Windows Analysis Report
3SBlY301oa.exe

Overview

General Information

Sample name: 3SBlY301oa.exe (renamed because the original name is a hash value)
Original sample name: b1027ba8039c64d6887daa9ef2f97438ebfa2f6877e2158680c01b326bdc76c9.exe
Analysis ID: 1465372
MD5: f5b72b219b9dc802075066951e0f5aad
SHA1: 5d475b00153f3bd0d16010ebd5c5aba656455552
SHA256: b1027ba8039c64d6887daa9ef2f97438ebfa2f6877e2158680c01b326bdc76c9
Tags: AsyncRAT, exe

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign process
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 3SBlY301oa.exe (PID: 7544 cmdline: "C:\Users\user\Desktop\3SBlY301oa.exe" MD5: F5B72B219B9DC802075066951E0F5AAD)
    • jsc.exe (PID: 7624 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)
      • powershell.exe (PID: 7888 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 8100 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'jsc.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 8108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6000 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\jsc.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 2352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • jsc.exe (PID: 7632 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)
    • WerFault.exe (PID: 7716 cmdline: C:\Windows\system32\WerFault.exe -u -p 7544 -s 1000 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • jsc.exe (PID: 3256 cmdline: "C:\Users\user\AppData\Roaming\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)
    • conhost.exe (PID: 2384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • jsc.exe (PID: 2860 cmdline: "C:\Users\user\AppData\Roaming\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)
    • conhost.exe (PID: 2992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Extracted malware configuration (XWorm): {"C2 url": ["rwanco.duckdns.org"], "Port": "1556", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}

Yara matches in process memory dumps (Source | Rule | Description | Author, with matched strings listed beneath each rule):

00000001.00000002.1537030307.000001A9BF5B9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000003.00000002.3783921795.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000003.00000002.3783921795.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x12599:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x12636:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1274b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x11060:$cnc4: POST / HTTP/1.1
00000001.00000002.1543708251.000001A9CF43B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000001.00000002.1543708251.000001A9CF43B000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x7c4f1:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x91339:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7c58e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x913d6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7c6a3:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x914eb:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x7afb8:$cnc4: POST / HTTP/1.1
  • 0x8fe00:$cnc4: POST / HTTP/1.1

Yara matches in unpacked PE files (Source | Rule | Description | Author, with matched strings listed beneath each rule):

1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x10999:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x10a36:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x10b4b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xf460:$cnc4: POST / HTTP/1.1
1.2.3SBlY301oa.exe.1a9cf4a4d58.3.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
1.2.3SBlY301oa.exe.1a9cf4a4d58.3.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x10999:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x10a36:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x10b4b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xf460:$cnc4: POST / HTTP/1.1
3.2.jsc.exe.400000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

System Summary

Sigma rule matches:

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe, ParentProcessId: 7624, ParentProcessName: jsc.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe', ProcessId: 7888, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe, ParentProcessId: 7624, ParentProcessName: jsc.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe', ProcessId: 7888, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\jsc.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe, ProcessId: 7624, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jsc
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe, ParentProcessId: 7624, ParentProcessName: jsc.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe', ProcessId: 7888, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe, ProcessId: 7624, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jsc.lnk
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe, ParentProcessId: 7624, ParentProcessName: jsc.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe', ProcessId: 7888, ProcessName: powershell.exe

Snort IDS alerts:

Timestamp: 07/01/24-15:46:50.785433 | SID: 2853193 | Source Port: 49756 | Destination Port: 1556 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 07/01/24-15:45:41.295408 | SID: 2855924 | Source Port: 49743 | Destination Port: 1556 | Protocol: TCP | Classtype: A Network Trojan was detected

AV Detection

Source: rwanco.duckdns.org | Avira URL Cloud: Label: malware
Source: 00000001.00000002.1543708251.000001A9CF43B000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["rwanco.duckdns.org"], "Port": "1556", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
Source: 3SBlY301oa.exe | ReversingLabs: Detection: 71%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 3SBlY301oa.exe | Joe Sandbox ML: detected
Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack | String decryptor: rwanco.duckdns.org
Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack | String decryptor: 1556
Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack | String decryptor: <123456789>
Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack | String decryptor: <Xwormmm>
Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack | String decryptor: USB.exe

Exploits

Source: Yara match | File source: 00000001.00000002.1537030307.000001A9BF5B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1537030307.000001A9BF28B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 3SBlY301oa.exe PID: 7544, type: MEMORYSTR
Source: 3SBlY301oa.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: jsc.pdb | source: jsc.exe, 00000014.00000000.1610580379.00000000002D2000.00000002.00000001.01000000.0000000C.sdmp, jsc.exe.3.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdb | source: WERBDF.tmp.dmp.7.dr
Source: Binary string: mscorlib.pdb | source: WERBDF.tmp.dmp.7.dr
Source: Binary string: System.ni.pdbRSDS | source: WERBDF.tmp.dmp.7.dr
Source: Binary string: jsc.pdb8 | source: jsc.exe, 00000014.00000000.1610580379.00000000002D2000.00000002.00000001.01000000.0000000C.sdmp, jsc.exe.3.dr
Source: Binary string: mscorlib.ni.pdb | source: WERBDF.tmp.dmp.7.dr
Source: Binary string: System.Core.pdb | source: WERBDF.tmp.dmp.7.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l | source: WERBDF.tmp.dmp.7.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& | source: WERBDF.tmp.dmp.7.dr
Source: Binary string: System.ni.pdb | source: WERBDF.tmp.dmp.7.dr
Source: Binary string: System.pdb | source: WERBDF.tmp.dmp.7.dr
Source: Binary string: System.Core.ni.pdbRSDS | source: WERBDF.tmp.dmp.7.dr
Source: Binary string: Microsoft.VisualBasic.pdb | source: WERBDF.tmp.dmp.7.dr
Source: Binary string: System.Core.ni.pdb | source: WERBDF.tmp.dmp.7.dr

Networking

Source: Traffic | Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.7:49743 -> 78.159.112.6:1556
Source: Traffic | Snort IDS: 2853193 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.7:49756 -> 78.159.112.6:1556
Source: Malware configuration extractor | URLs: rwanco.duckdns.org
Source: unknown | DNS query: name: rwanco.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.7:49716 -> 78.159.112.6:1556
Source: Joe Sandbox View | ASN Name: LEASEWEB-DE-FRA-10DE
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 occurrences)
Source: global traffic | DNS traffic detected: DNS query: rwanco.duckdns.org
Source: powershell.exe, 0000000F.00000002.1451228175.00000000032AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mi
Source: powershell.exe, 00000009.00000002.1394565515.0000000005CBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1427775848.0000000005CED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1468272019.000000000602D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000F.00000002.1454204375.0000000005116000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000009.00000002.1387360288.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1420206040.0000000004DD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1454204375.0000000005116000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: jsc.exe, 00000003.00000002.3790232304.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1387360288.0000000004C51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1420206040.0000000004C81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1454204375.0000000004FC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000009.00000002.1387360288.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1420206040.0000000004DD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1454204375.0000000005116000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Amcache.hve.7.dr | String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 0000000F.00000002.1454204375.0000000005116000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000F.00000002.1475019979.0000000007A82000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000009.00000002.1387360288.0000000004C51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1420206040.0000000004C81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1454204375.0000000004FC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000000F.00000002.1468272019.000000000602D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000F.00000002.1468272019.000000000602D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000F.00000002.1468272019.000000000602D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000F.00000002.1454204375.0000000005116000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000C.00000002.1420206040.000000000546C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 0000000F.00000002.1482953682.0000000008993000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.micros
Source: powershell.exe, 00000009.00000002.1394565515.0000000005CBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1427775848.0000000005CED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1468272019.000000000602D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

Operating System Destruction

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Process information set: 01 00 00 00

System Summary

Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.3SBlY301oa.exe.1a9cf4a4d58.3.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.jsc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.3SBlY301oa.exe.1a9cf4a4d58.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.3783921795.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000001.00000002.1543708251.000001A9CF43B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Code function: 1_2_00007FFAAB79E48D
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Code function: 1_2_00007FFAAB7A4BBE
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Code function: 1_2_00007FFAAB79BBA9
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Code function: 1_2_00007FFAAB791988
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Code function: 1_2_00007FFAAB79418C
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Code function: 1_2_00007FFAAB798728
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Code function: 1_2_00007FFAAB798720
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Code function: 1_2_00007FFAAB79143D
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Code function: 1_2_00007FFAAB7A4C7D
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Code function: 1_2_00007FFAAB7A4C0B
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Code function: 1_2_00007FFAAB7A034F
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Code function: 1_2_00007FFAAB7A81D4
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Code function: 1_2_00007FFAAB860055
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 3_2_02A54FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 3_2_02A51918
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_049CB480
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_049CB470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_089C3AA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_049AB498
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_049AB488
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_089B3AA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_04D8B4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_04D8B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_08E03AA8
Source: C:\Users\user\AppData\Roaming\jsc.exe | Code function: 20_2_04B4012C
Source: C:\Users\user\AppData\Roaming\jsc.exe | Code function: 20_2_04B4010C
Source: C:\Users\user\AppData\Roaming\jsc.exe | Code function: 20_2_04B40FE0
Source: C:\Users\user\AppData\Roaming\jsc.exe | Code function: 20_2_04B40812
Source: C:\Users\user\AppData\Roaming\jsc.exe | Code function: 22_2_04C4010C
Source: C:\Users\user\AppData\Roaming\jsc.exe | Code function: 22_2_04C4012C
Source: C:\Users\user\AppData\Roaming\jsc.exe | Code function: 22_2_04C40FE0
Source: C:\Users\user\AppData\Roaming\jsc.exe | Code function: 22_2_04C400FF
Source: C:\Users\user\AppData\Roaming\jsc.exe | Code function: 22_2_04C400BA
Source: C:\Users\user\AppData\Roaming\jsc.exe | Code function: 22_2_04C40812
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7544 -s 1000
Source: 3SBlY301oa.exe | Static PE information: No import functions for PE file found
Source: 3SBlY301oa.exe, 00000001.00000002.1543708251.000001A9CF5E0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUwohulayukoqiB vs 3SBlY301oa.exe
Source: 3SBlY301oa.exe, 00000001.00000000.1324102706.000001A9BD5C2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameEpebujokeha6 vs 3SBlY301oa.exe
Source: 3SBlY301oa.exe, 00000001.00000002.1543708251.000001A9CF43B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs 3SBlY301oa.exe
Source: 3SBlY301oa.exe, 00000001.00000002.1543708251.000001A9CF43B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUwohulayukoqiB vs 3SBlY301oa.exe
Source: 3SBlY301oa.exe, 00000001.00000002.1551373572.000001A9D7910000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameUwohulayukoqiB vs 3SBlY301oa.exe
Source: 3SBlY301oa.exe | Binary or memory string: OriginalFilenameEpebujokeha6 vs 3SBlY301oa.exe
Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.3SBlY301oa.exe.1a9cf4a4d58.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.jsc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.3SBlY301oa.exe.1a9cf4a4d58.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.3783921795.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000002.1543708251.000001A9CF43B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack, FLqkNq8t7ZY3Yw7PCsbqcLX8x9QP6PHSYCwnL7hC0R9W8ZtGfW.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack, uMFZ3idKKxij6umJX56sbWAs3uGIN8vVfA97nEr6GqFfLYtzqm.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack, uMFZ3idKKxij6umJX56sbWAs3uGIN8vVfA97nEr6GqFfLYtzqm.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.3SBlY301oa.exe.1a9cf4a4d58.3.raw.unpack, FLqkNq8t7ZY3Yw7PCsbqcLX8x9QP6PHSYCwnL7hC0R9W8ZtGfW.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.3SBlY301oa.exe.1a9cf4a4d58.3.raw.unpack, uMFZ3idKKxij6umJX56sbWAs3uGIN8vVfA97nEr6GqFfLYtzqm.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.3SBlY301oa.exe.1a9cf4a4d58.3.raw.unpack, uMFZ3idKKxij6umJX56sbWAs3uGIN8vVfA97nEr6GqFfLYtzqm.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack, movlZjapfA1NCF8ZJOoLgpY3f0iBEspN.csBase64 encoded string: 'NMBNdRmEgZ18WLKJTdAgUfFC7j2YUzFOghfraQJBkuoyJk1PGzmlF3zxy36h', 'Hd0YTG4GoOyEG4upKrGIqQqg0AZiLD2F5DmQggE42eXXCDnu0HtaASjXLN2DqpZ6Sr8xKxKC3vzqmAAjte2PhOTGrQPW', 'NK337S3Czh7hkGtpmNUM6KELttMJUKWieLm15gOG1EqaDwln2vSbNSnC7Ir5cuVjYyzGz7MTRVT3FkW6Z2dcRgSgg2xL', 'piKrxtHg9mQKF4dFNXCUwVqC0paMFxqv3ANVUJe4bAk1kYvmYjWmaSLoFs30Rj5IeKsmpJhPXiGbtdwmEdZr3ChojZcP', 'nUWZbRcrT7pXjVsBIPPjFoyT28FfMAjZ6EmdIxWO4c3knAvEmtF5qp03BiSgs28sDlOJKludGpcTJBEwh8siFeRpHRkY', 'sqKSh0jNV75kv8Yh7sv5nCeP1WHQZ38b0cbI63gQhwX8BzvXUMJ4RvZ5GSoSRUQVUdHnQ1K2zYqeEux0tOC2NmtIVNTD', 'pIpv79YF9AF1jfcBNAubb02wADjd8PyugmFtFDsUOOLtf8OkANGQxsX43XH4kPlEdZzUQidUGgioHtt805xz0Hw98sSk', 'ufz4uF6B2bBvfyH0wUAGE4hZasZy2uLd6yUKjnPPeyhfrndHX1WOAh3UC84PZZItEoEOponVRFMYdviz5dAgw4okGv1s', 'm7SXw5Tu5rd3MfTBqZuDPv5vk5iwi9fi8ugWbGgm9CDwoexHndJQPEPtZ5J7J05wiOtRJYlwYIX4kmnu2iHcp6NY1gtP'
              Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack, P7MVS4OnCoxDFg2mSN2v9joQ1CWIE3XazYIdBkMBopcpWcdVJqu0Cv9beHbBW0VybvJw0wynn3Few2MvVGmLS0f.csBase64 encoded string: 'z4QBANY1R3KvIto7KzFIkBoa4F3WKES1BnwN9eB6z58JGjxOP8SMO0OQQIjI', 'zKN23bJk4Z6NXjBtAPN5cQ4d86PaZ5Y61SEzvu1YVOgoMSuJVGRDFv16T4Ka', 'jh18L6GtPSYuzieEDBpVYE0vkTKyLETGgqkOCyWBFJ1vaezUMGmydECarc5b', 'hsodfulKFuS2FD19ePK49qCalEK4gxi7Y44WTs1LjAtm2sZJrD5V055UYyeQ', 'G5o2v3v9aWbj3MHVNP0DU2xev9Wx0fgtTrEhebmwRzGGUZE5DfUUdxoIEeS4', 'mTqemR2oMRDteBRmmfDl4tTCe8CVYZO8VDzeI6uq6H4jOKS2Wx2ybmqpgygz', 'GkJDRhUynJQFhxiS60clK5gnV2xe6pMap2pMxgMRa0vzbigOibkLBKs7wc2K', 'zNHWSL9xIu5YygS2pZoRMTjxMleL4l4RWIDuXWwcce7K69oujrxqlGI5r5Bh'
              Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack, Ov2ngEci2NSKf7CACuPsjFLprayb3eMsaf2hyKnAeHj9NgyiIGGoEZ784qGXyhn0f.csBase64 encoded string: 'j0qmG2jSe7TsvqRtZgboTdxIqwOAF0Y3JHBmv1GVRxDwReE7MEGF3UjnfDL1nGlqhRQS5NRhZU5i0qs0erhd73oZ2bPv'
              Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack, lEUGg6TA9ZXhbgEHfaMx1ThY0rstjl4mMi7j330wAMwhdD01Mrjs6w54EiOFdqtB4DyMgA4qQkZKvQFVFIZ6aNb.csBase64 encoded string: 'JBmtTW9n88bW72y68aqzvZZ0C3Lj0uKdLnCsXRxElX3p5zvjQUNF8niKhhP0'
              Source: 1.2.3SBlY301oa.exe.1a9cf4a4d58.3.raw.unpack, movlZjapfA1NCF8ZJOoLgpY3f0iBEspN.csBase64 encoded string: 'NMBNdRmEgZ18WLKJTdAgUfFC7j2YUzFOghfraQJBkuoyJk1PGzmlF3zxy36h', 'Hd0YTG4GoOyEG4upKrGIqQqg0AZiLD2F5DmQggE42eXXCDnu0HtaASjXLN2DqpZ6Sr8xKxKC3vzqmAAjte2PhOTGrQPW', 'NK337S3Czh7hkGtpmNUM6KELttMJUKWieLm15gOG1EqaDwln2vSbNSnC7Ir5cuVjYyzGz7MTRVT3FkW6Z2dcRgSgg2xL', 'piKrxtHg9mQKF4dFNXCUwVqC0paMFxqv3ANVUJe4bAk1kYvmYjWmaSLoFs30Rj5IeKsmpJhPXiGbtdwmEdZr3ChojZcP', 'nUWZbRcrT7pXjVsBIPPjFoyT28FfMAjZ6EmdIxWO4c3knAvEmtF5qp03BiSgs28sDlOJKludGpcTJBEwh8siFeRpHRkY', 'sqKSh0jNV75kv8Yh7sv5nCeP1WHQZ38b0cbI63gQhwX8BzvXUMJ4RvZ5GSoSRUQVUdHnQ1K2zYqeEux0tOC2NmtIVNTD', 'pIpv79YF9AF1jfcBNAubb02wADjd8PyugmFtFDsUOOLtf8OkANGQxsX43XH4kPlEdZzUQidUGgioHtt805xz0Hw98sSk', 'ufz4uF6B2bBvfyH0wUAGE4hZasZy2uLd6yUKjnPPeyhfrndHX1WOAh3UC84PZZItEoEOponVRFMYdviz5dAgw4okGv1s', 'm7SXw5Tu5rd3MfTBqZuDPv5vk5iwi9fi8ugWbGgm9CDwoexHndJQPEPtZ5J7J05wiOtRJYlwYIX4kmnu2iHcp6NY1gtP'
              Source: 1.2.3SBlY301oa.exe.1a9cf4a4d58.3.raw.unpack, P7MVS4OnCoxDFg2mSN2v9joQ1CWIE3XazYIdBkMBopcpWcdVJqu0Cv9beHbBW0VybvJw0wynn3Few2MvVGmLS0f.csBase64 encoded string: 'z4QBANY1R3KvIto7KzFIkBoa4F3WKES1BnwN9eB6z58JGjxOP8SMO0OQQIjI', 'zKN23bJk4Z6NXjBtAPN5cQ4d86PaZ5Y61SEzvu1YVOgoMSuJVGRDFv16T4Ka', 'jh18L6GtPSYuzieEDBpVYE0vkTKyLETGgqkOCyWBFJ1vaezUMGmydECarc5b', 'hsodfulKFuS2FD19ePK49qCalEK4gxi7Y44WTs1LjAtm2sZJrD5V055UYyeQ', 'G5o2v3v9aWbj3MHVNP0DU2xev9Wx0fgtTrEhebmwRzGGUZE5DfUUdxoIEeS4', 'mTqemR2oMRDteBRmmfDl4tTCe8CVYZO8VDzeI6uq6H4jOKS2Wx2ybmqpgygz', 'GkJDRhUynJQFhxiS60clK5gnV2xe6pMap2pMxgMRa0vzbigOibkLBKs7wc2K', 'zNHWSL9xIu5YygS2pZoRMTjxMleL4l4RWIDuXWwcce7K69oujrxqlGI5r5Bh'
              Source: 1.2.3SBlY301oa.exe.1a9cf4a4d58.3.raw.unpack, Ov2ngEci2NSKf7CACuPsjFLprayb3eMsaf2hyKnAeHj9NgyiIGGoEZ784qGXyhn0f.csBase64 encoded string: 'j0qmG2jSe7TsvqRtZgboTdxIqwOAF0Y3JHBmv1GVRxDwReE7MEGF3UjnfDL1nGlqhRQS5NRhZU5i0qs0erhd73oZ2bPv'
              Source: 1.2.3SBlY301oa.exe.1a9cf4a4d58.3.raw.unpack, lEUGg6TA9ZXhbgEHfaMx1ThY0rstjl4mMi7j330wAMwhdD01Mrjs6w54EiOFdqtB4DyMgA4qQkZKvQFVFIZ6aNb.csBase64 encoded string: 'JBmtTW9n88bW72y68aqzvZZ0C3Lj0uKdLnCsXRxElX3p5zvjQUNF8niKhhP0'
              Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack, P7MVS4OnCoxDFg2mSN2v9joQ1CWIE3XazYIdBkMBopcpWcdVJqu0Cv9beHbBW0VybvJw0wynn3Few2MvVGmLS0f.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack, P7MVS4OnCoxDFg2mSN2v9joQ1CWIE3XazYIdBkMBopcpWcdVJqu0Cv9beHbBW0VybvJw0wynn3Few2MvVGmLS0f.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 1.2.3SBlY301oa.exe.1a9cf4a4d58.3.raw.unpack, P7MVS4OnCoxDFg2mSN2v9joQ1CWIE3XazYIdBkMBopcpWcdVJqu0Cv9beHbBW0VybvJw0wynn3Few2MvVGmLS0f.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 1.2.3SBlY301oa.exe.1a9cf4a4d58.3.raw.unpack, P7MVS4OnCoxDFg2mSN2v9joQ1CWIE3XazYIdBkMBopcpWcdVJqu0Cv9beHbBW0VybvJw0wynn3Few2MvVGmLS0f.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.expl.evad.winEXE@19/24@4/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | File created: C:\Users\user\AppData\Roaming\jsc.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7896:120:WilError_03
Source: C:\Users\user\AppData\Roaming\jsc.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2992:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2384:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8108:120:WilError_03
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7544
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Mutant created: \Sessions\1\BaseNamedObjects\VeR72e1DfqWDLw8O
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2352:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
Source: 3SBlY301oa.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 3SBlY301oa.exe | ReversingLabs: Detection: 71%
Source: C:\Users\user\Desktop\3SBlY301oa.exe | File read: C:\Users\user\Desktop\3SBlY301oa.exe
Source: unknown | Process created: C:\Users\user\Desktop\3SBlY301oa.exe "C:\Users\user\Desktop\3SBlY301oa.exe"
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7544 -s 1000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'jsc.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\jsc.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\jsc.exe "C:\Users\user\AppData\Roaming\jsc.exe"
Source: C:\Users\user\AppData\Roaming\jsc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\jsc.exe "C:\Users\user\AppData\Roaming\jsc.exe"
Source: C:\Users\user\AppData\Roaming\jsc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'jsc.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\jsc.exe'
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\3SBlY301oa.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: scrrun.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: linkinfo.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: ntshrui.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: cscapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: avicap32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: msvfw32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: mscoree.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: apphelp.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: version.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: urlmon.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: iertutil.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: srvcli.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: netutils.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: sspicli.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: wldp.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: propsys.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: mscoree.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: version.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: urlmon.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: iertutil.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: srvcli.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: netutils.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: sspicli.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: wldp.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: propsys.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Roaming\jsc.exe Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\3SBlY301oa.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
              Source: jsc.lnk.3.dr LNK file: ..\..\..\..\..\jsc.exe (a relative target; resolved from the Startup folder the shortcut is dropped into, five levels up is C:\Users\user\AppData\Roaming, so the shortcut launches the dropped C:\Users\user\AppData\Roaming\jsc.exe)
              Source: Window Recorder Window detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\3SBlY301oa.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: 3SBlY301oa.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: 3SBlY301oa.exe Static file information: File size 1974292 > 1048576
              Source: 3SBlY301oa.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: 3SBlY301oa.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: jsc.pdb source: jsc.exe, 00000014.00000000.1610580379.00000000002D2000.00000002.00000001.01000000.0000000C.sdmp, jsc.exe.3.dr
              Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERBDF.tmp.dmp.7.dr
              Source: Binary string: mscorlib.pdb source: WERBDF.tmp.dmp.7.dr
              Source: Binary string: System.ni.pdbRSDS source: WERBDF.tmp.dmp.7.dr
              Source: Binary string: jsc.pdb8 source: jsc.exe, 00000014.00000000.1610580379.00000000002D2000.00000002.00000001.01000000.0000000C.sdmp, jsc.exe.3.dr
              Source: Binary string: mscorlib.ni.pdb source: WERBDF.tmp.dmp.7.dr
              Source: Binary string: System.Core.pdb source: WERBDF.tmp.dmp.7.dr
              Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERBDF.tmp.dmp.7.dr
              Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERBDF.tmp.dmp.7.dr
              Source: Binary string: System.ni.pdb source: WERBDF.tmp.dmp.7.dr
              Source: Binary string: System.pdb source: WERBDF.tmp.dmp.7.dr
              Source: Binary string: System.Core.ni.pdbRSDS source: WERBDF.tmp.dmp.7.dr
              Source: Binary string: Microsoft.VisualBasic.pdb source: WERBDF.tmp.dmp.7.dr
              Source: Binary string: System.Core.ni.pdb source: WERBDF.tmp.dmp.7.dr

              Data Obfuscation

              Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack, movlZjapfA1NCF8ZJOoLgpY3f0iBEspN.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{LPVrK4pqk4OigmtOYVqUTKrnOk7pNblEWp6wy5ywCwNREebcyZJ5D6PCC87nOqBdKUAJQLaGQcTjT4AKZeqKURr.PJ4yIh8L4QL9KfjDPBR6mAV60ZYnHV3mntp4Y5CT7Hegjo7uutBTlJogDJtOghyns2fHGbpWGcVw2m9ZEiwSdM9,LPVrK4pqk4OigmtOYVqUTKrnOk7pNblEWp6wy5ywCwNREebcyZJ5D6PCC87nOqBdKUAJQLaGQcTjT4AKZeqKURr.QKZ0Ck2mWlkLyMBlUtXjO3hfRKiRlLeaOmD52QkKewi5zUw6QBgzxWEFQTBwW6z63ocKhcs4vHbeShFtGzggfKf,LPVrK4pqk4OigmtOYVqUTKrnOk7pNblEWp6wy5ywCwNREebcyZJ5D6PCC87nOqBdKUAJQLaGQcTjT4AKZeqKURr.uTsTqSQAO2Qg6WmIOqht24LLvyXr7Zs4I6TaR29pHK0FxT3cUhnPRy1XwR5OhckyxbCOsgZmIiKun6eFbyZlRwk,LPVrK4pqk4OigmtOYVqUTKrnOk7pNblEWp6wy5ywCwNREebcyZJ5D6PCC87nOqBdKUAJQLaGQcTjT4AKZeqKURr.YgxWVA05MO4ZL3gv0885DgK4HlWMcsgpWkiLrldxSWExGtQNBLmtr44EqreHCmpuYZOAMKWVD0HgKtUHLfUQ48G,uMFZ3idKKxij6umJX56sbWAs3uGIN8vVfA97nEr6GqFfLYtzqm.XyiV68Uo1k4lXpfRGu52kQhEX2VANGAJ0zRwXTc83B91HDOZNt()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack, movlZjapfA1NCF8ZJOoLgpY3f0iBEspN.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{HiXZwYZkji9G8B60bxzJ3B2jU7MhaBKhpXI477IyLari2hWVggPnqaGW7f9AuGMcl[2],uMFZ3idKKxij6umJX56sbWAs3uGIN8vVfA97nEr6GqFfLYtzqm._1GhP4YFOCKZGi4WVrIfAPVJVUpnOcxMFjSpkHIye01cn7PRzKL2FXygpGNvZVFrRicaolt11Wqr4ZDP3tR(uMFZ3idKKxij6umJX56sbWAs3uGIN8vVfA97nEr6GqFfLYtzqm.EGYlzJtcZoAvfuFHsR7OjQSuZXxNOIKAoFVon54hcgOcebfwrn(HiXZwYZkji9G8B60bxzJ3B2jU7MhaBKhpXI477IyLari2hWVggPnqaGW7f9AuGMcl[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack, movlZjapfA1NCF8ZJOoLgpY3f0iBEspN.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { HiXZwYZkji9G8B60bxzJ3B2jU7MhaBKhpXI477IyLari2hWVggPnqaGW7f9AuGMcl[2] }}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 1.2.3SBlY301oa.exe.1a9cf4a4d58.3.raw.unpack, movlZjapfA1NCF8ZJOoLgpY3f0iBEspN.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{LPVrK4pqk4OigmtOYVqUTKrnOk7pNblEWp6wy5ywCwNREebcyZJ5D6PCC87nOqBdKUAJQLaGQcTjT4AKZeqKURr.PJ4yIh8L4QL9KfjDPBR6mAV60ZYnHV3mntp4Y5CT7Hegjo7uutBTlJogDJtOghyns2fHGbpWGcVw2m9ZEiwSdM9,LPVrK4pqk4OigmtOYVqUTKrnOk7pNblEWp6wy5ywCwNREebcyZJ5D6PCC87nOqBdKUAJQLaGQcTjT4AKZeqKURr.QKZ0Ck2mWlkLyMBlUtXjO3hfRKiRlLeaOmD52QkKewi5zUw6QBgzxWEFQTBwW6z63ocKhcs4vHbeShFtGzggfKf,LPVrK4pqk4OigmtOYVqUTKrnOk7pNblEWp6wy5ywCwNREebcyZJ5D6PCC87nOqBdKUAJQLaGQcTjT4AKZeqKURr.uTsTqSQAO2Qg6WmIOqht24LLvyXr7Zs4I6TaR29pHK0FxT3cUhnPRy1XwR5OhckyxbCOsgZmIiKun6eFbyZlRwk,LPVrK4pqk4OigmtOYVqUTKrnOk7pNblEWp6wy5ywCwNREebcyZJ5D6PCC87nOqBdKUAJQLaGQcTjT4AKZeqKURr.YgxWVA05MO4ZL3gv0885DgK4HlWMcsgpWkiLrldxSWExGtQNBLmtr44EqreHCmpuYZOAMKWVD0HgKtUHLfUQ48G,uMFZ3idKKxij6umJX56sbWAs3uGIN8vVfA97nEr6GqFfLYtzqm.XyiV68Uo1k4lXpfRGu52kQhEX2VANGAJ0zRwXTc83B91HDOZNt()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 1.2.3SBlY301oa.exe.1a9cf4a4d58.3.raw.unpack, movlZjapfA1NCF8ZJOoLgpY3f0iBEspN.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{HiXZwYZkji9G8B60bxzJ3B2jU7MhaBKhpXI477IyLari2hWVggPnqaGW7f9AuGMcl[2],uMFZ3idKKxij6umJX56sbWAs3uGIN8vVfA97nEr6GqFfLYtzqm._1GhP4YFOCKZGi4WVrIfAPVJVUpnOcxMFjSpkHIye01cn7PRzKL2FXygpGNvZVFrRicaolt11Wqr4ZDP3tR(uMFZ3idKKxij6umJX56sbWAs3uGIN8vVfA97nEr6GqFfLYtzqm.EGYlzJtcZoAvfuFHsR7OjQSuZXxNOIKAoFVon54hcgOcebfwrn(HiXZwYZkji9G8B60bxzJ3B2jU7MhaBKhpXI477IyLari2hWVggPnqaGW7f9AuGMcl[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 1.2.3SBlY301oa.exe.1a9cf4a4d58.3.raw.unpack, movlZjapfA1NCF8ZJOoLgpY3f0iBEspN.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { HiXZwYZkji9G8B60bxzJ3B2jU7MhaBKhpXI477IyLari2hWVggPnqaGW7f9AuGMcl[2] }}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack, movlZjapfA1NCF8ZJOoLgpY3f0iBEspN.cs .Net Code: IMs7q0DloNNoDQRAsyZKCN0CtByg948u System.AppDomain.Load(byte[])
              Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack, movlZjapfA1NCF8ZJOoLgpY3f0iBEspN.cs .Net Code: _9BGqkz0L0TzggljMxB7G7bL3Y5iIVSxGYp8i8yyupBWj5dv90JAfE4BJUEvIz6tTQ System.AppDomain.Load(byte[])
              Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack, movlZjapfA1NCF8ZJOoLgpY3f0iBEspN.cs .Net Code: _9BGqkz0L0TzggljMxB7G7bL3Y5iIVSxGYp8i8yyupBWj5dv90JAfE4BJUEvIz6tTQ
              Source: 1.2.3SBlY301oa.exe.1a9cf4a4d58.3.raw.unpack, movlZjapfA1NCF8ZJOoLgpY3f0iBEspN.cs .Net Code: IMs7q0DloNNoDQRAsyZKCN0CtByg948u System.AppDomain.Load(byte[])
              Source: 1.2.3SBlY301oa.exe.1a9cf4a4d58.3.raw.unpack, movlZjapfA1NCF8ZJOoLgpY3f0iBEspN.cs .Net Code: _9BGqkz0L0TzggljMxB7G7bL3Y5iIVSxGYp8i8yyupBWj5dv90JAfE4BJUEvIz6tTQ System.AppDomain.Load(byte[])
              Source: 1.2.3SBlY301oa.exe.1a9cf4a4d58.3.raw.unpack, movlZjapfA1NCF8ZJOoLgpY3f0iBEspN.cs .Net Code: _9BGqkz0L0TzggljMxB7G7bL3Y5iIVSxGYp8i8yyupBWj5dv90JAfE4BJUEvIz6tTQ
              Source: 3SBlY301oa.exe Static PE information: TimeDateStamp 0x9B9359DD [Mon Sep 16 18:47:57 2052 UTC]. A build date in the future cannot be a genuine compile time. It is consistent with a deliberately altered header, but also with a Roslyn deterministic build, which stores a hash in this field instead of the build time, so on its own the value does not prove tampering.
              Source: C:\Users\user\Desktop\3SBlY301oa.exe Code function: 1_2_00007FFAAB7A5C7F push cs; retf 1_2_00007FFAAB7A5C80
              Source: C:\Users\user\Desktop\3SBlY301oa.exe Code function: 1_2_00007FFAAB797963 push ebx; retf 1_2_00007FFAAB79796A
              Source: C:\Users\user\Desktop\3SBlY301oa.exe Code function: 1_2_00007FFAAB860055 push esp; retf 4810h 1_2_00007FFAAB860312
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_049C635D push eax; ret 9_2_049C6371
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_049C2D09 push 04B80792h; retf 9_2_049C2D0E
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_049C3AA8 push ebx; retf 9_2_049C3ADA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_049C3A63 push ebx; retf 9_2_049C3ADA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_089C7408 push eax; retf 9_2_089C7409
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_049A42BD push ebx; ret 12_2_049A42DA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_049A635D push eax; ret 12_2_049A6371
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_089B74B0 push esp; ret 12_2_089B74B1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_04D850E7 pushfd ; retf 0008h 15_2_04D85092
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_04D842EB push esi; retf 0008h 15_2_04D84312
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_04D842A8 push esi; retf 0008h 15_2_04D84312
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_04D873C0 pushfd ; retf 0008h 15_2_04D873D9
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_04D84347 push esi; retf 0008h 15_2_04D84312
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_04D86377 push eax; ret 15_2_04D86381
              Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack, hnx6gUrEdLQrZkHVbuR3ysbr53WS710OBdOIkG5FDwALkL6YfHbGqIX9XCBl3Z45cvNhJ0UAqRKkJ2ASGu.csHigh entropy of concatenated method names: 'MCn27tSY8m8i0mQ9jTbjuVHKaSgqYhUkRjSHBdcOkYFlg8Wn9mswDqq3K0PFYlmjHGHg8Up9W1mNx05qf6', 'SNOu6jVft9cVYusd2OUL7FeVgDXjQDIxPjC3exdlIEB32VAaU2uceEwamxZLiJnc1O5qWbeNMlzS46YzU4', '_4JkXxspwrShWYOu8EqloypdaBacXKoohL2KKLq1fj1TYvJW5ytBCivHnUpzIni2aNrZhaW5ZGzqmJ7j3Oh', 'NgBa3eHghoFV7qHrsS2VrAKDnKPi2vLBU86CKvgUwGabTvVFwU0gRkAldtJQ0Fckajx1hA6fQClYg', 'gTOW2jvgUcMv1GDuUzTHZYm94k8mdVx9epxdwrnpFKkJLIgAAIjaKZxsKRa1QeZkRs3lqLorR9YMD', 't4f0jWe5oCErz0xtT2VvAuPGesSz51jNAQuTfAunHCxCmoghpMAVX6VDcDI76zFN5OQFmzRwHy2nE', 'xW6GDhLRfdRzhjPNsesQzpmMlYvAntWk8TsmBn8EEei0LXygethQiBAJknCqMGe0CvpFabzxEATEb', 'HarFJk2ViRXGJqoKYokpIAUFmTVTVSVoqG6q0', '_2vqhNDxcS7WhtxYQgeVn866eHi14fsLrqukVP', 'P4wEPP6H9xEoxZLsNnbgYphv0lli04jh4JjZx'
              Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack, LPVrK4pqk4OigmtOYVqUTKrnOk7pNblEWp6wy5ywCwNREebcyZJ5D6PCC87nOqBdKUAJQLaGQcTjT4AKZeqKURr.csHigh entropy of concatenated method names: 'NpcKyY8maoDwxlvcxcRVIup0lIXmeyH8kKiaYCT7aOD6VENYPDCdnSr03QmpxhZCVORzTPqi6c', 'zNMrRdE72TFU2RTnon79VMKhD0b6suqoJ168BDeXUMb3i3NDFQANGwDRmBA3Zo6Fqg4pWktyVw', '_2mLODVkjd3B1ofUY7GLtrEci3PBJ75leQzdHDZb0AEKH00BkImIuSIfM9Sd2nOhwO6BmSEM7PE', 'lSFXiHexEfWlc5Do0v38QCSODXKS5k7smjtpIl0WY9n25PtCDS8wFzzofFkThkpW3896hViUHy'
              Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack, ziDLcACXS24cqvyk8UjuSVl0BmE3QkTHg2wMRgvLFj7j9UoOwICcfMi.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'NeHBY7TkxjG1RCnXCeDrkD20fbRLC1rHkE1qZ5kLjkAeGfayjcMGvRlXuZFZg3wsMRepF2Mq0q', 'ynQ4ziIAtnOen2LlhJhRQfSn0QKylkYDJJYFGS6rpROr1ArgXI13qYnCGddAkv4RYWGv52s0Uf', '_10zWt7BkXnaSCItxDFQSP3yZuRi3BaQLq5gwhZM2sHc0yu87IVYAEEHwSU4IqEV0785FewBk3L', 'ERbwvm66yYI2Sc15rniGKXTjT0THCaKzC9mI2TuSfRPgVErFf2gpmdTUbnuQSPfLzlaNegrQHd'
              Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack, opnSQ24XL3OilMgfvlfjrC55vSwvR2OJeC4V70NlscRy30DujE.csHigh entropy of concatenated method names: '_1zFkoXKWjWZwJsCT5rL5aqsSge9yRTYw6LnIvFSX3J8Goq5a5Q', 'oOgaruf1KfKOKkywa41JL2m6f2OLZk1fDsny9bEyqsnLqsdI6L', 'Cx4abq6DZqTgeNMz0s5sbOb2x52lJufNPyVBjpXObFziHX3Aqc', 'zrpkx8NbIjtYvf9yoYFmfJ4OkasFMD96zv938UNWkvz5o1X7qV', 'THO2At7ZUJww27YnL9S4NlDYenjLyJod3uAyYdKtFVKiWSHpp254fZk5mrGUIQTCl9vYszDgvvYC5', 'LSnEzCBEZHcSHm4ZYh5qJQ1hXnJpL7DaEkOpVZipoG5oMGdhXBz99qoohk8L4nctuvqVhlBPj5mGk', 'e7GEWK0cRm1YuJs3Xumxe8XU3OLtweGqf6qkKs1GEuKTzlW4bRir3PRNFWBsUaao39bZfplthXwIR', 'AkLkHpJQe693l2V71MmRrUjjcYrKfrvxTXmQXKHLAaiu5BtjlPpZDGtJNrShOgtn9VB8lQnJ4fNTt', 'g9Fxq7yl15MqJtxsouW9iKw6YzvLNubMXWXXuDqqHxml9kD1Ua32y3xfxTP47MjYSaThTVDD1xFcv', 'QRmTMeAUia2a1Nxaq6vsi1YFQmfCOpMddzKDtqq85835m3ROZm4avt5TRdfbjIEqu7d0ddPKuY1g2'
              Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack, movlZjapfA1NCF8ZJOoLgpY3f0iBEspN.csHigh entropy of concatenated method names: 'M1c8kiFJbUucucXjaSnfR2nLtPbob09f', 'IMs7q0DloNNoDQRAsyZKCN0CtByg948u', '_7WlRwYCHYBkfE8xwvXDlTPA18YwlHjPk', 'viVHj9d18IScWXsSZQVpgM57FOAQMiDaiWXY2DHoLIuhIh5lwqQahsni0xWz0JD9I', 'hxwwKIciyA4398u8fCK3TuZ9Qo8G6LVrZFx6myx9VfrlE4JL9oExiPiHasnRzSmIj', 'lnPBBZ1bE6cabQay4bBQ2mVezXFzHJg8ZwLf8pX2d6KZ2KmD2ip2DZ8QtA9F6J4Vt', 'iMLJNkAXhSI4cEx6LH5k85VySJ0AVw1Wv6sEGys30BiNiqlYJQGXvejpvVYjiWgOA', '_4NZruWJbryAceex8RUEmqAdwrqJqIUiwVdDU7oFBxp4nAj6TySF7b798EdkFIq814', 'Pz5cl33t9AmOg6l8qmz2QqmffBnN9lviHcYrVqF4hHzhe1buUIo4RZ346VkIYPQY4', 'QBwydCqZT0CJE7vmBfKbW88M1QLiT5YXsab84lSIg6InLLFC4iwR13zhBiUcEcAjP'
              Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack, P7MVS4OnCoxDFg2mSN2v9joQ1CWIE3XazYIdBkMBopcpWcdVJqu0Cv9beHbBW0VybvJw0wynn3Few2MvVGmLS0f.csHigh entropy of concatenated method names: 'xIFmamIjxhcygeweRYzJpUfWUuxDESo9nGundshRochQYWakwnk638xR3QxiEerulhGOMdygd5V2KMt5z7SN9Y9', '_6CAhVxC5c5QbKaHb88vJ7HkVXLgbSndC3Bs3rkezT3927CBbvLQ5Q6ALrtLnApfgVLDJasiVQ', 'GRf7qpJUcaF2b4rDtewcJcxzWT1CWpfLuhXLdRCcSXWw9gk0tjvqISDn5z0KlcjogMs5OrRfn', 'mcItlcj118Dv5eqSN5T1i5AystGQV5MN6OZNLOGReA273eaZJ88ykqB5RhC14HgbWCMJgryTE', 'mspEGkObkL0q867onyNhWyTdS656vnhSVSpuGCS60n16OuVwnNVJilWKN8notipzctbiWH9zg', '_9IU6fSrmj55rdN06f5wjRpAwOXdt4RFZ8BJZH47Prsf6yJ5JW6ZPoFgXO6Fwwf3LXmYSYXZ8R', 'mEaik3EQhEou0DDJYG0K2rVdzZNxUfNobBVeQLrssHX59cZGd9hac82RJgMmCj7uby61AKIy1', '_2hw28fS9fiBfck11JSG7DTR30afaAoGGUUosPbdlKyRpvSaklAaaLUaudrAUfxsM5M7HEz9L8', '_2Uaqoj33codsDT4svZAcrwPbKAKNJm1jsxOkjg3O6QESflU4US4xoXyjm5nCWlbwym5mkbS8L', 'MkfQjLexxJ4Y5MbQ8yYK7FuaIzckm96gZI1HXbsBwo8WRNjtdxL0iE4Fg6CzmCywjI1fLtS7u'
              Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack, Ov2ngEci2NSKf7CACuPsjFLprayb3eMsaf2hyKnAeHj9NgyiIGGoEZ784qGXyhn0f.csHigh entropy of concatenated method names: 'cyF4dBrRKO7yi6ED1RXvUwsYPyvjMzWwAXUfbsEK6WhKyyzddB3MV1WW6UkteyZjM', 'x2ExmQI9jwo0dxRr1CcTdIrzciqAWfMKEI1XTncDjm9ZMCCV41Tt6chqWXOAWaK5MHraIuUqgYnR8VdemAOAQFO324QC', 'go6ktPSHlSt168oO2OfgAiFnUgGLEb6nzXlM8hFJDiVWbK3qyaXRlqGrtUcdmmgEiMzg9L2PX9NG8', 'T9jL2uggett9kBTiRhu3YLvzwHJ9GEUZify4mqyzSycUjDn1LtKJdlVUwFrZPSgeGqGnQ4RbauC79', 'HicLbQMe9mKgqTbKmzgtX7Ax6qBdnyY6chfIe6SDH9qlsj9BfgwSj1gVo36Bfnzj5LzOkU8JXlYbP'
              Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack, FLqkNq8t7ZY3Yw7PCsbqcLX8x9QP6PHSYCwnL7hC0R9W8ZtGfW.csHigh entropy of concatenated method names: 'wcfrJVluv3OS7yUY36HHEOEb3KIiEC3tePn2gDp886Cp1mw4DK', '_6gMZvqFuMJTFoBplDUK8mFGdtcesKwT1P1HkwzQG9b4p1UyylG', 'UNFgPUvNX7lJ21brhgt98hYwhdf6gk6mtZnKLUVZh9Vk3bAWf9', '_9SOzBfeG8MGTEJgUzN9DtpvO6oYoyVMb5utGz99MVIOXuaOVsKWWjxjkPcgOnRTgATahKUy1pezK2', 'HglCyM4Jg53pqX902L2a5IOSdwEyCE7vqg2Y8uNWN5pTSvhVFYZKX4XsXKjSRQxlaKqog7hzaTc9T', 'qYJe3i18rPj9gib7P8z65HgFG9DNP2sYJS4nUFWICITEa3rthmonrzq3nvsmTaYOteWFh8h77HGwy', 'FqzhCIIAomJZSSM4j8tfEuBxyEjWWpfOAxSVrXgtGTCilAil8UZAOg9d1QiYlZBWFwq2YBAGf1WCv', 'bzt659amT8V3PZ8xfL4XUeUaT8yBBzxMz4j0b7cOjwp63MQyclttcGgPDy7xKzlZ2ZpXco5ztBZip', '_6eqWmqnW4oQf7GnCqoZgLaxXdgCfosvWAurXTAkDEQyj1ocSMBVEH3HsU4Dd60eJWcdqVxakPrQzK', '_5f72odwL6IfroqBRVAibV5aXok16O5QtWwkt7PajH9t6ucPwSzDRmq9JsJttWVCxdQSSNNhqqmtIB'
              Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack, uMFZ3idKKxij6umJX56sbWAs3uGIN8vVfA97nEr6GqFfLYtzqm.csHigh entropy of concatenated method names: 'IqCY5ARkNOvWyqqjvLsY5SbFsxdTHwZxfPSmxYkVCyfhCki8aw', 'K5rKr2zgNMyDsGKQwrE6mTuIfaT3xADZiC0B1OrM46gGt9HqeD', 'VPpDPIotu6pMH1Cs8mGfYkCq28yFcglBfT4hNqV81b9y2lR1jo', 'M9k9ko3eSQ4rK1i8vAJX1QLwoiiXd5AJginNuiz61pokGFQ8TW', 'm7XyOM43gO65utKMRRHxHBAVbwtkNIFUlAZwJ2xwlaSYhEWvjZ', 'ITaGyHzq9WHYJfuo5IdindCbGEMf5inZkp2XLDs3r5w9eonL84', 'bIPZ4nieEwHFLMBHuq7hvJ3BpSQuo7d8sR4GF27uAmacBjbv9Q', 'XOeiLNyUXueNYW3zzG2nvo0eJdPJDHtByX2gJMf3HRkjalox7g', 'DRUGSg0piHSn38oBZXNYdRLixptxsvtAisO0JIJ5aVtIJR6GbO', 'EGYlzJtcZoAvfuFHsR7OjQSuZXxNOIKAoFVon54hcgOcebfwrn'
              Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack, Kgn0Nl0cIVemHWKGRa2fKZarKOln46ySB1LQfPpw5mm9bvx1kkun9MhJghfZQsiZK.csHigh entropy of concatenated method names: 'ZXg0uSo4FTOUnE2WSjicvZslQk2lqtORPWQvrK4WuHvONDHc54Fy4EpnxnwRaOc0f', 'ljt5YwntiiKZBAoYd8kMEwFFUNVakzSb6liLBUQkUIkGlZdWra5buYOs1HCtLKSwf', 'SPgB8y2Y6yiy1BmeNENfU31S2iqtBI3MHnHvVZfxjwLMaSiPUv', 'GJeyvC7H1k0VVI1MZSiEO1WXmSQGOzmXYKY4XabJOL9svwy9Wh', '_7U79M5KPcHdMepvALfjVXxWspOqB8Im5gLJzJhPAnvFLhNYEOu', '_5MPTmxWNCFXDgxsi2y37uQlb3jjFH7a5LwKqz0dQAkKYXHzzYW', 'dHeeJ2G6Pxbsw2nv1SMDv2orMUWs5Fbi9gyoyf6Ku0jXATtWlH', '_5mnCGT5mmv3A97bE54cNurisrN4A8HgMRLI84IxlvcpGarEh1p', '_0LXlGLbPdLQUcSJF5A9UejYoHCH8qWvx2UveVDzjlDEkBadKrL', 'fWWPhBTguISksjCVEg4pVoab1AOw1DUWi4OaFRcQMLHS39K0Ob'
              Source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack, lEUGg6TA9ZXhbgEHfaMx1ThY0rstjl4mMi7j330wAMwhdD01Mrjs6w54EiOFdqtB4DyMgA4qQkZKvQFVFIZ6aNb.csHigh entropy of concatenated method names: 'DKZt1Nmba5mu3gym5xqSWDbmChbpLhNf2cE1EL0Z2KtdUApJ40Vk5JELfW0kvUKZeTIucfJQqFMZAjvcPT02b1g', 'BC9oN1P8z9pfs2GnQEIhckIAXU1sYzGI6F0FqTW9cBCJG1gmTjCccMDn5sCxqI1XujSNM8pBTUmEYTk075oNzNg', 'M6o1H8i9q41o0dzUkzzSsWPR22F2kTKdWIXhxxD3o5nGmdTbgZguKnUOihYBpn0HRmtxSDESLf9GHMsYAUdM752', 'ePUOuxnIKy5gCP68dUdcI7mP96EzI0CHLbWpKwOVaJmguj0sKr8aybGqdALgVDHQ001doHiycKpq57E3J5GkHYp', 'KeaAToFHIO8SNmEILop6uCUoEKFSRWMci0jQZXIy9s4Ri5jMpZNC6VW70S5uWu9nZUZgbpmvp4BUwUd2ghTBHbk', 'UOgQIHadJlEWVfg2Wch0gX96asCCW0dhmwuYrUnR5Fg1riIAYReqrhzky0XNUZ09sxQh8eaYhO', 'gkxn8bi7xQYmqFjNnzFygK3JoBYajNty0140aZTz5QpnMRXPYJHw7lsEDPTIQvVwOwh9GfY25s', 'uUhqZ3uwUhvvmhdXwCTOcoPPpnknCwqgFJ56JjIefDAtOlUp0gn0E3DliLjQeYHQHY4FFJemZw', '_1mj0tZFCwTP3OLSNzUIUp49foiTDOeJLgq5uY2BCw1avlHSbONq8wkSPQ7wbUflB4pte70LUZp', 'JlvyOS4ZlISKoEMVsQH2HCJmLG4CuLphSGG7NWAhp6tSuzNstEB3DNmNbQgkG7GcUKluGMV6Zn'
              Source: 1.2.3SBlY301oa.exe.1a9cf4a4d58.3.raw.unpack, hnx6gUrEdLQrZkHVbuR3ysbr53WS710OBdOIkG5FDwALkL6YfHbGqIX9XCBl3Z45cvNhJ0UAqRKkJ2ASGu.csHigh entropy of concatenated method names: 'MCn27tSY8m8i0mQ9jTbjuVHKaSgqYhUkRjSHBdcOkYFlg8Wn9mswDqq3K0PFYlmjHGHg8Up9W1mNx05qf6', 'SNOu6jVft9cVYusd2OUL7FeVgDXjQDIxPjC3exdlIEB32VAaU2uceEwamxZLiJnc1O5qWbeNMlzS46YzU4', '_4JkXxspwrShWYOu8EqloypdaBacXKoohL2KKLq1fj1TYvJW5ytBCivHnUpzIni2aNrZhaW5ZGzqmJ7j3Oh', 'NgBa3eHghoFV7qHrsS2VrAKDnKPi2vLBU86CKvgUwGabTvVFwU0gRkAldtJQ0Fckajx1hA6fQClYg', 'gTOW2jvgUcMv1GDuUzTHZYm94k8mdVx9epxdwrnpFKkJLIgAAIjaKZxsKRa1QeZkRs3lqLorR9YMD', 't4f0jWe5oCErz0xtT2VvAuPGesSz51jNAQuTfAunHCxCmoghpMAVX6VDcDI76zFN5OQFmzRwHy2nE', 'xW6GDhLRfdRzhjPNsesQzpmMlYvAntWk8TsmBn8EEei0LXygethQiBAJknCqMGe0CvpFabzxEATEb', 'HarFJk2ViRXGJqoKYokpIAUFmTVTVSVoqG6q0', '_2vqhNDxcS7WhtxYQgeVn866eHi14fsLrqukVP', 'P4wEPP6H9xEoxZLsNnbgYphv0lli04jh4JjZx'
              Source: 1.2.3SBlY301oa.exe.1a9cf4a4d58.3.raw.unpack, LPVrK4pqk4OigmtOYVqUTKrnOk7pNblEWp6wy5ywCwNREebcyZJ5D6PCC87nOqBdKUAJQLaGQcTjT4AKZeqKURr.csHigh entropy of concatenated method names: 'NpcKyY8maoDwxlvcxcRVIup0lIXmeyH8kKiaYCT7aOD6VENYPDCdnSr03QmpxhZCVORzTPqi6c', 'zNMrRdE72TFU2RTnon79VMKhD0b6suqoJ168BDeXUMb3i3NDFQANGwDRmBA3Zo6Fqg4pWktyVw', '_2mLODVkjd3B1ofUY7GLtrEci3PBJ75leQzdHDZb0AEKH00BkImIuSIfM9Sd2nOhwO6BmSEM7PE', 'lSFXiHexEfWlc5Do0v38QCSODXKS5k7smjtpIl0WY9n25PtCDS8wFzzofFkThkpW3896hViUHy'
              Source: 1.2.3SBlY301oa.exe.1a9cf4a4d58.3.raw.unpack, ziDLcACXS24cqvyk8UjuSVl0BmE3QkTHg2wMRgvLFj7j9UoOwICcfMi.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'NeHBY7TkxjG1RCnXCeDrkD20fbRLC1rHkE1qZ5kLjkAeGfayjcMGvRlXuZFZg3wsMRepF2Mq0q', 'ynQ4ziIAtnOen2LlhJhRQfSn0QKylkYDJJYFGS6rpROr1ArgXI13qYnCGddAkv4RYWGv52s0Uf', '_10zWt7BkXnaSCItxDFQSP3yZuRi3BaQLq5gwhZM2sHc0yu87IVYAEEHwSU4IqEV0785FewBk3L', 'ERbwvm66yYI2Sc15rniGKXTjT0THCaKzC9mI2TuSfRPgVErFf2gpmdTUbnuQSPfLzlaNegrQHd'
              Source: 1.2.3SBlY301oa.exe.1a9cf4a4d58.3.raw.unpack, opnSQ24XL3OilMgfvlfjrC55vSwvR2OJeC4V70NlscRy30DujE.csHigh entropy of concatenated method names: '_1zFkoXKWjWZwJsCT5rL5aqsSge9yRTYw6LnIvFSX3J8Goq5a5Q', 'oOgaruf1KfKOKkywa41JL2m6f2OLZk1fDsny9bEyqsnLqsdI6L', 'Cx4abq6DZqTgeNMz0s5sbOb2x52lJufNPyVBjpXObFziHX3Aqc', 'zrpkx8NbIjtYvf9yoYFmfJ4OkasFMD96zv938UNWkvz5o1X7qV', 'THO2At7ZUJww27YnL9S4NlDYenjLyJod3uAyYdKtFVKiWSHpp254fZk5mrGUIQTCl9vYszDgvvYC5', 'LSnEzCBEZHcSHm4ZYh5qJQ1hXnJpL7DaEkOpVZipoG5oMGdhXBz99qoohk8L4nctuvqVhlBPj5mGk', 'e7GEWK0cRm1YuJs3Xumxe8XU3OLtweGqf6qkKs1GEuKTzlW4bRir3PRNFWBsUaao39bZfplthXwIR', 'AkLkHpJQe693l2V71MmRrUjjcYrKfrvxTXmQXKHLAaiu5BtjlPpZDGtJNrShOgtn9VB8lQnJ4fNTt', 'g9Fxq7yl15MqJtxsouW9iKw6YzvLNubMXWXXuDqqHxml9kD1Ua32y3xfxTP47MjYSaThTVDD1xFcv', 'QRmTMeAUia2a1Nxaq6vsi1YFQmfCOpMddzKDtqq85835m3ROZm4avt5TRdfbjIEqu7d0ddPKuY1g2'
              Source: 1.2.3SBlY301oa.exe.1a9cf4a4d58.3.raw.unpack, movlZjapfA1NCF8ZJOoLgpY3f0iBEspN.csHigh entropy of concatenated method names: 'M1c8kiFJbUucucXjaSnfR2nLtPbob09f', 'IMs7q0DloNNoDQRAsyZKCN0CtByg948u', '_7WlRwYCHYBkfE8xwvXDlTPA18YwlHjPk', 'viVHj9d18IScWXsSZQVpgM57FOAQMiDaiWXY2DHoLIuhIh5lwqQahsni0xWz0JD9I', 'hxwwKIciyA4398u8fCK3TuZ9Qo8G6LVrZFx6myx9VfrlE4JL9oExiPiHasnRzSmIj', 'lnPBBZ1bE6cabQay4bBQ2mVezXFzHJg8ZwLf8pX2d6KZ2KmD2ip2DZ8QtA9F6J4Vt', 'iMLJNkAXhSI4cEx6LH5k85VySJ0AVw1Wv6sEGys30BiNiqlYJQGXvejpvVYjiWgOA', '_4NZruWJbryAceex8RUEmqAdwrqJqIUiwVdDU7oFBxp4nAj6TySF7b798EdkFIq814', 'Pz5cl33t9AmOg6l8qmz2QqmffBnN9lviHcYrVqF4hHzhe1buUIo4RZ346VkIYPQY4', 'QBwydCqZT0CJE7vmBfKbW88M1QLiT5YXsab84lSIg6InLLFC4iwR13zhBiUcEcAjP'
              Source: 1.2.3SBlY301oa.exe.1a9cf4a4d58.3.raw.unpack, P7MVS4OnCoxDFg2mSN2v9joQ1CWIE3XazYIdBkMBopcpWcdVJqu0Cv9beHbBW0VybvJw0wynn3Few2MvVGmLS0f.csHigh entropy of concatenated method names: 'xIFmamIjxhcygeweRYzJpUfWUuxDESo9nGundshRochQYWakwnk638xR3QxiEerulhGOMdygd5V2KMt5z7SN9Y9', '_6CAhVxC5c5QbKaHb88vJ7HkVXLgbSndC3Bs3rkezT3927CBbvLQ5Q6ALrtLnApfgVLDJasiVQ', 'GRf7qpJUcaF2b4rDtewcJcxzWT1CWpfLuhXLdRCcSXWw9gk0tjvqISDn5z0KlcjogMs5OrRfn', 'mcItlcj118Dv5eqSN5T1i5AystGQV5MN6OZNLOGReA273eaZJ88ykqB5RhC14HgbWCMJgryTE', 'mspEGkObkL0q867onyNhWyTdS656vnhSVSpuGCS60n16OuVwnNVJilWKN8notipzctbiWH9zg', '_9IU6fSrmj55rdN06f5wjRpAwOXdt4RFZ8BJZH47Prsf6yJ5JW6ZPoFgXO6Fwwf3LXmYSYXZ8R', 'mEaik3EQhEou0DDJYG0K2rVdzZNxUfNobBVeQLrssHX59cZGd9hac82RJgMmCj7uby61AKIy1', '_2hw28fS9fiBfck11JSG7DTR30afaAoGGUUosPbdlKyRpvSaklAaaLUaudrAUfxsM5M7HEz9L8', '_2Uaqoj33codsDT4svZAcrwPbKAKNJm1jsxOkjg3O6QESflU4US4xoXyjm5nCWlbwym5mkbS8L', 'MkfQjLexxJ4Y5MbQ8yYK7FuaIzckm96gZI1HXbsBwo8WRNjtdxL0iE4Fg6CzmCywjI1fLtS7u'
              Source: 1.2.3SBlY301oa.exe.1a9cf4a4d58.3.raw.unpack, Ov2ngEci2NSKf7CACuPsjFLprayb3eMsaf2hyKnAeHj9NgyiIGGoEZ784qGXyhn0f.csHigh entropy of concatenated method names: 'cyF4dBrRKO7yi6ED1RXvUwsYPyvjMzWwAXUfbsEK6WhKyyzddB3MV1WW6UkteyZjM', 'x2ExmQI9jwo0dxRr1CcTdIrzciqAWfMKEI1XTncDjm9ZMCCV41Tt6chqWXOAWaK5MHraIuUqgYnR8VdemAOAQFO324QC', 'go6ktPSHlSt168oO2OfgAiFnUgGLEb6nzXlM8hFJDiVWbK3qyaXRlqGrtUcdmmgEiMzg9L2PX9NG8', 'T9jL2uggett9kBTiRhu3YLvzwHJ9GEUZify4mqyzSycUjDn1LtKJdlVUwFrZPSgeGqGnQ4RbauC79', 'HicLbQMe9mKgqTbKmzgtX7Ax6qBdnyY6chfIe6SDH9qlsj9BfgwSj1gVo36Bfnzj5LzOkU8JXlYbP'
              Source: 1.2.3SBlY301oa.exe.1a9cf4a4d58.3.raw.unpack, FLqkNq8t7ZY3Yw7PCsbqcLX8x9QP6PHSYCwnL7hC0R9W8ZtGfW.csHigh entropy of concatenated method names: 'wcfrJVluv3OS7yUY36HHEOEb3KIiEC3tePn2gDp886Cp1mw4DK', '_6gMZvqFuMJTFoBplDUK8mFGdtcesKwT1P1HkwzQG9b4p1UyylG', 'UNFgPUvNX7lJ21brhgt98hYwhdf6gk6mtZnKLUVZh9Vk3bAWf9', '_9SOzBfeG8MGTEJgUzN9DtpvO6oYoyVMb5utGz99MVIOXuaOVsKWWjxjkPcgOnRTgATahKUy1pezK2', 'HglCyM4Jg53pqX902L2a5IOSdwEyCE7vqg2Y8uNWN5pTSvhVFYZKX4XsXKjSRQxlaKqog7hzaTc9T', 'qYJe3i18rPj9gib7P8z65HgFG9DNP2sYJS4nUFWICITEa3rthmonrzq3nvsmTaYOteWFh8h77HGwy', 'FqzhCIIAomJZSSM4j8tfEuBxyEjWWpfOAxSVrXgtGTCilAil8UZAOg9d1QiYlZBWFwq2YBAGf1WCv', 'bzt659amT8V3PZ8xfL4XUeUaT8yBBzxMz4j0b7cOjwp63MQyclttcGgPDy7xKzlZ2ZpXco5ztBZip', '_6eqWmqnW4oQf7GnCqoZgLaxXdgCfosvWAurXTAkDEQyj1ocSMBVEH3HsU4Dd60eJWcdqVxakPrQzK', '_5f72odwL6IfroqBRVAibV5aXok16O5QtWwkt7PajH9t6ucPwSzDRmq9JsJttWVCxdQSSNNhqqmtIB'
              Source: 1.2.3SBlY301oa.exe.1a9cf4a4d58.3.raw.unpack, uMFZ3idKKxij6umJX56sbWAs3uGIN8vVfA97nEr6GqFfLYtzqm.csHigh entropy of concatenated method names: 'IqCY5ARkNOvWyqqjvLsY5SbFsxdTHwZxfPSmxYkVCyfhCki8aw', 'K5rKr2zgNMyDsGKQwrE6mTuIfaT3xADZiC0B1OrM46gGt9HqeD', 'VPpDPIotu6pMH1Cs8mGfYkCq28yFcglBfT4hNqV81b9y2lR1jo', 'M9k9ko3eSQ4rK1i8vAJX1QLwoiiXd5AJginNuiz61pokGFQ8TW', 'm7XyOM43gO65utKMRRHxHBAVbwtkNIFUlAZwJ2xwlaSYhEWvjZ', 'ITaGyHzq9WHYJfuo5IdindCbGEMf5inZkp2XLDs3r5w9eonL84', 'bIPZ4nieEwHFLMBHuq7hvJ3BpSQuo7d8sR4GF27uAmacBjbv9Q', 'XOeiLNyUXueNYW3zzG2nvo0eJdPJDHtByX2gJMf3HRkjalox7g', 'DRUGSg0piHSn38oBZXNYdRLixptxsvtAisO0JIJ5aVtIJR6GbO', 'EGYlzJtcZoAvfuFHsR7OjQSuZXxNOIKAoFVon54hcgOcebfwrn'
              Source: 1.2.3SBlY301oa.exe.1a9cf4a4d58.3.raw.unpack, Kgn0Nl0cIVemHWKGRa2fKZarKOln46ySB1LQfPpw5mm9bvx1kkun9MhJghfZQsiZK.csHigh entropy of concatenated method names: 'ZXg0uSo4FTOUnE2WSjicvZslQk2lqtORPWQvrK4WuHvONDHc54Fy4EpnxnwRaOc0f', 'ljt5YwntiiKZBAoYd8kMEwFFUNVakzSb6liLBUQkUIkGlZdWra5buYOs1HCtLKSwf', 'SPgB8y2Y6yiy1BmeNENfU31S2iqtBI3MHnHvVZfxjwLMaSiPUv', 'GJeyvC7H1k0VVI1MZSiEO1WXmSQGOzmXYKY4XabJOL9svwy9Wh', '_7U79M5KPcHdMepvALfjVXxWspOqB8Im5gLJzJhPAnvFLhNYEOu', '_5MPTmxWNCFXDgxsi2y37uQlb3jjFH7a5LwKqz0dQAkKYXHzzYW', 'dHeeJ2G6Pxbsw2nv1SMDv2orMUWs5Fbi9gyoyf6Ku0jXATtWlH', '_5mnCGT5mmv3A97bE54cNurisrN4A8HgMRLI84IxlvcpGarEh1p', '_0LXlGLbPdLQUcSJF5A9UejYoHCH8qWvx2UveVDzjlDEkBadKrL', 'fWWPhBTguISksjCVEg4pVoab1AOw1DUWi4OaFRcQMLHS39K0Ob'
              Source: 1.2.3SBlY301oa.exe.1a9cf4a4d58.3.raw.unpack, lEUGg6TA9ZXhbgEHfaMx1ThY0rstjl4mMi7j330wAMwhdD01Mrjs6w54EiOFdqtB4DyMgA4qQkZKvQFVFIZ6aNb.csHigh entropy of concatenated method names: 'DKZt1Nmba5mu3gym5xqSWDbmChbpLhNf2cE1EL0Z2KtdUApJ40Vk5JELfW0kvUKZeTIucfJQqFMZAjvcPT02b1g', 'BC9oN1P8z9pfs2GnQEIhckIAXU1sYzGI6F0FqTW9cBCJG1gmTjCccMDn5sCxqI1XujSNM8pBTUmEYTk075oNzNg', 'M6o1H8i9q41o0dzUkzzSsWPR22F2kTKdWIXhxxD3o5nGmdTbgZguKnUOihYBpn0HRmtxSDESLf9GHMsYAUdM752', 'ePUOuxnIKy5gCP68dUdcI7mP96EzI0CHLbWpKwOVaJmguj0sKr8aybGqdALgVDHQ001doHiycKpq57E3J5GkHYp', 'KeaAToFHIO8SNmEILop6uCUoEKFSRWMci0jQZXIy9s4Ri5jMpZNC6VW70S5uWu9nZUZgbpmvp4BUwUd2ghTBHbk', 'UOgQIHadJlEWVfg2Wch0gX96asCCW0dhmwuYrUnR5Fg1riIAYReqrhzky0XNUZ09sxQh8eaYhO', 'gkxn8bi7xQYmqFjNnzFygK3JoBYajNty0140aZTz5QpnMRXPYJHw7lsEDPTIQvVwOwh9GfY25s', 'uUhqZ3uwUhvvmhdXwCTOcoPPpnknCwqgFJ56JjIefDAtOlUp0gn0E3DliLjQeYHQHY4FFJemZw', '_1mj0tZFCwTP3OLSNzUIUp49foiTDOeJLgq5uY2BCw1avlHSbONq8wkSPQ7wbUflB4pte70LUZp', 'JlvyOS4ZlISKoEMVsQH2HCJmLG4CuLphSGG7NWAhp6tSuzNstEB3DNmNbQgkG7GcUKluGMV6Zn'
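
The two static findings above (a PE timestamp that decodes to 2052, and classes whose method names are long random-looking strings) are both cheap to reproduce on the analyst side. The script below is an added example, not Joe Sandbox code and not part of the report: it decodes and sanity-checks a TimeDateStamp, reads that field straight out of a PE image, and scores a list of method names with a Shannon-entropy metric. The entropy metric and its thresholds are assumptions about what such a check looks like, not the sandbox's own algorithm; the method names are copied from one of the entropy findings above, the benign comparison set and the minimal PE header used for the self-test are constructed here.

```python
"""Static-triage helpers: PE timestamp sanity check and method-name entropy.
Added example; the entropy metric and thresholds are assumptions, not Joe Sandbox's."""
import math
import struct
from collections import Counter
from datetime import datetime, timezone
from typing import Iterable, List, Tuple

REPORT_TIMESTAMP = 0x9B9359DD  # TimeDateStamp value shown in the report above


def decode_timestamp(ts: int) -> datetime:
    """The COFF TimeDateStamp is seconds since the Unix epoch, in UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def timestamp_is_suspicious(ts: int, now: datetime) -> bool:
    """Zero, or a build time later than 'now', cannot be a genuine compile time.
    Caveat: Roslyn deterministic builds store a hash here, which often decodes to a
    far-future date, so this flags for follow-up rather than proving tampering."""
    return ts == 0 or decode_timestamp(ts) > now


def read_pe_timestamp(data: bytes) -> int:
    """Pull TimeDateStamp out of a PE image in memory without a PE-parsing library."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return ts


def build_minimal_pe_header(ts: int) -> bytes:
    """Constructed test image: a DOS header pointing at the PE signature plus a COFF header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, ts, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


def shannon_entropy(text: str) -> float:
    """Bits per character; the ceiling for base-62 identifiers is log2(62), about 5.95."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def names_look_generated(names: Iterable[str], min_entropy: float = 4.8,
                         min_avg_len: float = 30.0) -> Tuple[bool, float, float]:
    """Return (flag, entropy, average length). Both gates must trip: hand-written
    code has short, word-like names (around 4 bits/char), while renaming obfuscators
    emit long names spread almost uniformly over letters and digits."""
    names: List[str] = list(names)
    ent = shannon_entropy("".join(names))
    avg = sum(map(len, names)) / len(names) if names else 0.0
    return (ent >= min_entropy and avg >= min_avg_len), ent, avg


# Method names copied from one of the report's entropy findings above.
OBFUSCATED_NAMES = [
    "NpcKyY8maoDwxlvcxcRVIup0lIXmeyH8kKiaYCT7aOD6VENYPDCdnSr03QmpxhZCVORzTPqi6c",
    "zNMrRdE72TFU2RTnon79VMKhD0b6suqoJ168BDeXUMb3i3NDFQANGwDRmBA3Zo6Fqg4pWktyVw",
    "_2mLODVkjd3B1ofUY7GLtrEci3PBJ75leQzdHDZb0AEKH00BkImIuSIfM9Sd2nOhwO6BmSEM7PE",
    "lSFXiHexEfWlc5Do0v38QCSODXKS5k7smjtpIl0WY9n25PtCDS8wFzzofFkThkpW3896hViUHy",
]
# Constructed benign comparison set: ordinary System.Object members.
BENIGN_NAMES = ["Equals", "GetHashCode", "GetType", "ToString"]

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(decode_timestamp(REPORT_TIMESTAMP), timestamp_is_suspicious(REPORT_TIMESTAMP, now))
    print(read_pe_timestamp(build_minimal_pe_header(REPORT_TIMESTAMP)) == REPORT_TIMESTAMP)
    print(names_look_generated(OBFUSCATED_NAMES))
    print(names_look_generated(BENIGN_NAMES))
```

To run the timestamp check on a real sample, pass the file's bytes to read_pe_timestamp and the analysis date to timestamp_is_suspicious; the average-length gate in names_look_generated is what keeps short but letter-rich benign names from tripping the entropy threshold alone.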
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\jsc.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jsc.lnk
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jsc.lnk
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run jsc
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run jsc
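
The persistence chain recorded above is unusual enough to detect on its own: the acting process is the .NET Framework's JScript compiler (jsc.exe, which never writes into a user profile on its own), it drops an executable into the root of %APPDATA%, places a shortcut in the Startup folder and sets an HKCU Run value. The following is an added example of detection logic for that pattern, not part of the report or of Joe Sandbox. Its event schema (process, action, target, value) is a simplified stand-in for Sysmon FileCreate and RegistryValueSet events, the sample events are constructed from the report lines above, and the data stored in the Run value is an assumption because the report only names the value "jsc".

```python
"""Correlate file-create and registry-set events into the jsc.exe persistence pattern.
Added example; the event schema and sample telemetry are constructed, not captured."""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Event:
    process: str       # image path of the acting process
    action: str        # "file_create" or "reg_set"
    target: str        # file path, or registry value path for reg_set
    value: str = ""    # registry data for reg_set, otherwise empty


FRAMEWORK_DIRS = (
    r"c:\windows\microsoft.net\framework\v",
    r"c:\windows\microsoft.net\framework64\v",
)
STARTUP_LNK_RE = re.compile(
    r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+\.lnk$")
HKCU_RUN_RE = re.compile(
    r"^hkey_current_user\\software\\microsoft\\windows\\currentversion\\run\\[^\\]+$")
APPDATA_ROOT_EXE_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\[^\\]+\.exe$")


def classify(ev: Event) -> Optional[str]:
    """Map one event to a rule name, or None when it is not interesting."""
    proc, target, value = ev.process.lower(), ev.target.lower(), ev.value.lower()
    if ev.action == "file_create":
        # A compiler shipped with the framework (jsc.exe, csc.exe, ...) writing an
        # .exe into the roaming profile root is the hollowed-process signature.
        if proc.startswith(FRAMEWORK_DIRS) and APPDATA_ROOT_EXE_RE.match(target):
            return "framework_tool_drops_exe"
        if STARTUP_LNK_RE.search(target):
            return "startup_lnk"
    elif ev.action == "reg_set":
        if HKCU_RUN_RE.match(target) and "\\appdata\\" in value:
            return "hkcu_run_to_appdata"
    return None


def find_persistence(events: List[Event]) -> Dict[str, Set[str]]:
    """Group rule hits by acting process; processes with no hits are omitted."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        rule = classify(ev)
        if rule:
            hits[ev.process.lower()].add(rule)
    return dict(hits)


def high_confidence(hits: Dict[str, Set[str]]) -> List[str]:
    """One process using two or more of the three mechanisms matches the report's pattern."""
    return sorted(p for p, rules in hits.items() if len(rules) >= 2)


def resolve_lnk_target(lnk_path: str, relative_target: str) -> str:
    """Resolve a shortcut's relative target (the report shows ..\\..\\..\\..\\..\\jsc.exe)
    against the shortcut's own folder using Windows path rules, whatever the host OS."""
    return ntpath.normpath(ntpath.join(ntpath.dirname(lnk_path), relative_target))


JSC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
STARTUP = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed sample telemetry modelled on the report lines; the Run value data is an
# assumption, plus two benign events that must not fire.
SAMPLE_EVENTS = [
    Event(JSC, "file_create", r"C:\Users\user\AppData\Roaming\jsc.exe"),
    Event(JSC, "file_create", STARTUP + r"\jsc.lnk"),
    Event(JSC, "reg_set",
          r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jsc",
          r"C:\Users\user\AppData\Roaming\jsc.exe"),
    Event(r"C:\Windows\explorer.exe", "file_create", r"C:\Users\user\Desktop\Notes.lnk"),
    Event(r"C:\Program Files\Vendor\setup.exe", "reg_set",
          r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
          r"C:\Program Files\Vendor\tray.exe"),
]

if __name__ == "__main__":
    hits = find_persistence(SAMPLE_EVENTS)
    for proc in high_confidence(hits):
        print(proc, sorted(hits[proc]))
    print(resolve_lnk_target(STARTUP + r"\jsc.lnk", r"..\..\..\..\..\jsc.exe"))
```

The correlation step matters more than any single rule: a Startup shortcut or a Run value on its own is routine on a workstation, while the same process performing two of the three actions, with a framework compiler as the actor, is the combination this report shows.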

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Users\user\Desktop\3SBlY301oa.exe  Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe  Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WerFault.exe  Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\System32\WerFault.exe  Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\jsc.exe; Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: Yara match; File source: Process Memory Space: 3SBlY301oa.exe PID: 7544, type: MEMORYSTR
              Source: 3SBlY301oa.exe, 00000001.00000002.1537030307.000001A9BF5B9000.00000004.00000800.00020000.00000000.sdmp, 3SBlY301oa.exe, 00000001.00000002.1537030307.000001A9BF28B000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: WINE_GET_UNIX_FILE_NAME
              Source: 3SBlY301oa.exe, 00000001.00000002.1537030307.000001A9BF5B9000.00000004.00000800.00020000.00000000.sdmp, 3SBlY301oa.exe, 00000001.00000002.1537030307.000001A9BF28B000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLL
              Source: C:\Users\user\Desktop\3SBlY301oa.exe; Memory allocated: 1A9BD8F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\3SBlY301oa.exe; Memory allocated: 1A9D7250000 memory reserve | memory write watch
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Memory allocated: 2A50000 memory reserve | memory write watch
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Memory allocated: 2BC0000 memory reserve | memory write watch
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Memory allocated: 4BC0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\jsc.exe; Memory allocated: 2410000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\jsc.exe; Memory allocated: 2610000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\jsc.exe; Memory allocated: 2550000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\jsc.exe; Memory allocated: B00000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\jsc.exe; Memory allocated: 26B0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\jsc.exe; Memory allocated: 46B0000 memory reserve | memory write watch
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\jsc.exe; Thread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Window / User API: threadDelayed 2913
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Window / User API: threadDelayed 6881
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5866
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3857
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 7634
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 1946
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5921
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3878
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 1168; Thread sleep time: -33204139332677172s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8016; Thread sleep time: -6456360425798339s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8188; Thread sleep count: 7634 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8172; Thread sleep count: 1946 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7232; Thread sleep time: -5534023222112862s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7332; Thread sleep count: 5921 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7332; Thread sleep count: 3878 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7412; Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Users\user\AppData\Roaming\jsc.exe TID: 2092; Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\jsc.exe TID: 2184; Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\jsc.exe TID: 7996; Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\jsc.exe TID: 7984; Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; File Volume queried: C:\ FullSizeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\jsc.exe; Thread delayed: delay time: 922337203685477
              Source: Amcache.hve.7.dr; Binary or memory string: VMware
              Source: Amcache.hve.7.dr; Binary or memory string: VMware Virtual USB Mouse
              Source: Amcache.hve.7.dr; Binary or memory string: vmci.syshbin
              Source: Amcache.hve.7.dr; Binary or memory string: VMware, Inc.
              Source: 3SBlY301oa.exe, 00000001.00000002.1537030307.000001A9BF28B000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: Amcache.hve.7.dr; Binary or memory string: VMware20,1hbin@
              Source: Amcache.hve.7.dr; Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
              Source: Amcache.hve.7.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: Amcache.hve.7.dr; Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
              Source: Amcache.hve.7.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: 3SBlY301oa.exe, 00000001.00000002.1537030307.000001A9BF28B000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMWARE
              Source: 3SBlY301oa.exe, 00000001.00000002.1537030307.000001A9BF28B000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
              Source: Amcache.hve.7.dr; Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
              Source: 3SBlY301oa.exe, 00000001.00000002.1537030307.000001A9BF28B000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
              Source: 3SBlY301oa.exe, 00000001.00000002.1537030307.000001A9BF28B000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMware SVGA II
              Source: Amcache.hve.7.dr; Binary or memory string: c:/windows/system32/drivers/vmci.sys
              Source: Amcache.hve.7.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: jsc.exe, 00000003.00000002.3786253130.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: Amcache.hve.7.dr; Binary or memory string: vmci.sys
              Source: 3SBlY301oa.exe, 00000001.00000002.1537030307.000001A9BF28B000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
              Source: Amcache.hve.7.dr; Binary or memory string: vmci.syshbin`
              Source: 3SBlY301oa.exe, 00000001.00000002.1537030307.000001A9BF28B000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: vmware
              Source: Amcache.hve.7.dr; Binary or memory string: \driver\vmci,\driver\pci
              Source: 3SBlY301oa.exe, 00000001.00000002.1537030307.000001A9BF28B000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
              Source: 3SBlY301oa.exe, 00000001.00000002.1537030307.000001A9BF28B000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
              Source: Amcache.hve.7.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: Amcache.hve.7.dr; Binary or memory string: VMware20,1
              Source: Amcache.hve.7.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
              Source: Amcache.hve.7.dr; Binary or memory string: NECVMWar VMware SATA CD00
              Source: Amcache.hve.7.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
              Source: Amcache.hve.7.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
              Source: Amcache.hve.7.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
              Source: Amcache.hve.7.dr; Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
              Source: Amcache.hve.7.dr; Binary or memory string: VMware PCI VMCI Bus Device
              Source: 3SBlY301oa.exe, 00000001.00000002.1537030307.000001A9BF28B000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
              Source: 3SBlY301oa.exe, 00000001.00000002.1537030307.000001A9BF28B000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
              Source: Amcache.hve.7.dr; Binary or memory string: VMware VMCI Bus Device
              Source: Amcache.hve.7.dr; Binary or memory string: VMware Virtual RAM
              Source: Amcache.hve.7.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
              Source: Amcache.hve.7.dr; Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
              Source: Amcache.hve.7.dr; Binary or memory string: vmci.inf_amd64_68ed49469341f563
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\3SBlY301oa.exe; Process queried: DebugPort
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
              Source: C:\Users\user\Desktop\3SBlY301oa.exe; Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: 3SBlY301oa.exe, -------.cs; Reference to suspicious API methods: GetProcAddress(__0656_FDEE_061A, _06E3_0607_061D_065B)
              Source: 3SBlY301oa.exe, -------.cs; Reference to suspicious API methods: VirtualProtect(procAddress, (uint)_06D6.Length, 64u, out var _065E_060D_FBC2_FBC9_060B_06E9)
              Source: 3SBlY301oa.exe, -------.cs; Reference to suspicious API methods: LoadLibrary(_FDE2_FDE4_06DF_06DC_FDEC(_061D_0602_0650_06D6._060A_0607_FDE4))
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe'
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\jsc.exe'
              Source: C:\Users\user\Desktop\3SBlY301oa.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000 protect: page execute and read and write
              Source: C:\Users\user\Desktop\3SBlY301oa.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\3SBlY301oa.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000
              Source: C:\Users\user\Desktop\3SBlY301oa.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 402000
              Source: C:\Users\user\Desktop\3SBlY301oa.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 418000
              Source: C:\Users\user\Desktop\3SBlY301oa.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 41A000
              Source: C:\Users\user\Desktop\3SBlY301oa.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: B59008
              Source: C:\Users\user\Desktop\3SBlY301oa.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'jsc.exe'
              Source: C:\Users\user\Desktop\3SBlY301oa.exe; Queries volume information: C:\Users\user\Desktop\3SBlY301oa.exe VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\jsc.exe | Queries volume information: C:\Users\user\AppData\Roaming\jsc.exe | VolumeInformation
              Source: C:\Users\user\AppData\Roaming\jsc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.JScript\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll | VolumeInformation
              Source: C:\Users\user\Desktop\3SBlY301oa.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: Amcache.hve.7.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
              Source: Amcache.hve.7.dr | Binary or memory string: msmpeng.exe
              Source: Amcache.hve.7.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
              Source: Amcache.hve.7.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
              Source: jsc.exe, 00000003.00000002.3786253130.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000003.00000002.3806247170.0000000006B45000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000003.00000002.3786253130.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000003.00000002.3786253130.0000000000DB8000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000003.00000002.3806247170.0000000006B20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: Amcache.hve.7.dr | Binary or memory string: MsMpEng.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

              Stealing of Sensitive Information

              Source: Yara match | File source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 1.2.3SBlY301oa.exe.1a9cf4a4d58.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.jsc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 1.2.3SBlY301oa.exe.1a9cf4a4d58.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000003.00000002.3783921795.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.1543708251.000001A9CF43B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: 3SBlY301oa.exe PID: 7544, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: jsc.exe PID: 7624, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match | File source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 1.2.3SBlY301oa.exe.1a9cf4a4d58.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.jsc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 1.2.3SBlY301oa.exe.1a9cf4b9ba0.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 1.2.3SBlY301oa.exe.1a9cf4a4d58.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000003.00000002.3783921795.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.1543708251.000001A9CF43B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: 3SBlY301oa.exe PID: 7544, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: jsc.exe PID: 7624, type: MEMORYSTR
              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 21 Registry Run Keys / Startup Folder | 311 Process Injection | 1 Masquerading | OS Credential Dumping | 131 Security Software Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
              Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 21 Registry Run Keys / Startup Folder | 11 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | 1 DLL Side-Loading | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 311 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 21 Application Layer Protocol | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Obfuscated Files or Information | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
              Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Timestomp | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
              Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph (ID: 1465372; Sample: 3SBlY301oa.exe; Start date: 01/07/2024; Architecture: WINDOWS; Score: 100)

Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures
DNS/IP at top level: rwanco.duckdns.org (Uses dynamic DNS services)

Process tree (numbers after a process name are the created-registry-values / created-files badges exactly as shown on the graph node):

• 3SBlY301oa.exe (2) started
  Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  • jsc.exe (1 7) started
    DNS/IP: rwanco.duckdns.org 78.159.112.6, ports 1556, 49716, 49719, LEASEWEB-DE-FRA-10DE Germany
    Dropped: C:\Users\user\AppData\Roaming\jsc.exe, PE32
    Signatures: Protects its processes via BreakOnTermination flag; Bypasses PowerShell execution policy; Adds a directory exclusion to Windows Defender
    • powershell.exe (23) started (signature: Loading BitLocker PowerShell Module)
      • conhost.exe started
    • powershell.exe (22) started
      • conhost.exe started
    • powershell.exe (23) started
      • conhost.exe started
  • WerFault.exe (19 16) started
    Dropped: C:\ProgramData\Microsoft\...\Report.wer, Unicode
  • jsc.exe started
• jsc.exe started
  • conhost.exe started
• jsc.exe started
  • conhost.exe started

Antivirus detection (initial sample)

Source           Detection  Scanner         Label
3SBlY301oa.exe   71%        ReversingLabs   Win64.Backdoor.Xworm
3SBlY301oa.exe   100%       Joe Sandbox ML

Antivirus detection (dropped files)

Source                                   Detection  Scanner
C:\Users\user\AppData\Roaming\jsc.exe    0%         ReversingLabs

No Antivirus matches
No Antivirus matches

Antivirus detection (URLs)

Source                                                        Detection  Scanner          Label
http://nuget.org/NuGet.exe                                    0%         URL Reputation   safe
http://pesterbdd.com/images/Pester.png                        0%         URL Reputation   safe
http://schemas.xmlsoap.org/soap/encoding/                     0%         URL Reputation   safe
https://aka.ms/pscore6lB                                      0%         URL Reputation   safe
http://www.apache.org/licenses/LICENSE-2.0.html               0%         URL Reputation   safe
https://go.micro                                              0%         URL Reputation   safe
http://schemas.xmlsoap.org/wsdl/                              0%         URL Reputation   safe
https://contoso.com/                                          0%         URL Reputation   safe
https://nuget.org/nuget.exe                                   0%         URL Reputation   safe
https://contoso.com/License                                   0%         URL Reputation   safe
https://contoso.com/Icon                                      0%         URL Reputation   safe
http://upx.sf.net                                             0%         URL Reputation   safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name    0%         URL Reputation   safe
https://go.micros                                             0%         Avira URL Cloud  safe
https://github.com/Pester/Pester                              0%         Avira URL Cloud  safe
http://www.microsoft.co                                       0%         Avira URL Cloud  safe
rwanco.duckdns.org                                            100%       Avira URL Cloud  malware
http://crl.mi                                                 0%         Avira URL Cloud  safe
Contacted domains

Name                          IP               Active  Malicious  Antivirus Detection       Reputation
bg.microsoft.map.fastly.net   199.232.210.172  true    false                                unknown
rwanco.duckdns.org            78.159.112.6     true    true                                 unknown

Name                 Malicious  Antivirus Detection       Reputation
rwanco.duckdns.org   true       Avira URL Cloud: malware  unknown
URLs found in memory or binary data (Name / Source / Malicious / Antivirus Detection / Reputation)

• http://nuget.org/NuGet.exe
  Source: powershell.exe, 00000009.00000002.1394565515.0000000005CBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1427775848.0000000005CED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1468272019.000000000602D000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown
• https://go.micros
  Source: powershell.exe, 0000000F.00000002.1482953682.0000000008993000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: unknown
• http://pesterbdd.com/images/Pester.png
  Source: powershell.exe, 0000000F.00000002.1454204375.0000000005116000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown
• http://schemas.xmlsoap.org/soap/encoding/
  Source: powershell.exe, 00000009.00000002.1387360288.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1420206040.0000000004DD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1454204375.0000000005116000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown
• https://aka.ms/pscore6lB
  Source: powershell.exe, 00000009.00000002.1387360288.0000000004C51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1420206040.0000000004C81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1454204375.0000000004FC1000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown
• http://www.apache.org/licenses/LICENSE-2.0.html
  Source: powershell.exe, 0000000F.00000002.1454204375.0000000005116000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown
• https://go.micro
  Source: powershell.exe, 0000000C.00000002.1420206040.000000000546C000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown
• http://schemas.xmlsoap.org/wsdl/
  Source: powershell.exe, 00000009.00000002.1387360288.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1420206040.0000000004DD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1454204375.0000000005116000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown
• https://contoso.com/
  Source: powershell.exe, 0000000F.00000002.1468272019.000000000602D000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown
• https://nuget.org/nuget.exe
  Source: powershell.exe, 00000009.00000002.1394565515.0000000005CBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1427775848.0000000005CED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1468272019.000000000602D000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown
• http://www.microsoft.co
  Source: powershell.exe, 0000000F.00000002.1475019979.0000000007A82000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: unknown
• https://contoso.com/License
  Source: powershell.exe, 0000000F.00000002.1468272019.000000000602D000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown
• https://contoso.com/Icon
  Source: powershell.exe, 0000000F.00000002.1468272019.000000000602D000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown
• http://upx.sf.net
  Source: Amcache.hve.7.dr
  Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown
• http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  Source: jsc.exe, 00000003.00000002.3790232304.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1387360288.0000000004C51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1420206040.0000000004C81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1454204375.0000000004FC1000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown
• https://github.com/Pester/Pester
  Source: powershell.exe, 0000000F.00000002.1454204375.0000000005116000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: unknown
• http://crl.mi
  Source: powershell.exe, 0000000F.00000002.1451228175.00000000032AE000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: unknown
Contacted IPs

IP             Domain              Country  ASN    ASN Name              Malicious
78.159.112.6   rwanco.duckdns.org  Germany  28753  LEASEWEB-DE-FRA-10DE  true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1465372
Start date and time: 2024-07-01 15:43:02 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 42s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 3SBlY301oa.exe
renamed because original name is a hash value
Original Sample Name: b1027ba8039c64d6887daa9ef2f97438ebfa2f6877e2158680c01b326bdc76c9.exe
Detection: MAL
Classification: mal100.troj.expl.evad.winEXE@19/24@4/1
EGA Information:
• Successful, ratio: 71.4%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 264
• Number of non-executed functions: 3
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 199.232.210.172, 20.189.173.20, 2.16.100.168, 88.221.110.91
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, time.windows.com, a767.dspw65.akamai.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, ocsp.digicert.com, login.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net
• Execution Graph export aborted for target jsc.exe, PID 2860 because it is empty
• Execution Graph export aborted for target jsc.exe, PID 3256 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: 3SBlY301oa.exe
Time      Type             Description
09:44:12  API Interceptor  30x Sleep call for process: powershell.exe modified
11:28:11  API Interceptor  7473536x Sleep call for process: jsc.exe modified
11:28:14  API Interceptor  1x Sleep call for process: WerFault.exe modified
17:28:14  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run jsc C:\Users\user\AppData\Roaming\jsc.exe
17:28:22  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run jsc C:\Users\user\AppData\Roaming\jsc.exe
17:28:30  Autostart        Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jsc.lnk
                  No context
Match: bg.microsoft.map.fastly.net (associated sample name / URL; detection; threat name; context)
• http://trk-synovetra.com; malicious; Unknown; context: 199.232.214.172
• fOsCO13KRs.exe; malicious; RedLine; context: 199.232.214.172
• https://cts.vresp.com/c/?WaveCompliance/d919e57ba7/b5e5b2a536/185933d903/utm_source=abhi&utm_medium=hr&utm_campaign=email; malicious; Unknown; context: 199.232.210.172
• Remittance advice.exe; malicious; AgentTesla; context: 199.232.210.172
• https://na4.docusign.net/Signing/EmailStart.aspx?a=95fa3666-e4d2-4181-926f-7d752b5d1bb7&acct=4b225f64-a250-4de3-9bb5-6320c76f2c33&er=388f7591-fe27-446f-8df0-11aebdd778b2; malicious; Unknown; context: 199.232.210.172
• mUNguTZLws.exe; malicious; AgentTesla, PureLog Stealer; context: 199.232.210.172
• Agreement for Bmangan 5753.pdf; malicious; HTMLPhisher; context: 199.232.210.172
• http://62.133.61.26/Downloads/MOD_200.pdf.lnk; malicious; Unknown; context: 199.232.214.172
• http://bestresulttostart.com; malicious; Unknown; context: 199.232.214.172
• MacroGamer.exe; malicious; PureLog Stealer, zgRAT; context: 199.232.210.172
Match: LEASEWEB-DE-FRA-10DE (associated sample name / URL; detection; threat name; context)
• https://cfdieih.hornydate24.link/s/20b72a96a814b?ext_click_id=22v23v2bf02d; malicious; Unknown; context: 178.162.199.80
• Die Frau sa#U00df starr und in sich gekehrt..eml; malicious; Unknown; context: 178.162.199.80
• https://42442763756652.docs.google.com/drawings/d/1tU7bhYvC_6uPDICVJZ5kXXR1DmS2YvHcWEekSlAaWLc/preview?VJ4GG; malicious; Porn Scam; context: 178.162.199.80
• 4.pdf; malicious; Unknown; context: 178.162.199.80
• JUSTIFICANTE PAGO FACTURA.vbs; malicious; AgentTesla, GuLoader; context: 212.95.49.159
• https://www.purchasephone.shop/; malicious; TechSupportScam; context: 217.20.112.104
• https://argodol.com/ie?v=4&c=pNl_LY5tgxsDVFJ7yjAhxUK53mrL8P-PIMg9guWrcdh3GO5zzQhV7iCF-mGXFebG9h8YlE_RVXPcp49vtB1cCgv2a0l2octZulitWCBOJPArDSW-2qNb3FLq9ypF1k-Vk1irZOwsjsML77pmTp3XSP6169vVcR4Zittr_YOJhI9; malicious; Unknown; context: 178.162.215.162
• BHrOeWBfOL.dll; malicious; Unknown; context: 185.49.69.41
• BHrOeWBfOL.dll; malicious; Unknown; context: 185.49.69.41
• https://winrocket07.z13.web.core.windows.net/; malicious; TechSupportScam; context: 217.20.112.104
                  No context
Match: C:\Users\user\AppData\Roaming\jsc.exe (associated sample name; detection; threat name)
• z9order.exe; malicious; AgentTesla
• Halkbank_Ekstre_20240626_0805893_4585894.xlxs.exe; malicious; AgentTesla
• hesaphareketi-01.pdf.exe; malicious; AgentTesla
• kSf9sIgyxl.exe; malicious; Nanocore
• AUS5YMhYPA.exe; malicious; AgentTesla
• INQUIRY#46789_MAY24_PLANEX_SERVICES_CONTRACTING_GOODS.exe; malicious; AgentTesla
• DHL EXPRESS.exe; malicious; AgentTesla
• DHL EXPRESS.exe; malicious; AgentTesla
• SecuriteInfo.com.IL.Trojan.MSILZilla.114613.20476.19722.exe; malicious; AgentTesla
• AWB-Ref-#32122432 Pdf.exe; malicious; AgentTesla
Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: modified
Size (bytes): 65536
Entropy (8bit): 0.9926051149229566
Encrypted: false
SSDEEP: 192:5AKSXrHfez0UnUtaWh8U/NzuiFdZ24lO8wvTSH:9S7egUnUtau80zuiFdY4lO8wvs
MD5: 974E4435C1E4402EA606925A18A5CC21
SHA1: 477880C365880E184CEA07B9489BA8700EC2CB07
SHA-256: 0D44C592AFB0818CCF797DD0FDCEFA8E4C464E52BA35F5221322204B55559C43
SHA-512: 18AB8BCC562935A42BFBA71314C8B4670CC06ACFD27EA47A04647A19B2265AC3D3EB960F893B916C48A290DAB9F460CFC13B25E6FA53C6056C2268D524935E94
Malicious: true
                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.3.1.5.0.4.9.6.8.0.4.1.8.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.3.1.5.0.5.0.2.2.7.3.0.2.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.0.3.9.f.f.3.0.-.d.7.4.9.-.4.6.d.d.-.a.7.0.5.-.b.4.a.3.9.8.e.3.5.d.d.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.f.7.9.2.b.c.e.-.7.4.c.0.-.4.d.2.f.-.b.8.9.2.-.8.5.e.0.9.3.7.7.1.2.1.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.3.S.B.l.Y.3.0.1.o.a...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.E.p.e.b.u.j.o.k.e.h.a.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.7.8.-.0.0.0.1.-.0.0.1.4.-.b.a.0.8.-.d.4.b.e.b.c.c.b.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.a.7.5.f.8.d.3.0.6.f.1.4.5.4.0.2.1.d.e.7.7.5.1.e.1.e.8.6.7.d.3.0.0.0.0.0.0.0.0.!.0.0.0.0.5.d.4.7.5.b.0.0.1.5.3.f.3.b.d.0.d.1.6.0.1.0.e.b.d.5.c.5.a.b.a.6.5.6.4.5.5.5.5.2.!.3.S.B.l.Y.3.0.1.o.a...
Process: C:\Windows\System32\WerFault.exe
File Type: Mini DuMP crash report, 16 streams, Mon Jul 1 13:44:09 2024, 0x1205a4 type
Category: dropped
Size (bytes): 388095
Entropy (8bit): 3.2693049960168037
Encrypted: false
SSDEEP: 3072:4lvl9wIMI/Q4siQ4cSCXZO5FlJ1CCqntI3+vUVsv:Mvl9rMhmCXYnqC3QUV
MD5: 4400E05FE52E80CDD0829874DAB289DC
SHA1: 523498DF1606537E6DF02B0D36908403E2C78CEF
SHA-256: 68A29596D640C5C1AFED63F65FE271AE9DEBF24F38B8C71DE0EAABE25A3EDD93
SHA-512: 43FD0309E0B5CA4F4435AC21CB8A8F412768A11A60CA41E4749D5F22367C8927E30441B64AD536BD0F22BED695B7FB46E96B09CDBB3C6FE26964B5D4C461B775
Malicious: false
                                      Preview:MDMP..a..... ..........f....................................$...........H...........TE...t..........l.......8...........T............(..w............7...........8..............................................................................eJ.......9......Lw......................T.......x......f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8604
Entropy (8bit): 3.707768815851765
Encrypted: false
SSDEEP: 192:R6l7wVeJwdFPFu6YNQF4HgmfAqsprR489bTm8fZsxm:R6lXJCFU6Y6FwgmfAqOFTVfJ
MD5: 42959CF7436638A4F83455A213A62E37
SHA1: A320A106EC69E0A493D2107B7E3F6368B3645CCA
SHA-256: CEC3B066CFFD2E10A27D4779226501B09A44ADB555D12A74261B708633D0EDFC
SHA-512: 74B2373DAE35EE7D000D8BB7CA633E3037843ABAA14BE14B56FC81D41CDADC8C65EC78D0F974EBAF9EFFE78A70BC666BBB33FA2F2AEC370ECC67AC6E40EE8164
Malicious: false
                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.4.4.<./.P.i.
Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4763
Entropy (8bit): 4.517803069008242
Encrypted: false
SSDEEP: 48:cvIwWl8zsEJg771I969WpW8VYRSsYm8M4JMSAFNyq85zL/uzBYLQd:uIjfCI7lM7VsSpJgq2YLQd
MD5: F885621DE8BC58A6AF3594C977779BBC
SHA1: CBA9241B39CBD097EF457C948D6F92124638D7DA
SHA-256: DB52C9A08A52B5D5F6AA359985CC5ED72DD23782B56EF534E572CD85B04F4D18
SHA-512: AEE20D64C7F68EE5FB922BD2AFE23D77ACD608FE06E777CA45F61F9446332F6815AED2E4E7E88EE60E61D1A97773D8E7ABD82DB4B844E4969C497C9734E81AF9
Malicious: false
                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="391966" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process: C:\Users\user\AppData\Roaming\jsc.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 135
Entropy (8bit): 5.045303121991894
Encrypted: false
SSDEEP: 3:QHXMKa/xwwUCztJXILKNUhh+9Am12MFuAvOAsDeieVyn:Q3La/xwczfIWW+P12MUAvvrs
MD5: BB527FDBC763485B0662FCCFD53AA00A
SHA1: 86438ECBAF308B24FA264C7B6ECECDABD1338DC0
SHA-256: 6158C0B5B794617AAD8DA6D671FEF9EDE9CAB2AA9A9FAD91D038739DFF5CEDBD
SHA-512: 2003E36806330552D7DD5E633F24A67F2F4226C12EE43A6F79BB709727DD52910CA5EAF336F9C1E5733C66BC3075CA24CACA19D086BE373B76AA08D3FA818106
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.JScript, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 2232
Entropy (8bit): 5.37859781817162
Encrypted: false
SSDEEP: 48:YWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugeC/ZPUyus:YLHxvIIwLgZ2KRHWLOug8s
MD5: 0ACE1C093CB85EC8561B8A88F7DBFD99
SHA1: B0E8DE45C30A21616C84C5E0C2BD38D8C8AE8980
SHA-256: 16F9B3794D78E82B7C5EDC6BDDCF2844115147AB8023C4BEBE48EE2BB4FDEBF8
SHA-512: 2F28BCD8D021008FC920D10F86F53F7780280C29B7014A6E13CD430FBBC7CCEA3989E9FA334C45B1D2EC5E2C8D2D7F01A2B28A56DC18213C88E4358A1E8C1FFA
Malicious: false
                                      Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 41
Entropy (8bit): 3.7195394315431693
Encrypted: false
SSDEEP: 3:rRSFYJKXzovNsr4rNrn:EFYJKDoWrcBn
MD5: 0DB526D48DAB0E640663E4DC0EFE82BA
SHA1: 17AC435DAFEA6FF9F4D6F83FA6C54F9800F43724
SHA-256: 934290A76F9E1804069D8ED6515B14101D9D8ABA2EACBF5B260F59941C65340E
SHA-512: FACD013E1B5B8163214CA8C3A18ADEEC3541153CD69240EEFA76DDD54809186E919C1D635AEA648A8641DE7C3216BEC11C41F04719B60F07EDFDC01FF79027B9
Malicious: false
Preview: ....### explorer ###..[WIN]r[WIN]r[WIN]r
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Jul 1 14:28:10 2024, mtime=Mon Jul 1 14:28:11 2024, atime=Mon Jul 1 14:28:11 2024, length=47584, window=hide
                                      Category:dropped
                                      Size (bytes):744
                                      Entropy (8bit):5.129458032686378
                                      Encrypted:false
                                      SSDEEP:12:8IUKy4SQN+2Chyi1Y//LaDjLAewTQJjAsSNHiCzDQJnQJzBmV:8I42V9E3PwEtAsEz0JQJtm
                                      MD5:58423637393B6F7D0C7A69E1AD408390
                                      SHA1:65E05B286586285F12BE51D2F6E789403BF1399F
                                      SHA-256:B04E307A12D96205951F0D7CE6B01366EECEC9D550F434953CC1C430029808D4
                                      SHA-512:5A07941D8DE30A94C82670B794BAD121F67F075F04092A41520EE7CA7CF82A8060099BB22BC37C0E04473BC2F6C7022DDD527EDAF795D68EFEBAF4EEBA0A32A2
                                      Malicious:false
                                      Preview:L..................F.... ......G......{H......{H...........................j.:..DG..Yr?.D..U..k0.&...&......Qg.*_...}.#.....@#~H........t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=.X.{..........................3*N.A.p.p.D.a.t.a...B.V.1......X.m..Roaming.@......EW.=.X.m..........................5...R.o.a.m.i.n.g.....V.2.....X.{ .jsc.exe.@.......X.{.X.{....)......................MA.j.s.c...e.x.e.......Y...............-.......X...........$w.m.....C:\Users\user\AppData\Roaming\jsc.exe........\.....\.....\.....\.....\.j.s.c...e.x.e.`.......X.......376483...........hT..CrF.f4... .U../Tc...,......hT..CrF.f4... .U../Tc...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):47584
                                      Entropy (8bit):6.391877602293662
                                      Encrypted:false
                                      SSDEEP:768:DeSZaMT79n3DwU8ZCM2o1QG/n29WERqqJaqW/P8+4W:DeoaElzEZ2fG/nmkK4s+4W
                                      MD5:94C8E57A80DFCA2482DEDB87B93D4FD9
                                      SHA1:5729E6C7D2F5AB760F0093B9D44F8AC0F876A803
                                      SHA-256:39E87F0EDCDD15582CFEFDFAB1975AADD2C7CA1E3A5F07B1146CE3206F401BB5
                                      SHA-512:1798A3607B2B94732B52DE51D2748C86F9453343B6D8A417E98E65DDB38E9198CDCB2F45BF60823CB429B312466B28C5103C7588F2C4EF69FA27BFDB4F4C67DC
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Joe Sandbox View:
                                      • Filename: z9order.exe, Detection: malicious, Browse
                                      • Filename: Halkbank_Ekstre_20240626_0805893_4585894.xlxs.exe, Detection: malicious, Browse
                                      • Filename: hesaphareketi-01.pdf.exe, Detection: malicious, Browse
                                      • Filename: kSf9sIgyxl.exe, Detection: malicious, Browse
                                      • Filename: AUS5YMhYPA.exe, Detection: malicious, Browse
                                      • Filename: INQUIRY#46789_MAY24_PLANEX_SERVICES_CONTRACTING_GOODS.exe, Detection: malicious, Browse
                                      • Filename: DHL EXPRESS.exe, Detection: malicious, Browse
                                      • Filename: DHL EXPRESS.exe, Detection: malicious, Browse
                                      • Filename: SecuriteInfo.com.IL.Trojan.MSILZilla.114613.20476.19722.exe, Detection: malicious, Browse
                                      • Filename: AWB-Ref-#32122432 Pdf.exe, Detection: malicious, Browse
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....C.]..............0..n..........b.... ........@.. ..............................h.....`.....................................O....................x...A.......................................................... ............... ..H............text...hm... ...n.................. ..`.rsrc................p..............@..@.reloc...............v..............@..B................D.......H........D...8..........h}..p...........................................0...........(......}......}......}..... L...}......}......}......}.....s....}.....s....}.......s....}.......s....}.....s....}....r...p(......,...}....*.r...p}....*.0..........s......r...po.....r...po......(....o....s.....r...p..(...........( ...(!...o"...r!..po#...o$...t.......o.......#..rA..p..o%...(....(....(&...........*..........Tp.# .....(....*.0............}......}......}......}......}......}.....s
                                      Process:C:\Windows\System32\WerFault.exe
                                      File Type:MS Windows registry file, NT/2000 or above
                                      Category:dropped
                                      Size (bytes):1835008
                                      Entropy (8bit):4.417197918284012
                                      Encrypted:false
                                      SSDEEP:6144:3cifpi6ceLPL9skLmb0mcSWSPtaJG8nAgex285i2MMhA20X4WABlGuNw5+:si58cSWIZBk2MM6AFB6o
                                      MD5:4CEC9C00DD4D6538105E9C1948784FA7
                                      SHA1:5EDD61021297A8C3A5E527A9F54499FEEF255B20
                                      SHA-256:B8EF289D53CAB687B11EC616C42C2CB0A874EF76E451BD66169AC835B3212A50
                                      SHA-512:1DC795908ED72C7C0653A52F1560C455B00F1F98A4C1400BBDFB455162DD7EE9318AEF16919885841C13F0F4CE96730351A5E1D777A68AEF793C0B98AB14E5D7
                                      Malicious:false
                                      Preview:regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Roaming\jsc.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):2674
                                      Entropy (8bit):4.476202952399629
                                      Encrypted:false
                                      SSDEEP:48:zKQKcDlb/FmJ2WIH6l1esj3N71AwxlKK2ZuSI3VLukGTSHB2GbrA0t/kwM:zKQKcDB/FmJ2W+wj97SwxlKKgkGTg24w
                                      MD5:10BD8D8BDF561315C770518BB7221209
                                      SHA1:ED69B257D7793C49537F0E530EAA052F3D9B28E9
                                      SHA-256:B0E312B41391EE4A64D26F2B0E1BA54819D656B630F78CD7B4BB06D29387AA46
                                      SHA-512:BCE818E0DD8466BBCE9D022DB589DC3B31B0B7370A54AD3B8DA1300F4042636FAEBD312269E0AFBD28DC2E35B9F45F4F93768E43124E7B7F8C635D35B6C53A60
                                      Malicious:false
                                      Preview:Microsoft (R) JScript Compiler version 14.00.4084..for Microsoft (R) .NET Framework version 4.0.30319..Copyright (C) Microsoft Corporation. All rights reserved.....jsc [options] <source files> [[options] <source files>...].... JScript Compiler Options.... - OUTPUT FILES -.. /out:<file> Specify name of binary output file.. /t[arget]:exe Create a console application (default).. /t[arget]:winexe Create a windows application.. /t[arget]:library Create a library assembly.. /platform:<platform> Limit which platforms this code can run on; must be x86, Itanium, x64, or any cpu, which is the default.... - INPUT FILES -.. /autoref[+|-] Automatically reference assemblies based on imported namespaces and fully-qualified names (on by default).. /lib:<path> Specify additional directories to search in for references.. /r[eference]:<file list> Reference
                                      File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):4.651936379806183
                                      TrID:
                                      • Win64 Executable GUI (202006/5) 92.65%
                                      • Win64 Executable (generic) (12005/4) 5.51%
                                      • Generic Win/DOS Executable (2004/3) 0.92%
                                      • DOS Executable Generic (2002/1) 0.92%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:3SBlY301oa.exe
                                      File size:1'974'292 bytes
                                      MD5:f5b72b219b9dc802075066951e0f5aad
                                      SHA1:5d475b00153f3bd0d16010ebd5c5aba656455552
                                      SHA256:b1027ba8039c64d6887daa9ef2f97438ebfa2f6877e2158680c01b326bdc76c9
                                      SHA512:754ace2e865ce9199eff860ffff7d72e42e72864ee055173d8b86961d48dc5858c156811eb309c79d428b1b3ab2ac503de25fa7a93624fe68730b5e508a9e154
                                      SSDEEP:6144:57N5lBaoSYS15AN5qev787IieFFyCoxTuFl7oTWuS/38EOL/Xmae0v6lthr0:/kofS1uNoeHVPFlsTk38XyaF63hY
                                      TLSH:11951292364F1D2BFE90493AC6E572F268FD2E2735F61A5FCF900C4864921BC11666F2
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....Y............"...0.P:............... ....@...... ....................................`................................
                                      Icon Hash:00928e8e8686b000
                                      Entrypoint:0x400000
                                      Entrypoint Section:
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x9B9359DD [Mon Sep 16 18:47:57 2052 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:
                                      Instruction
                                      dec ebp
                                      pop edx
                                      nop
                                      add byte ptr [ebx], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax+eax], al
                                      add byte ptr [eax], al
                                      Name | Virtual Address | Virtual Size | Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x99c | .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x5a34 | 0x1c | .text
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                      .text | 0x2000 | 0x3a50 | 0x3c00 | 2dcbf5312b0a8043cff4db385af28efc | False | 0.6322265625 | data | 6.113831039350694 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                      .rsrc | 0x6000 | 0x99c | 0xa00 | ba9a49f79cbbc830461bbf85f5410b13 | False | 0.306640625 | data | 4.266932402351611 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                      RT_VERSION | 0x60b8 | 0x37c | data | | | 0.4854260089686099
                                      RT_VERSION | 0x6434 | 0x37c | data | English | United States | 0.4876681614349776
                                      RT_MANIFEST | 0x67b0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                      Language of compilation system | Country where language is spoken | Map
                                      English | United States |
                                      Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                      07/01/24-15:46:50.785433 | TCP | 2853193 | ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound | 49756 | 1556 | 192.168.2.7 | 78.159.112.6
                                      07/01/24-15:45:41.295408 | TCP | 2855924 | ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound | 49743 | 1556 | 192.168.2.7 | 78.159.112.6
                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Jul 1, 2024 15:44:27.079025984 CEST | 49716 | 1556 | 192.168.2.7 | 78.159.112.6
                                      Jul 1, 2024 15:44:27.083944082 CEST | 1556 | 49716 | 78.159.112.6 | 192.168.2.7
                                      Jul 1, 2024 15:44:27.084019899 CEST | 49716 | 1556 | 192.168.2.7 | 78.159.112.6
                                      Jul 1, 2024 15:44:27.173310995 CEST | 49716 | 1556 | 192.168.2.7 | 78.159.112.6
                                      Jul 1, 2024 15:44:27.178311110 CEST | 1556 | 49716 | 78.159.112.6 | 192.168.2.7
                                      Jul 1, 2024 15:44:28.887016058 CEST | 1556 | 49716 | 78.159.112.6 | 192.168.2.7
                                      Jul 1, 2024 15:44:28.887092113 CEST | 49716 | 1556 | 192.168.2.7 | 78.159.112.6
                                      Jul 1, 2024 15:44:30.390983105 CEST | 49716 | 1556 | 192.168.2.7 | 78.159.112.6
                                      Jul 1, 2024 15:44:30.393085957 CEST | 49719 | 1556 | 192.168.2.7 | 78.159.112.6
                                      Jul 1, 2024 15:44:30.396686077 CEST | 1556 | 49716 | 78.159.112.6 | 192.168.2.7
                                      Jul 1, 2024 15:44:30.398051023 CEST | 1556 | 49719 | 78.159.112.6 | 192.168.2.7
                                      Jul 1, 2024 15:44:30.398135900 CEST | 49719 | 1556 | 192.168.2.7 | 78.159.112.6
                                      Jul 1, 2024 15:44:30.444051981 CEST | 49719 | 1556 | 192.168.2.7 | 78.159.112.6
                                      Jul 1, 2024 15:44:30.448988914 CEST | 1556 | 49719 | 78.159.112.6 | 192.168.2.7
                                      Jul 1, 2024 15:44:32.233891964 CEST | 1556 | 49719 | 78.159.112.6 | 192.168.2.7
                                      Jul 1, 2024 15:44:32.240144014 CEST | 49719 | 1556 | 192.168.2.7 | 78.159.112.6
                                      Jul 1, 2024 15:44:35.182897091 CEST | 49719 | 1556 | 192.168.2.7 | 78.159.112.6
                                      Jul 1, 2024 15:44:35.184175968 CEST | 49720 | 1556 | 192.168.2.7 | 78.159.112.6
                                      Jul 1, 2024 15:44:35.187771082 CEST | 1556 | 49719 | 78.159.112.6 | 192.168.2.7
                                      Jul 1, 2024 15:44:35.189002991 CEST | 1556 | 49720 | 78.159.112.6 | 192.168.2.7
                                      Jul 1, 2024 15:44:35.189080954 CEST | 49720 | 1556 | 192.168.2.7 | 78.159.112.6
                                      Jul 1, 2024 15:44:35.201462030 CEST | 49720 | 1556 | 192.168.2.7 | 78.159.112.6
                                      Jul 1, 2024 15:44:35.206270933 CEST | 1556 | 49720 | 78.159.112.6 | 192.168.2.7
                                      Jul 1, 2024 15:44:36.825143099 CEST | 1556 | 49720 | 78.159.112.6 | 192.168.2.7
                                      Jul 1, 2024 15:44:36.825275898 CEST | 49720 | 1556 | 192.168.2.7 | 78.159.112.6
                                      Jul 1, 2024 15:44:39.792267084 CEST | 49720 | 1556 | 192.168.2.7 | 78.159.112.6
                                      Jul 1, 2024 15:44:39.793735027 CEST | 49721 | 1556 | 192.168.2.7 | 78.159.112.6
                                      Jul 1, 2024 15:44:39.797101974 CEST | 1556 | 49720 | 78.159.112.6 | 192.168.2.7
                                      Jul 1, 2024 15:44:39.798590899 CEST | 1556 | 49721 | 78.159.112.6 | 192.168.2.7
                                      Jul 1, 2024 15:44:39.798701048 CEST | 49721 | 1556 | 192.168.2.7 | 78.159.112.6
                                      Jul 1, 2024 15:44:39.809118032 CEST | 49721 | 1556 | 192.168.2.7 | 78.159.112.6
                                      Jul 1, 2024 15:44:39.813913107 CEST | 1556 | 49721 | 78.159.112.6 | 192.168.2.7
                                      Jul 1, 2024 15:44:41.436439991 CEST | 1556 | 49721 | 78.159.112.6 | 192.168.2.7
                                      Jul 1, 2024 15:44:41.436530113 CEST | 49721 | 1556 | 192.168.2.7 | 78.159.112.6
                                      Jul 1, 2024 15:44:44.511019945 CEST | 49721 | 1556 | 192.168.2.7 | 78.159.112.6
                                      Jul 1, 2024 15:44:44.512226105 CEST | 49722 | 1556 | 192.168.2.7 | 78.159.112.6
                                      Jul 1, 2024 15:44:44.823537111 CEST | 49721 | 1556 | 192.168.2.7 | 78.159.112.6
                                      Jul 1, 2024 15:44:44.855576038 CEST | 1556 | 49721 | 78.159.112.6 | 192.168.2.7
                                      Jul 1, 2024 15:44:44.855588913 CEST | 1556 | 49722 | 78.159.112.6 | 192.168.2.7
                                      Jul 1, 2024 15:44:44.855601072 CEST | 1556 | 49721 | 78.159.112.6 | 192.168.2.7
                                      Jul 1, 2024 15:44:44.855689049 CEST | 49722 | 1556 | 192.168.2.7 | 78.159.112.6
                                      Jul 1, 2024 15:44:44.855720043 CEST | 49721 | 1556 | 192.168.2.7 | 78.159.112.6
                                      Jul 1, 2024 15:44:44.866398096 CEST | 49722 | 1556 | 192.168.2.7 | 78.159.112.6
                                      Jul 1, 2024 15:44:44.872030020 CEST | 1556 | 49722 | 78.159.112.6 | 192.168.2.7
                                      Jul 1, 2024 15:44:46.497076988 CEST15564972278.159.112.6192.168.2.7
                                      Jul 1, 2024 15:44:46.497168064 CEST497221556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:44:48.370469093 CEST497221556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:44:48.372467041 CEST497231556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:44:48.375643969 CEST15564972278.159.112.6192.168.2.7
                                      Jul 1, 2024 15:44:48.377352953 CEST15564972378.159.112.6192.168.2.7
                                      Jul 1, 2024 15:44:48.377476931 CEST497231556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:44:48.387748957 CEST497231556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:44:48.392647982 CEST15564972378.159.112.6192.168.2.7
                                      Jul 1, 2024 15:44:50.052340984 CEST15564972378.159.112.6192.168.2.7
                                      Jul 1, 2024 15:44:50.052495956 CEST497231556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:44:52.839252949 CEST497231556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:44:52.840643883 CEST497241556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:44:52.844103098 CEST15564972378.159.112.6192.168.2.7
                                      Jul 1, 2024 15:44:52.845606089 CEST15564972478.159.112.6192.168.2.7
                                      Jul 1, 2024 15:44:52.845710039 CEST497241556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:44:52.856513023 CEST497241556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:44:52.877794981 CEST15564972478.159.112.6192.168.2.7
                                      Jul 1, 2024 15:44:54.514092922 CEST15564972478.159.112.6192.168.2.7
                                      Jul 1, 2024 15:44:54.514170885 CEST497241556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:44:57.917396069 CEST497241556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:44:57.918433905 CEST497261556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:44:58.229892969 CEST497241556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:44:58.237092018 CEST15564972478.159.112.6192.168.2.7
                                      Jul 1, 2024 15:44:58.237111092 CEST15564972678.159.112.6192.168.2.7
                                      Jul 1, 2024 15:44:58.237123966 CEST15564972478.159.112.6192.168.2.7
                                      Jul 1, 2024 15:44:58.237224102 CEST497261556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:44:58.237246037 CEST497241556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:44:58.247431040 CEST497261556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:44:58.259584904 CEST15564972678.159.112.6192.168.2.7
                                      Jul 1, 2024 15:44:59.932590961 CEST15564972678.159.112.6192.168.2.7
                                      Jul 1, 2024 15:44:59.936233044 CEST497261556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:01.901797056 CEST497261556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:01.903187037 CEST497271556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:01.906689882 CEST15564972678.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:01.907999039 CEST15564972778.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:01.908188105 CEST497271556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:01.918482065 CEST497271556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:01.923331976 CEST15564972778.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:03.565586090 CEST15564972778.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:03.565674067 CEST497271556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:05.933136940 CEST497271556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:05.934444904 CEST497291556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:05.941061974 CEST15564972778.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:05.941081047 CEST15564972978.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:05.941200972 CEST497291556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:05.952225924 CEST497291556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:05.957020998 CEST15564972978.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:07.990617037 CEST15564972978.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:07.990760088 CEST497291556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:07.990894079 CEST15564972978.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:07.990938902 CEST497291556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:08.714277029 CEST497291556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:08.715713978 CEST497301556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:08.719505072 CEST15564972978.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:08.720519066 CEST15564973078.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:08.720608950 CEST497301556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:08.733207941 CEST497301556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:08.738002062 CEST15564973078.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:10.395364046 CEST15564973078.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:10.395518064 CEST497301556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:12.026742935 CEST497301556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:12.027899027 CEST497311556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:12.031636000 CEST15564973078.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:12.032677889 CEST15564973178.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:12.032758951 CEST497311556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:12.042342901 CEST497311556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:12.047369957 CEST15564973178.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:13.689165115 CEST15564973178.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:13.689280033 CEST497311556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:13.901801109 CEST497311556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:13.903616905 CEST497321556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:13.906646013 CEST15564973178.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:13.908452034 CEST15564973278.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:13.908536911 CEST497321556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:13.929688931 CEST497321556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:13.934489012 CEST15564973278.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:15.562014103 CEST15564973278.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:15.562100887 CEST497321556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:17.058154106 CEST497321556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:17.060638905 CEST497331556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:17.063075066 CEST15564973278.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:17.068245888 CEST15564973378.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:17.068363905 CEST497331556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:17.080671072 CEST497331556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:17.085529089 CEST15564973378.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:18.737911940 CEST15564973378.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:18.737998962 CEST497331556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:18.901741982 CEST497331556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:18.902863979 CEST497341556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:18.906702995 CEST15564973378.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:18.907752037 CEST15564973478.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:18.907835007 CEST497341556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:18.917876959 CEST497341556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:18.922662973 CEST15564973478.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:20.564233065 CEST15564973478.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:20.564311981 CEST497341556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:20.683571100 CEST497341556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:20.685321093 CEST497351556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:20.688812017 CEST15564973478.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:20.690141916 CEST15564973578.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:20.690262079 CEST497351556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:20.703469038 CEST497351556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:20.708820105 CEST15564973578.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:22.365011930 CEST15564973578.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:22.365133047 CEST497351556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:22.745651007 CEST497351556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:22.747450113 CEST497361556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:22.783488035 CEST15564973578.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:22.783515930 CEST15564973678.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:22.783643961 CEST497361556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:22.794158936 CEST497361556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:22.801795959 CEST15564973678.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:24.439553976 CEST15564973678.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:24.439646006 CEST497361556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:24.908466101 CEST497361556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:24.911046982 CEST497371556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:24.923402071 CEST15564973678.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:24.926323891 CEST15564973778.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:24.926424980 CEST497371556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:24.938134909 CEST497371556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:24.949575901 CEST15564973778.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:26.579116106 CEST15564973778.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:26.579194069 CEST497371556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:26.714375019 CEST497371556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:26.720768929 CEST15564973778.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:27.342840910 CEST497391556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:27.348098040 CEST15564973978.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:27.348192930 CEST497391556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:27.358378887 CEST497391556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:27.364517927 CEST15564973978.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:29.005672932 CEST15564973978.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:29.005768061 CEST497391556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:29.060966969 CEST497391556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:29.063317060 CEST497401556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:29.065855026 CEST15564973978.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:29.068222046 CEST15564974078.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:29.068299055 CEST497401556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:29.098993063 CEST497401556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:29.112185955 CEST15564974078.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:30.734340906 CEST15564974078.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:30.736321926 CEST497401556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:30.736645937 CEST497401556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:30.738869905 CEST497411556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:30.741391897 CEST15564974078.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:30.743686914 CEST15564974178.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:30.743765116 CEST497411556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:30.753915071 CEST497411556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:30.758867979 CEST15564974178.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:32.392047882 CEST15564974178.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:32.392142057 CEST497411556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:36.042484999 CEST497411556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:36.045967102 CEST497421556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:36.047733068 CEST15564974178.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:36.050911903 CEST15564974278.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:36.051034927 CEST497421556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:36.082113981 CEST497421556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:36.087294102 CEST15564974278.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:37.701201916 CEST15564974278.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:37.701298952 CEST497421556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:41.105032921 CEST497421556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:41.108053923 CEST497431556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:41.110198021 CEST15564974278.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:41.112983942 CEST15564974378.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:41.113209009 CEST497431556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:41.153130054 CEST497431556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:41.159068108 CEST15564974378.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:41.295408010 CEST497431556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:41.300653934 CEST15564974378.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:42.768524885 CEST15564974378.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:42.772327900 CEST497431556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:46.308274984 CEST497431556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:46.313612938 CEST15564974378.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:46.318396091 CEST497441556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:46.323345900 CEST15564974478.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:46.323437929 CEST497441556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:46.412856102 CEST497441556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:46.417860031 CEST15564974478.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:46.667706966 CEST497441556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:46.864816904 CEST15564974478.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:47.480160952 CEST497441556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:47.485344887 CEST15564974478.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:47.970530033 CEST15564974478.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:47.972345114 CEST497441556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:51.605354071 CEST497441556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:51.606700897 CEST497451556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:51.610308886 CEST15564974478.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:51.611546993 CEST15564974578.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:51.611615896 CEST497451556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:51.638427019 CEST497451556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:51.643603086 CEST15564974578.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:53.268085003 CEST15564974578.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:53.268143892 CEST497451556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:57.230007887 CEST497451556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:57.233670950 CEST497461556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:57.234955072 CEST15564974578.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:57.238574028 CEST15564974678.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:57.238662004 CEST497461556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:57.337069988 CEST497461556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:45:57.341984034 CEST15564974678.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:58.873528957 CEST15564974678.159.112.6192.168.2.7
                                      Jul 1, 2024 15:45:58.873611927 CEST497461556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:46:02.480081081 CEST497461556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:46:02.482690096 CEST497471556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:46:02.485255003 CEST15564974678.159.112.6192.168.2.7
                                      Jul 1, 2024 15:46:02.487636089 CEST15564974778.159.112.6192.168.2.7
                                      Jul 1, 2024 15:46:02.492362022 CEST497471556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:46:02.532728910 CEST497471556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:46:02.537913084 CEST15564974778.159.112.6192.168.2.7
                                      Jul 1, 2024 15:46:03.464010000 CEST497471556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:46:03.469858885 CEST15564974778.159.112.6192.168.2.7
                                      Jul 1, 2024 15:46:03.874742031 CEST497471556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:46:03.879908085 CEST15564974778.159.112.6192.168.2.7
                                      Jul 1, 2024 15:46:04.143187046 CEST15564974778.159.112.6192.168.2.7
                                      Jul 1, 2024 15:46:04.143250942 CEST497471556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:46:08.402019978 CEST497471556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:46:08.403459072 CEST497481556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:46:08.407128096 CEST15564974778.159.112.6192.168.2.7
                                      Jul 1, 2024 15:46:08.408359051 CEST15564974878.159.112.6192.168.2.7
                                      Jul 1, 2024 15:46:08.408543110 CEST497481556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:46:08.438798904 CEST497481556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:46:08.444772959 CEST15564974878.159.112.6192.168.2.7
                                      Jul 1, 2024 15:46:08.733872890 CEST497481556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:46:08.738838911 CEST15564974878.159.112.6192.168.2.7
                                      Jul 1, 2024 15:46:08.932298899 CEST497481556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:46:08.937283039 CEST15564974878.159.112.6192.168.2.7
                                      Jul 1, 2024 15:46:09.995783091 CEST497481556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:46:10.000652075 CEST15564974878.159.112.6192.168.2.7
                                      Jul 1, 2024 15:46:10.092128038 CEST15564974878.159.112.6192.168.2.7
                                      Jul 1, 2024 15:46:10.092343092 CEST497481556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:46:13.667804003 CEST497481556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:46:13.671952009 CEST497491556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:46:13.672740936 CEST15564974878.159.112.6192.168.2.7
                                      Jul 1, 2024 15:46:13.677006006 CEST15564974978.159.112.6192.168.2.7
                                      Jul 1, 2024 15:46:13.677150965 CEST497491556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:46:13.706228018 CEST497491556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:46:13.711126089 CEST15564974978.159.112.6192.168.2.7
                                      Jul 1, 2024 15:46:14.882880926 CEST497491556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:46:14.887713909 CEST15564974978.159.112.6192.168.2.7
                                      Jul 1, 2024 15:46:15.330153942 CEST15564974978.159.112.6192.168.2.7
                                      Jul 1, 2024 15:46:15.330219030 CEST497491556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:46:19.058357954 CEST497491556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:46:19.063196898 CEST15564974978.159.112.6192.168.2.7
                                      Jul 1, 2024 15:46:19.064168930 CEST497501556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:46:19.069124937 CEST15564975078.159.112.6192.168.2.7
                                      Jul 1, 2024 15:46:19.069209099 CEST497501556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:46:19.204005003 CEST497501556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:46:19.210180044 CEST15564975078.159.112.6192.168.2.7
                                      Jul 1, 2024 15:46:20.477957964 CEST497501556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:46:20.482855082 CEST15564975078.159.112.6192.168.2.7
                                      Jul 1, 2024 15:46:20.718513012 CEST15564975078.159.112.6192.168.2.7
                                      Jul 1, 2024 15:46:20.718589067 CEST497501556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:46:24.232294083 CEST497501556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:46:24.233891964 CEST497511556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:46:24.237333059 CEST15564975078.159.112.6192.168.2.7
                                      Jul 1, 2024 15:46:24.238851070 CEST15564975178.159.112.6192.168.2.7
                                      Jul 1, 2024 15:46:24.238957882 CEST497511556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:46:24.343533039 CEST497511556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:46:24.348797083 CEST15564975178.159.112.6192.168.2.7
                                      Jul 1, 2024 15:46:24.530944109 CEST497511556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:46:24.535948038 CEST15564975178.159.112.6192.168.2.7
                                      Jul 1, 2024 15:46:24.639694929 CEST497511556192.168.2.778.159.112.6
                                      Jul 1, 2024 15:46:24.644573927 CEST15564975178.159.112.6192.168.2.7
                                      Jul 1, 2024 15:46:24.645677090 CEST497511556192.168.2.778.159.112.6
Jul 1, 2024 15:46:24.650451899 CEST | 1556 | 49751 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:24.699253082 CEST | 49751 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:24.704113960 CEST | 1556 | 49751 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:25.891463995 CEST | 1556 | 49751 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:25.892350912 CEST | 49751 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:29.714935064 CEST | 49751 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:29.719978094 CEST | 1556 | 49751 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:29.844006062 CEST | 49752 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:29.850411892 CEST | 1556 | 49752 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:29.850943089 CEST | 49752 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:29.901190996 CEST | 49752 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:29.910473108 CEST | 1556 | 49752 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:30.713623047 CEST | 49752 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:30.719414949 CEST | 1556 | 49752 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:31.501121044 CEST | 1556 | 49752 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:31.501265049 CEST | 49752 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:34.996000051 CEST | 49752 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:34.998045921 CEST | 49753 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:35.000888109 CEST | 1556 | 49752 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:35.002857924 CEST | 1556 | 49753 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:35.002943993 CEST | 49753 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:35.029988050 CEST | 49753 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:35.034857035 CEST | 1556 | 49753 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:36.301177979 CEST | 49753 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:36.306082010 CEST | 1556 | 49753 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:36.658821106 CEST | 1556 | 49753 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:36.658900976 CEST | 49753 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:40.058825970 CEST | 49753 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:40.061703920 CEST | 49754 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:40.064784050 CEST | 1556 | 49753 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:40.068172932 CEST | 1556 | 49754 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:40.070614100 CEST | 49754 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:40.258312941 CEST | 49754 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:40.263217926 CEST | 1556 | 49754 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:40.512862921 CEST | 49754 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:40.518811941 CEST | 1556 | 49754 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:40.791117907 CEST | 49754 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:40.796093941 CEST | 1556 | 49754 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:41.753314018 CEST | 1556 | 49754 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:41.756452084 CEST | 49754 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:45.292707920 CEST | 49754 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:45.294382095 CEST | 49755 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:45.297610044 CEST | 1556 | 49754 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:45.299207926 CEST | 1556 | 49755 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:45.299279928 CEST | 49755 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:45.323631048 CEST | 49755 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:45.328496933 CEST | 1556 | 49755 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:46.531234980 CEST | 49755 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:46.536159992 CEST | 1556 | 49755 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:46.588711023 CEST | 49755 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:46.593636990 CEST | 1556 | 49755 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:46.682112932 CEST | 49755 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:46.687614918 CEST | 1556 | 49755 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:46.833867073 CEST | 49755 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:46.838936090 CEST | 1556 | 49755 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:46.939027071 CEST | 1556 | 49755 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:46.939104080 CEST | 49755 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:50.402101994 CEST | 49755 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:50.403369904 CEST | 49756 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:50.407146931 CEST | 1556 | 49755 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:50.408221006 CEST | 1556 | 49756 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:50.408301115 CEST | 49756 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:50.448972940 CEST | 49756 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:50.453982115 CEST | 1556 | 49756 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:50.785433054 CEST | 49756 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:50.790410042 CEST | 1556 | 49756 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:50.918425083 CEST | 49756 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:50.923492908 CEST | 1556 | 49756 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:51.371742964 CEST | 49756 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:51.376629114 CEST | 1556 | 49756 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:51.829523087 CEST | 49756 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:51.834450960 CEST | 1556 | 49756 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:52.067703962 CEST | 1556 | 49756 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:52.068073034 CEST | 49756 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:55.574075937 CEST | 49756 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:55.578422070 CEST | 49757 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:55.980330944 CEST | 49756 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:56.095840931 CEST | 1556 | 49756 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:56.095854044 CEST | 1556 | 49757 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:56.095882893 CEST | 1556 | 49756 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:56.096013069 CEST | 49757 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:56.096048117 CEST | 49756 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:56.244347095 CEST | 49757 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:56.249176979 CEST | 1556 | 49757 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:56.448398113 CEST | 49757 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:56.453246117 CEST | 1556 | 49757 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:56.721724033 CEST | 49757 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:56.728907108 CEST | 1556 | 49757 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:57.101849079 CEST | 49757 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:57.106750965 CEST | 1556 | 49757 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:57.797900915 CEST | 1556 | 49757 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:57.798024893 CEST | 49757 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:01.324055910 CEST | 49757 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:01.325803995 CEST | 49758 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:01.329056025 CEST | 1556 | 49757 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:01.330763102 CEST | 1556 | 49758 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:01.330837965 CEST | 49758 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:01.356040001 CEST | 49758 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:01.360984087 CEST | 1556 | 49758 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:01.390722990 CEST | 49758 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:01.395587921 CEST | 1556 | 49758 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:02.986012936 CEST | 1556 | 49758 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:02.986284018 CEST | 49758 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:06.371059895 CEST | 49758 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:06.372910023 CEST | 49759 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:06.376022100 CEST | 1556 | 49758 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:06.377743006 CEST | 1556 | 49759 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:06.377825975 CEST | 49759 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:06.416369915 CEST | 49759 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:06.421356916 CEST | 1556 | 49759 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:07.697415113 CEST | 49759 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:07.703263998 CEST | 1556 | 49759 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:08.066800117 CEST | 1556 | 49759 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:08.066881895 CEST | 49759 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:11.871042967 CEST | 49759 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:11.874969959 CEST | 49760 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:11.875967979 CEST | 1556 | 49759 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:11.879857063 CEST | 1556 | 49760 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:11.879924059 CEST | 49760 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:11.925949097 CEST | 49760 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:11.930807114 CEST | 1556 | 49760 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:13.533082008 CEST | 1556 | 49760 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:13.533139944 CEST | 49760 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:17.042876959 CEST | 49760 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:17.044909954 CEST | 49761 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:17.047691107 CEST | 1556 | 49760 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:17.049712896 CEST | 1556 | 49761 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:17.049880028 CEST | 49761 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:17.126867056 CEST | 49761 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:17.132343054 CEST | 1556 | 49761 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:17.607053995 CEST | 49761 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:17.611951113 CEST | 1556 | 49761 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:18.687916994 CEST | 1556 | 49761 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:18.688791990 CEST | 49761 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:22.183468103 CEST | 49761 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:22.185205936 CEST | 49762 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:22.188535929 CEST | 1556 | 49761 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:22.190114021 CEST | 1556 | 49762 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:22.190210104 CEST | 49762 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:22.210860968 CEST | 49762 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:22.215706110 CEST | 1556 | 49762 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:23.632652998 CEST | 49762 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:23.637602091 CEST | 1556 | 49762 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:23.780777931 CEST | 49762 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:23.785629034 CEST | 1556 | 49762 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:23.825747967 CEST | 49762 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:23.830620050 CEST | 1556 | 49762 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:23.849652052 CEST | 1556 | 49762 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:23.849770069 CEST | 49762 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:27.512049913 CEST | 49762 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:27.516927004 CEST | 1556 | 49762 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:27.516932964 CEST | 49763 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:27.521740913 CEST | 1556 | 49763 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:27.521821976 CEST | 49763 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:27.858366966 CEST | 49763 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:27.863235950 CEST | 1556 | 49763 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:27.874252081 CEST | 49763 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:27.879030943 CEST | 1556 | 49763 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:28.309214115 CEST | 49763 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:28.314225912 CEST | 1556 | 49763 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:28.347218990 CEST | 49763 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:28.352005959 CEST | 1556 | 49763 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:28.448607922 CEST | 49763 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:28.453389883 CEST | 1556 | 49763 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:28.730361938 CEST | 49763 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:28.735121965 CEST | 1556 | 49763 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:28.746498108 CEST | 49763 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:28.751272917 CEST | 1556 | 49763 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:29.187861919 CEST | 1556 | 49763 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:29.187931061 CEST | 49763 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:33.372040987 CEST | 49763 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:33.377816916 CEST | 1556 | 49763 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:33.499562025 CEST | 49764 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:33.504667997 CEST | 1556 | 49764 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:33.504738092 CEST | 49764 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:33.535490036 CEST | 49764 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:33.540368080 CEST | 1556 | 49764 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:33.708595991 CEST | 49764 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:33.713757038 CEST | 1556 | 49764 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:33.723225117 CEST | 49764 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:33.728104115 CEST | 1556 | 49764 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:34.654506922 CEST | 49764 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:34.659323931 CEST | 1556 | 49764 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:35.158869028 CEST | 1556 | 49764 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:35.164633989 CEST | 49764 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:39.232366085 CEST | 49764 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:39.237601042 CEST | 1556 | 49764 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:39.253715038 CEST | 49765 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:39.258826971 CEST | 1556 | 49765 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:39.260452032 CEST | 49765 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:39.451668024 CEST | 49765 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:39.456630945 CEST | 1556 | 49765 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:40.076622963 CEST | 49765 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:40.081509113 CEST | 1556 | 49765 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:40.910484076 CEST | 1556 | 49765 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:40.910568953 CEST | 49765 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:44.599200964 CEST | 49765 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:44.601164103 CEST | 49766 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:44.604113102 CEST | 1556 | 49765 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:44.606832027 CEST | 1556 | 49766 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:44.606919050 CEST | 49766 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:44.641300917 CEST | 49766 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:44.646064043 CEST | 1556 | 49766 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:45.018239021 CEST | 49766 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:45.023233891 CEST | 1556 | 49766 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:46.252535105 CEST | 1556 | 49766 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:46.252661943 CEST | 49766 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:50.261699915 CEST | 49766 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:50.264416933 CEST | 49767 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:50.386394024 CEST | 1556 | 49766 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:50.386404991 CEST | 1556 | 49767 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:50.386535883 CEST | 49767 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:50.455281973 CEST | 49767 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:50.460129976 CEST | 1556 | 49767 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:50.819112062 CEST | 49767 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:50.824948072 CEST | 1556 | 49767 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:51.051110983 CEST | 49767 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:51.055959940 CEST | 1556 | 49767 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:51.113770962 CEST | 49767 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:51.118752956 CEST | 1556 | 49767 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:51.136706114 CEST | 49767 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:51.141604900 CEST | 1556 | 49767 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:52.051229954 CEST | 1556 | 49767 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:52.051335096 CEST | 49767 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:56.277499914 CEST | 49767 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:56.280427933 CEST | 49768 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:56.283494949 CEST | 1556 | 49767 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:56.285217047 CEST | 1556 | 49768 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:56.285351038 CEST | 49768 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:56.436419964 CEST | 49768 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:56.451936960 CEST | 1556 | 49768 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:56.981897116 CEST | 49768 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:56.986663103 CEST | 1556 | 49768 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:57.052131891 CEST | 49768 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:57.057195902 CEST | 1556 | 49768 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:57.942502975 CEST | 1556 | 49768 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:47:57.944519043 CEST | 49768 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:48:01.465059042 CEST | 49768 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:48:01.466648102 CEST | 49769 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:48:01.470865011 CEST | 1556 | 49768 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:48:01.473206043 CEST | 1556 | 49769 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:48:01.473352909 CEST | 49769 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:48:01.521976948 CEST | 49769 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:48:01.526842117 CEST | 1556 | 49769 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:48:01.858220100 CEST | 49769 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:48:01.863044024 CEST | 1556 | 49769 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:48:02.564294100 CEST | 49769 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:48:02.569782019 CEST | 1556 | 49769 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:48:02.633069038 CEST | 49769 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:48:02.637916088 CEST | 1556 | 49769 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:48:02.726259947 CEST | 49769 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:48:02.731050968 CEST | 1556 | 49769 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:48:03.129606962 CEST | 1556 | 49769 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:48:03.129712105 CEST | 49769 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:48:06.964847088 CEST | 49769 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:48:06.966254950 CEST | 49770 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:48:06.970684052 CEST | 1556 | 49769 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:48:06.971955061 CEST | 1556 | 49770 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:48:06.972040892 CEST | 49770 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:48:07.006467104 CEST | 49770 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:48:07.012389898 CEST | 1556 | 49770 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:48:08.575144053 CEST | 49770 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:48:08.580116034 CEST | 1556 | 49770 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:48:08.612903118 CEST | 1556 | 49770 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:48:08.612951994 CEST | 49770 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:48:12.402360916 CEST | 49770 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:48:12.404994011 CEST | 49771 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:48:12.407196999 CEST | 1556 | 49770 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:48:12.409816980 CEST | 1556 | 49771 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:48:12.409908056 CEST | 49771 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:48:12.460640907 CEST | 49771 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:48:12.465507030 CEST | 1556 | 49771 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:48:14.047869921 CEST | 1556 | 49771 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:48:14.047983885 CEST | 49771 | 1556 | 192.168.2.7 | 78.159.112.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 1, 2024 15:44:26.966020107 CEST | 64754 | 53 | 192.168.2.7 | 1.1.1.1
Jul 1, 2024 15:44:27.076348066 CEST | 53 | 64754 | 1.1.1.1 | 192.168.2.7
Jul 1, 2024 15:45:26.715554953 CEST | 58724 | 53 | 192.168.2.7 | 1.1.1.1
Jul 1, 2024 15:45:27.342041969 CEST | 53 | 58724 | 1.1.1.1 | 192.168.2.7
Jul 1, 2024 15:46:29.716924906 CEST | 54031 | 53 | 192.168.2.7 | 1.1.1.1
Jul 1, 2024 15:46:29.840271950 CEST | 53 | 54031 | 1.1.1.1 | 192.168.2.7
Jul 1, 2024 15:47:33.372942924 CEST | 64354 | 53 | 192.168.2.7 | 1.1.1.1
Jul 1, 2024 15:47:33.498661995 CEST | 53 | 64354 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 1, 2024 15:44:26.966020107 CEST | 192.168.2.7 | 1.1.1.1 | 0xb09b | Standard query (0) | rwanco.duckdns.org | A (IP address) | IN (0x0001) | false
Jul 1, 2024 15:45:26.715554953 CEST | 192.168.2.7 | 1.1.1.1 | 0xf31b | Standard query (0) | rwanco.duckdns.org | A (IP address) | IN (0x0001) | false
Jul 1, 2024 15:46:29.716924906 CEST | 192.168.2.7 | 1.1.1.1 | 0x5d62 | Standard query (0) | rwanco.duckdns.org | A (IP address) | IN (0x0001) | false
Jul 1, 2024 15:47:33.372942924 CEST | 192.168.2.7 | 1.1.1.1 | 0xe25b | Standard query (0) | rwanco.duckdns.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 1, 2024 15:44:12.227207899 CEST | 1.1.1.1 | 192.168.2.7 | 0xb215 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 15:44:12.227207899 CEST | 1.1.1.1 | 192.168.2.7 | 0xb215 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 15:44:27.076348066 CEST | 1.1.1.1 | 192.168.2.7 | 0xb09b | No error (0) | rwanco.duckdns.org | | 78.159.112.6 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 15:45:27.342041969 CEST | 1.1.1.1 | 192.168.2.7 | 0xf31b | No error (0) | rwanco.duckdns.org | | 78.159.112.6 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 15:46:29.840271950 CEST | 1.1.1.1 | 192.168.2.7 | 0x5d62 | No error (0) | rwanco.duckdns.org | | 78.159.112.6 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 15:47:33.498661995 CEST | 1.1.1.1 | 192.168.2.7 | 0xe25b | No error (0) | rwanco.duckdns.org | | 78.159.112.6 | A (IP address) | IN (0x0001) | false
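The TCP and DNS tables above show a pattern worth scripting against: a fresh connection from 192.168.2.7 to 78.159.112.6:1556 roughly every five seconds, with the address obtained by re-resolving rwanco.duckdns.org about once a minute. The Python below is an added example, not part of the Joe Sandbox report or of the sample's own code. It reads rows in the delimited column order used in this report (TCP: Timestamp, Source Port, Dest Port, Source IP, Dest IP; DNS answers reduced to Name, Address), groups packets into flows, measures the interval between new connections to each responder, and flags responders whose resolved name sits under a dynamic-DNS suffix. The embedded sample rows are constructed from values in the excerpt; the function names and the suffix list are this example's own assumptions.

```python
"""Beacon and dynamic-DNS triage over report-style network tables.

Added example, not part of the Joe Sandbox report or of the sample. Column
order follows the report (TCP: Timestamp | Source Port | Dest Port | Source IP
| Dest IP; DNS answers reduced to Name | Address). Function names and the
dynamic-DNS suffix list are this example's own assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumption: a short list of dynamic-DNS suffixes often used as C2 rendezvous.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.com", "ddns.net", "hopto.org")

# Constructed sample: the first outbound packet of each 4975x connection in the
# excerpt above, plus two server replies to exercise the flow grouping.
TCP_ROWS = """\
Jul 1, 2024 15:46:24.699253082 CEST | 49751 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:24.704113960 CEST | 1556 | 49751 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:29.844006062 CEST | 49752 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:29.850411892 CEST | 1556 | 49752 | 78.159.112.6 | 192.168.2.7
Jul 1, 2024 15:46:34.998045921 CEST | 49753 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:40.061703920 CEST | 49754 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:45.294382095 CEST | 49755 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:50.403369904 CEST | 49756 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:46:55.578422070 CEST | 49757 | 1556 | 192.168.2.7 | 78.159.112.6
Jul 1, 2024 15:47:01.325803995 CEST | 49758 | 1556 | 192.168.2.7 | 78.159.112.6
"""

# Constructed sample from the DNS answer table: Name | Address.
DNS_ROWS = """\
bg.microsoft.map.fastly.net | 199.232.210.172
rwanco.duckdns.org | 78.159.112.6
"""


def parse_ts(text):
    """Parse 'Jul 1, 2024 15:46:24.699253082 CEST'. strptime's %f takes at most
    six fractional digits, so nanoseconds are trimmed to microseconds and the
    zone label is dropped (every row in one report shares the same zone)."""
    stamp, _zone = text.rsplit(" ", 1)
    head, frac = stamp.split(".")
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_rows(table, ncols):
    """Yield stripped cells for every '|'-delimited row with ncols columns."""
    for line in table.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) == ncols:
            yield cells


def connection_starts(tcp_table):
    """Return {(responder_ip, responder_port): [start_time, ...]}.

    Flows are keyed by their unordered endpoint pair and the source of the
    first packet seen is taken as the initiator. That is exact when the capture
    starts at the SYN; a trace cut mid-connection can mislabel the direction."""
    first = {}
    for ts, sport, dport, sip, dip in parse_rows(tcp_table, 5):
        key = frozenset({(sip, int(sport)), (dip, int(dport))})
        if key not in first:
            first[key] = (parse_ts(ts), (dip, int(dport)))
    starts = defaultdict(list)
    for when, responder in first.values():
        starts[responder].append(when)
    return starts


def beacon_profile(times, min_conns=5, max_jitter_ratio=0.2):
    """Median gap between successive connection starts and its worst deviation.
    Many reconnects at a steady interval with little jitter is the signature
    of a reconnect loop or heartbeat rather than user-driven traffic."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(times) < min_conns:
        return {"connections": len(times), "beacon": False}
    med = median(gaps)
    jitter = max(abs(g - med) for g in gaps)
    return {"connections": len(times), "median_interval_s": med,
            "max_jitter_s": jitter, "beacon": jitter <= max_jitter_ratio * med}


def names_for(dns_table):
    """Map each answered address to the set of names that resolved to it."""
    names = defaultdict(set)
    for name, addr in parse_rows(dns_table, 2):
        names[addr].add(name)
    return names


def is_dyndns(name):
    """True when name is a dynamic-DNS host (exact suffix or a label under it)."""
    return any(name == s or name.endswith("." + s) for s in DYNDNS_SUFFIXES)


def analyze(tcp_table=TCP_ROWS, dns_table=DNS_ROWS):
    """One finding per responder: beacon statistics, the names it was resolved
    from, and a dynamic-DNS flag if any of those names is a DDNS host."""
    names = names_for(dns_table)
    findings = []
    for (ip, port), times in connection_starts(tcp_table).items():
        f = beacon_profile(times)
        f["responder"] = f"{ip}:{port}"
        f["names"] = sorted(names.get(ip, ()))
        f["dynamic_dns"] = any(is_dyndns(n) for n in f["names"])
        findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in analyze():
        print(finding)
```

Run against the excerpt's rows this reports a single responder, 78.159.112.6:1556, with eight connection starts about 5.2 s apart, well within the jitter bound, resolved from rwanco.duckdns.org and therefore flagged as dynamic DNS. The direction heuristic is the part to watch on real captures: if the trace begins mid-session, as the first 49751 packets above do, feed the detector only rows from the SYN onward or key flows on a known server port instead.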

                                      Target ID:1
                                      Start time:09:44:07
                                      Start date:01/07/2024
                                      Path:C:\Users\user\Desktop\3SBlY301oa.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\Desktop\3SBlY301oa.exe"
                                      Imagebase:0x1a9bd5c0000
                                      File size:1'974'292 bytes
                                      MD5 hash:F5B72B219B9DC802075066951E0F5AAD
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.1537030307.000001A9BF5B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.1543708251.000001A9CF43B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000002.1543708251.000001A9CF43B000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.1537030307.000001A9BF28B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:3
                                      Start time:09:44:08
                                      Start date:01/07/2024
                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
                                      Imagebase:0x950000
                                      File size:47'584 bytes
                                      MD5 hash:94C8E57A80DFCA2482DEDB87B93D4FD9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.3783921795.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000002.3783921795.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                      Reputation:moderate
                                      Has exited:false

                                      Target ID:4
                                      Start time:09:44:08
                                      Start date:01/07/2024
                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                                      Wow64 process (32bit):
                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
                                      Imagebase:
                                      File size:47'584 bytes
                                      MD5 hash:94C8E57A80DFCA2482DEDB87B93D4FD9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:false

                                      Target ID:7
                                      Start time:09:44:08
                                      Start date:01/07/2024
                                      Path:C:\Windows\System32\WerFault.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\WerFault.exe -u -p 7544 -s 1000
                                      Imagebase:0x7ff7c73c0000
                                      File size:570'736 bytes
                                      MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:9
                                      Start time:09:44:12
                                      Start date:01/07/2024
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe'
                                      Imagebase:0xe90000
                                      File size:433'152 bytes
                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:10
                                      Start time:09:44:12
                                      Start date:01/07/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff75da10000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:12
                                      Start time:09:44:15
                                      Start date:01/07/2024
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'jsc.exe'
                                      Imagebase:0xe90000
                                      File size:433'152 bytes
                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:13
                                      Start time:09:44:15
                                      Start date:01/07/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff75da10000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:15
                                      Start time:09:44:18
                                      Start date:01/07/2024
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\jsc.exe'
                                      Imagebase:0xe90000
                                      File size:433'152 bytes
                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:16
                                      Start time:09:44:18
                                      Start date:01/07/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff75da10000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:20
                                      Start time:11:28:22
                                      Start date:01/07/2024
                                      Path:C:\Users\user\AppData\Roaming\jsc.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\jsc.exe"
                                      Imagebase:0x2d0000
                                      File size:47'584 bytes
                                      MD5 hash:94C8E57A80DFCA2482DEDB87B93D4FD9
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 0%, ReversingLabs
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:21
                                      Start time:11:28:22
                                      Start date:01/07/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff75da10000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:22
                                      Start time:11:28:30
                                      Start date:01/07/2024
                                      Path:C:\Users\user\AppData\Roaming\jsc.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\jsc.exe"
                                      Imagebase:0x3d0000
                                      File size:47'584 bytes
                                      MD5 hash:94C8E57A80DFCA2482DEDB87B93D4FD9
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:23
                                      Start time:11:28:30
                                      Start date:01/07/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff75da10000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

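The process tree above shows a repeatable evasion chain: the dropper starts the .NET JScript compiler jsc.exe with no arguments, three 32-bit PowerShell instances run `-ExecutionPolicy Bypass Add-MpPreference` to exclude the compiler's path, its process name and a copy under %AppData%, and that copy is later executed from the user profile. The following triage script is an added example and not part of the Joe Sandbox report: it parses the report's own `Key:Value` process blocks (a hand-copied subset is embedded as constructed input) and raises a finding for each step of that chain. The rule names, the `DOTNET_HOSTS` watchlist and the ordering logic are editorial assumptions, not data from the report.

```python
"""Added example: triage rules over the process tree of this Joe Sandbox report.

Parses the report's "Key:Value" process blocks and flags the evasion chain
visible in the tree: PowerShell adding Defender exclusions, a .NET SDK compiler
started with no arguments (payload host), and a copy of that compiler run from
the user profile after it was excluded.
"""
import re
from pathlib import PureWindowsPath

# Constructed input: a hand-copied subset of the report's process blocks,
# in the report's own layout (one blank line between processes).
REPORT = r"""
Target ID:3
Start time:09:44:08
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

Target ID:9
Start time:09:44:12
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe'

Target ID:12
Start time:09:44:15
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'jsc.exe'

Target ID:15
Start time:09:44:18
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\jsc.exe'

Target ID:20
Start time:11:28:22
Path:C:\Users\user\AppData\Roaming\jsc.exe
Commandline:"C:\Users\user\AppData\Roaming\jsc.exe"
"""

# Add-/Set-MpPreference exclusion with a quoted or bare (possibly comma-separated) argument.
EXCLUSION_RE = re.compile(
    r"(?:Add|Set)-MpPreference\s+-Exclusion(?P<kind>Path|Process|Extension)\s+"
    r"(?:(?P<q>['\"])(?P<quoted>[^'\"]+)(?P=q)|(?P<bare>\S+))", re.IGNORECASE)
# -ExecutionPolicy Bypass and the abbreviations PowerShell accepts (-ep, -ex, -exec ...).
BYPASS_RE = re.compile(r"-e(?:p|x\w*)\s+bypass", re.IGNORECASE)
# Editorial watchlist (assumption, not from the report): .NET Framework SDK tools that do
# nothing useful without arguments and are commonly used to host injected payloads.
DOTNET_HOSTS = {"jsc.exe", "vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe",
                "installutil.exe", "msbuild.exe", "applaunch.exe"}


def parse_processes(text):
    """One dict per blank-line-separated block of 'Key:Value' lines."""
    procs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, val = line.partition(":")      # split on the first colon only
            if sep:
                rec[key.strip()] = val.strip()
        if "Target ID" in rec:
            procs.append(rec)
    return procs


def split_cmdline(cmd):
    """Return (image, arguments) for a quoted or bare image path."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))\s*(.*)', cmd, re.S)
    return ((m.group(1) or m.group(2)), m.group(3).strip()) if m else ("", "")


def triage(procs):
    """Return (target id, rule, detail) findings in start-time order."""
    findings, exclusions = [], {}            # exclusions: excluded path/name -> target id
    system_names = {PureWindowsPath(p["Path"]).name.lower() for p in procs
                    if p["Path"].lower().startswith("c:\\windows\\")}
    for p in sorted(procs, key=lambda r: (r.get("Start time", ""), int(r["Target ID"]))):
        tid, path, cmd = int(p["Target ID"]), p["Path"], p.get("Commandline", "")
        name, (_, args) = PureWindowsPath(path).name.lower(), split_cmdline(cmd)
        if m := EXCLUSION_RE.search(cmd):
            targets = [t.strip() for t in (m.group("quoted") or m.group("bare")).split(",")]
            exclusions.update((t.lower(), tid) for t in targets)
            findings.append((tid, "defender-exclusion", f"{m.group('kind')}: " + ", ".join(targets)))
        if BYPASS_RE.search(cmd):
            findings.append((tid, "execution-policy-bypass", cmd))
        if name in DOTNET_HOSTS and not args:
            findings.append((tid, "dotnet-host-no-args", path))
        if "\\appdata\\" in path.lower() and name in system_names:
            findings.append((tid, "system-name-in-user-profile", path))
        hits = [k for k in (path.lower(), name) if k in exclusions]   # excluded before it ran
        if hits:
            findings.append((tid, "runs-under-prior-exclusion",
                             ", ".join(f"{k} (target {exclusions[k]})" for k in hits)))
    return findings


if __name__ == "__main__":
    for tid, rule, detail in triage(parse_processes(REPORT)):
        print(f"target {tid:>2}  {rule:<28} {detail}")
```

Run as-is it reports targets 9, 12 and 15 for the exclusion and policy bypass, targets 3 and 20 for an argument-less jsc.exe, and target 20 additionally for running a Windows binary name from the user profile under an exclusion that targets 12 and 15 created earlier. The same rules apply unchanged to Sysmon Event ID 1 or Security 4688 records once Image, CommandLine and UtcTime are mapped onto the Path, Commandline and Start time keys. The System32/SysWOW64 mismatch between the command line and the on-disk path of the PowerShell instances is WOW64 file-system redirection of a 32-bit caller and is not treated as a finding here.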

                                        Execution Graph

                                        Execution Coverage:9.2%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:3
                                        Total number of Limit Nodes:0
                                        Execution graph nodes and edges:
                                        • Node 17204: 0x7ffaab79314a -> 17205
                                        • Node 17205: 0x7ffaab793159, calls VirtualProtect -> 17207
                                        • Node 17207: 0x7ffaab793231

                                        Control-flow Graph

                                        Function at 0x7ffaab798720 (graph not reproduced in text). Callees visible in the graph: 0x7ffaab798700 (several call sites), 0x7ffaab798728, 0x7ffaab798768, 0x7ffaab798f38, 0x7ffaab794748, 0x7ffaab794760, 0x7ffaab794810, 0x7ffaab790248, 0x7ffaab7919f0, 0x7ffaab799160, 0x7ffaab79b110.
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1553546105.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffaab790000_3SBlY301oa.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 6g$6g$6g$0#q$0#q$0#q$>R_E$x!q
                                        • API String ID: 0-2017755313
                                        • Opcode ID: 475943d04d27fc4f287cc9e3f77a5f89c12912c5a41b6823db4c9dbb556fed15
                                        • Instruction ID: 247735993252e88f87be10cd4771793ad50bc6193bd19e2b58035259fd8ff1f7
                                        • Opcode Fuzzy Hash: 475943d04d27fc4f287cc9e3f77a5f89c12912c5a41b6823db4c9dbb556fed15
                                        • Instruction Fuzzy Hash: C0520830A0AA098FDBA8DF2CD455A797BE1EF56340F1041BDE44EC72B2DE65EC468781
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1553546105.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffaab790000_3SBlY301oa.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: M_L$)M_H$0#q$0#q$X:k
                                        • API String ID: 0-2209140786
                                        • Opcode ID: eaa47a1766a2f0b547df49ecc25cb3ad1e721c8000a08c80487a1eb9962fb2ce
                                        • Instruction ID: 1cc24726e264b6d902dc8e13454a4b82b709116ea0a9808dfc8bc316fdb43262
                                        • Opcode Fuzzy Hash: eaa47a1766a2f0b547df49ecc25cb3ad1e721c8000a08c80487a1eb9962fb2ce
                                        • Instruction Fuzzy Hash: 3EB2D071A0AA49CFEBA8DB18C495AB977F1FF56340F1440BDD04EC76B2DE64AC458B80

                                        Control-flow Graph

                                        Function at 0x7ffaab791988 (graph not reproduced in text). Callees visible in the graph: 0x7ffaab794520, 0x7ffaab794570, 0x7ffaab793788, 0x7ffaab7937a8.
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1553546105.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffaab790000_3SBlY301oa.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: WVSH$b4g$b4g$b4g$d
                                        • API String ID: 0-814568605
                                        • Opcode ID: 7e3897b73385219e645ff1e86a75ff9b56594aae318086e44857761c6f4d45ec
                                        • Instruction ID: 200bea3e7ca9a415777bc5747965544c85c7743c7f71621044c6ae0269c46c5b
                                        • Opcode Fuzzy Hash: 7e3897b73385219e645ff1e86a75ff9b56594aae318086e44857761c6f4d45ec
                                        • Instruction Fuzzy Hash: C1226831A1EA4A8FE7A8DB28D4815B177E1FF46350B1482B9C44EC72B7DE25F84687C1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1554435337.00007FFAAB860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB860000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffaab860000_3SBlY301oa.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 6g$"9g
                                        • API String ID: 0-523997891
                                        • Opcode ID: 5f426bff13d89c65fe89c011829e2175c5b6a3e2b7c93f8a224aedea2de469da
                                        • Instruction ID: 9a41ca8d9ead7047bcb47245e7b585768c5f7715daeee8112a0ba2d73d367430
                                        • Opcode Fuzzy Hash: 5f426bff13d89c65fe89c011829e2175c5b6a3e2b7c93f8a224aedea2de469da
                                        • Instruction Fuzzy Hash: 8BD2287190E7868FE756DB2888A56A5BFE0EF5B340F0445FED08DCB1A3DA246849C7C1

                                        Control-flow Graph

                                        Function at 0x7ffaab79418c (graph not reproduced in text). Callees visible in the graph: 0x7ffaab7936b8, 0x7ffaab793788, 0x7ffaab7939e8 (several call sites, one block calling it twice), 0x7ffaab7939f0, 0x7ffaab790208, 0x7ffaab791988, 0x7ffaab793790.
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1553546105.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffaab790000_3SBlY301oa.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: X:k$fish$M_H
                                        • API String ID: 0-1621393981
                                        • Opcode ID: 6449cfd4032d11bd6ab483419b6f2135ecd7843d6354eb65a6b9de664348d3ba
                                        • Instruction ID: 54d6b2ebc47fc4c72ec63bf1dc741d867ab79a682b3bf6015510fb8dbf48ac56
                                        • Opcode Fuzzy Hash: 6449cfd4032d11bd6ab483419b6f2135ecd7843d6354eb65a6b9de664348d3ba
                                        • Instruction Fuzzy Hash: D7D16B31A1EA4A4FE76CAB3894555B577F1FF96350B0481BED04FC32B2DD29A80687C1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1553546105.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffaab790000_3SBlY301oa.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: [h
                                        • API String ID: 0-2672728364
                                        • Opcode ID: 976608ec52dd2e3105efc4c24a7d29df23bc948f0eebf237276d9ddbbc115d67
                                        • Instruction ID: d9016e29044b675f3c82c59b1354f2e4bd3351625534b69392730aee8a6ddab4
                                        • Opcode Fuzzy Hash: 976608ec52dd2e3105efc4c24a7d29df23bc948f0eebf237276d9ddbbc115d67
                                        • Instruction Fuzzy Hash: 0903363051EB458FD359DB28C4814B5B7F1EF86341B1485BEE48AC72B6DE36E84AC781
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1553546105.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffaab790000_3SBlY301oa.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 0#q
                                        • API String ID: 0-2761699095
                                        • Opcode ID: 4bdb847d16c94e2438e2c2686c2be9b6e8f69e8e64f6f0e89ad09c59675127b1
                                        • Instruction ID: 54fd6c6ecbb64f3afe200e6e005cf208a93d5448e58c64eff9caead4ce0eb376
                                        • Opcode Fuzzy Hash: 4bdb847d16c94e2438e2c2686c2be9b6e8f69e8e64f6f0e89ad09c59675127b1
                                        • Instruction Fuzzy Hash: 31726A3161EB498FE399DB28C4415B577E1EF96340F0089BED48EC72B2DE65A84AC7C1
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1553546105.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffaab790000_3SBlY301oa.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6c3184ab3bef89c0f25319fbf1af7b3af241cf9c043a34c9dfcffa53e346181b
                                        • Instruction ID: c9d3906b930c397d7b8dcdd2af5804e34c9a3defd3d820a6d53d0ac0885d7e09
                                        • Opcode Fuzzy Hash: 6c3184ab3bef89c0f25319fbf1af7b3af241cf9c043a34c9dfcffa53e346181b
                                        • Instruction Fuzzy Hash: 04F16B3151EB868FE35ECB2884511B577E2FF92341B148A7ED4CAC72B5DE26A40AC7C1
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1553546105.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffaab790000_3SBlY301oa.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 867300aef2961570d7f6aedc4e935f6da320e9fc60f97913776b34000ddc14b9
                                        • Instruction ID: 21013307619b4814b2a80108face8edfb5e7954d0051a9c5705045396751b754
                                        • Opcode Fuzzy Hash: 867300aef2961570d7f6aedc4e935f6da320e9fc60f97913776b34000ddc14b9
                                        • Instruction Fuzzy Hash: 4C41387150E7895FD71E9B3898511B53BE5EB87320B05C2BFD08AC76B3DD24684A83D1
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1553546105.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffaab790000_3SBlY301oa.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a41e5820e33ef5e39107d5305fb5ff805bd4bc80ba9e24fa585278fc0a612168
                                        • Instruction ID: e3dd924fd444dee3b6808463d1c2ac91cbf2e43129e20b467c3f569962482e52
                                        • Opcode Fuzzy Hash: a41e5820e33ef5e39107d5305fb5ff805bd4bc80ba9e24fa585278fc0a612168
                                        • Instruction Fuzzy Hash: F241367150E7895FD71E9B7888611B53BE5EB87310B06C2BFD08AC72E3DD68580A83D2
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1553546105.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffaab790000_3SBlY301oa.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6b2d92803a953a6b77efedb63b16c3c7149a5c9100095f8a2d87656f3a687f2d
                                        • Instruction ID: 89cf6ac54db51015fb7191c724c65c8a739c9e578895c3c9b987715c8daeb241
                                        • Opcode Fuzzy Hash: 6b2d92803a953a6b77efedb63b16c3c7149a5c9100095f8a2d87656f3a687f2d
                                        • Instruction Fuzzy Hash: 8E217B72A0E6595FE71C9A28882107A77E6D787350B01C33ED18BC32F2DD54680742C1

                                        Control-flow Graph (rendered graph omitted; API node: VirtualProtect)
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1553546105.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffaab790000_3SBlY301oa.jbxd
                                        Similarity
                                        • API ID: ProtectVirtual
                                        • String ID: UAWA
                                        • API String ID: 544645111-1492024814
                                        • Opcode ID: 42807c998818e10e70ef9678642442e82192e3278b31f7b6141ee33f9ef70249
                                        • Instruction ID: da3363972cc33843eff2269a617aeb284a9907e340cd1ca6adc41e443204e705
                                        • Opcode Fuzzy Hash: 42807c998818e10e70ef9678642442e82192e3278b31f7b6141ee33f9ef70249
                                        • Instruction Fuzzy Hash: A6415A3090CB888FDB19DBA8D8066E9BFF1EF56321F0442AFD049C32A2CF646446C791
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1553546105.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffaab790000_3SBlY301oa.jbxd
                                        Similarity
                                        • API ID: ProtectVirtual
                                        • String ID:
                                        • API String ID: 544645111-0
                                        • Opcode ID: de2e49b7b85508ed90c7fc1c25d51b913e26d609054f9dd1d48ff7107a4dcafc
                                        • Instruction ID: 8138a6ff9aca3375b69d695b90c1c2401f8561560b946cdafec61fa4134b9cc6
                                        • Opcode Fuzzy Hash: de2e49b7b85508ed90c7fc1c25d51b913e26d609054f9dd1d48ff7107a4dcafc
                                        • Instruction Fuzzy Hash: 9E31283190CA4C8FDB18DB5CD8496F9BBF1EB55321F14427FE04AC3262CB616856C791
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1553546105.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffaab790000_3SBlY301oa.jbxd
                                        Similarity
                                        • API ID: ProtectVirtual
                                        • String ID:
                                        • API String ID: 544645111-0
                                        • Opcode ID: d8208f055853253a9d5998720c18e179bff20f0e364f1f5a9fe4efb3a75a7587
                                        • Instruction ID: f32adc79cf77fb625857f658224a566abe9d3a134c31381b42439701da6b9715
                                        • Opcode Fuzzy Hash: d8208f055853253a9d5998720c18e179bff20f0e364f1f5a9fe4efb3a75a7587
                                        • Instruction Fuzzy Hash: A231D43190CB5C8FDB18DBA8D8496F9BBF1EB55321F14426FD049C3152CB606856CB81
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1554435337.00007FFAAB860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB860000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffaab860000_3SBlY301oa.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 51d785fd3109e7c09dd7219d7e2bbcdb357681f79d9ed99c77aa2723901d36e9
                                        • Instruction ID: 3807c2e5aa52d7810a7569e1856d4f55760d5809ed3e18bc44dfa2c660b0e5ba
                                        • Opcode Fuzzy Hash: 51d785fd3109e7c09dd7219d7e2bbcdb357681f79d9ed99c77aa2723901d36e9
                                        • Instruction Fuzzy Hash: A2412B3190968A8FDB56EF18C4955E9BBB0FF5A300F0441FAD44ECB163DA25B845C7C0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1553546105.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffaab790000_3SBlY301oa.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: /g
                                        • API String ID: 0-1261323631
                                        • Opcode ID: 691061979bdfaf7b786bfc2dda79be0844dc7b8ee6fcec3aefcb5a917931e65d
                                        • Instruction ID: ca82f1a7c1a63ceee4a9bad9566f8092551fb7f173bcc174d2ee1e08484e39a3
                                        • Opcode Fuzzy Hash: 691061979bdfaf7b786bfc2dda79be0844dc7b8ee6fcec3aefcb5a917931e65d
                                        • Instruction Fuzzy Hash: C251F32095F3C29FD797977848A00717FF49F03258B1985FEC0CE8A4B3D84A686AC396
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1553546105.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffaab790000_3SBlY301oa.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 91d1ca0052a5a382fef84f3cadec496158e8c27f02dab36837e08d6655174914
                                        • Instruction ID: ca3f5d29705fd44f8005413364e47bdbd18f69b656598bdc4c7acee8651b8a7d
                                        • Opcode Fuzzy Hash: 91d1ca0052a5a382fef84f3cadec496158e8c27f02dab36837e08d6655174914
                                        • Instruction Fuzzy Hash: 0902463050E7868FE359DB2884854B5BBF1FF96341B04467EE48AC72B2DE65E84AC7C1

                                        Execution Graph

                                        Execution Coverage:8.5%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:17
                                        Total number of Limit Nodes:0
                                        Execution graph (rendered graph omitted); API nodes: DuplicateHandle, RtlSetProcessIsCritical, SetWindowsHookExW

                                        Control-flow Graph (rendered graph omitted; API node: DuplicateHandle)
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02A5BD0E,?,?,?,?,?), ref: 02A5BDCF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3789948200.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_2a50000_jsc.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID: [~2
                                        • API String ID: 3793708945-1171149887
                                        • Opcode ID: 691707054372434ec4f4d94f28ed52e138ef4e4d51b23d61ba2fa8039ee4d2dc
                                        • Instruction ID: cd9f7249979ff7edf2ce6971c3220897366faaefbda7611f37dcc1ebabb9655e
                                        • Opcode Fuzzy Hash: 691707054372434ec4f4d94f28ed52e138ef4e4d51b23d61ba2fa8039ee4d2dc
                                        • Instruction Fuzzy Hash: F721F6B5D002489FDB10CFAAD984ADEBBF8EB48314F20841AE954A3250D778A940CF61

                                        Control-flow Graph (rendered graph omitted; API node: RtlSetProcessIsCritical)
                                        APIs
                                        • RtlSetProcessIsCritical.NTDLL(?,?), ref: 02A56652
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3789948200.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_2a50000_jsc.jbxd
                                        Similarity
                                        • API ID: CriticalProcess
                                        • String ID: [~2
                                        • API String ID: 2695349919-1171149887
                                        • Opcode ID: 502aac76958b4cddc2c8ffe4bfafbbf6a8a13bec96b28dd4ffd2ad2c5756ec16
                                        • Instruction ID: a283cb5c401f28a1fdb7d3df0a9a7209c370e6c2e1a4b2d049eb3a8893db817c
                                        • Opcode Fuzzy Hash: 502aac76958b4cddc2c8ffe4bfafbbf6a8a13bec96b28dd4ffd2ad2c5756ec16
                                        • Instruction Fuzzy Hash: BB2148B6C01259CFDB14CF9AD880BEEBBF4EF59310F14806AE955A3640C738AA44CF65

                                        Control-flow Graph (rendered graph omitted; API node: RtlSetProcessIsCritical)
                                        APIs
                                        • RtlSetProcessIsCritical.NTDLL(?,?), ref: 02A56652
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3789948200.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_2a50000_jsc.jbxd
                                        Similarity
                                        • API ID: CriticalProcess
                                        • String ID: [~2
                                        • API String ID: 2695349919-1171149887
                                        • Opcode ID: 6eca16a00e9b6e1f1d3568fc7122ae921e135e078aeeea2803e4c278a2bc3ed1
                                        • Instruction ID: 110b85510be25d3b1da5e2e7382f008823686e9a800dcf6522f9922186a9c0e0
                                        • Opcode Fuzzy Hash: 6eca16a00e9b6e1f1d3568fc7122ae921e135e078aeeea2803e4c278a2bc3ed1
                                        • Instruction Fuzzy Hash: 872148B6C01259CFDB14CF9AD880BEEBBF4AF58310F14806AE855A3640C738AA44CF61

                                        Control-flow Graph (rendered graph omitted; API node: DuplicateHandle)
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02A5BD0E,?,?,?,?,?), ref: 02A5BDCF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3789948200.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_2a50000_jsc.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID: [~2
                                        • API String ID: 3793708945-1171149887
                                        • Opcode ID: 96a9c15ca00cde17286e66f2b4fd16de32376ee4344a7c64326b3f6181a4bdf6
                                        • Instruction ID: ed3327f13b56d4b32f80b744c57911f77282fb394ac37f888e95e02d4d5ccdc1
                                        • Opcode Fuzzy Hash: 96a9c15ca00cde17286e66f2b4fd16de32376ee4344a7c64326b3f6181a4bdf6
                                        • Instruction Fuzzy Hash: E121E3B59003589FDB10CF9AD984AEEBBF4EB48314F14841AE954A7350D779A940CFA4

                                        Control-flow Graph (rendered graph omitted; API node: SetWindowsHookExW)
                                        APIs
                                        • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 02A56A6B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3789948200.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_2a50000_jsc.jbxd
                                        Similarity
                                        • API ID: HookWindows
                                        • String ID: [~2
                                        • API String ID: 2559412058-1171149887
                                        • Opcode ID: 37bb7ccb8d593c83b5d10468cb01b800f24ff8c6160dc593eaf1ef2eb0661d47
                                        • Instruction ID: 545f516482de73f6ff66510ce6ff508ab75eedc9ac8d78f777ed505aad2b0c73
                                        • Opcode Fuzzy Hash: 37bb7ccb8d593c83b5d10468cb01b800f24ff8c6160dc593eaf1ef2eb0661d47
                                        • Instruction Fuzzy Hash: 612137B5D002199FCB24CFAAC944BDEBBF5EF88310F10842AE855A7250CB74A941CFA1

                                        Control-flow Graph (rendered graph omitted; API node: SetWindowsHookExW)
                                        APIs
                                        • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 02A56A6B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3789948200.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_2a50000_jsc.jbxd
                                        Similarity
                                        • API ID: HookWindows
                                        • String ID: [~2
                                        • API String ID: 2559412058-1171149887
                                        • Opcode ID: 014d64fd44601e6db5ce57258e940e30e73813de44b3a16b9a9f6f0edf969674
                                        • Instruction ID: 43c065f86c85d77dc9a4e263bca8c5cfaf5a558a7095742974d158a14f78648f
                                        • Opcode Fuzzy Hash: 014d64fd44601e6db5ce57258e940e30e73813de44b3a16b9a9f6f0edf969674
                                        • Instruction Fuzzy Hash: 59211575D002599FDB14DFAAD944BDFBBF5EF88310F10842AE419A7250CB78A941CFA0
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3789539619.00000000029FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029FD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_29fd000_jsc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ca67eceff278388d964fcbebb952b02401ad69a1150bbdfdefe017cb502604c4
                                        • Instruction ID: e29b90e35edb3b0b5d7475980bf138e0ff0b2dc5aba0bb0c0c505587d9b2b2a9
                                        • Opcode Fuzzy Hash: ca67eceff278388d964fcbebb952b02401ad69a1150bbdfdefe017cb502604c4
                                        • Instruction Fuzzy Hash: C521D371504204EFDB99DF10D9C0B16BB65FB84314F24C569EA094B696C336E456CBB2
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3789677158.0000000002A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A0D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_2a0d000_jsc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9ddc48f722809d76ddbf3c81031887978faa41e20d380cce3580c16259e8e9e7
                                        • Instruction ID: 028b1cd064cdbd61fcbfcf7476f895c34cacac5acd1c876d9572cc2a8af95dfb
                                        • Opcode Fuzzy Hash: 9ddc48f722809d76ddbf3c81031887978faa41e20d380cce3580c16259e8e9e7
                                        • Instruction Fuzzy Hash: A3210776504B04DFDB14DF90E5C0B16BB65FB88314F24C5ADE8494B292C73AD446CA62
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3789677158.0000000002A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A0D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_2a0d000_jsc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1b7ae658d46eea505ae0906002b54c5096cf78c7f808fe3f77b5845554a2a3c4
                                        • Instruction ID: d53c80e56d0b3515fe7457793ebf1e1f5919d0909c00bdbb2d353aef89145a89
                                        • Opcode Fuzzy Hash: 1b7ae658d46eea505ae0906002b54c5096cf78c7f808fe3f77b5845554a2a3c4
                                        • Instruction Fuzzy Hash: A021F276504704AFDB14DF94E9C0B16BB75FB88314F20C56DD80A4F292CB3AD84ACAA1
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3789677158.0000000002A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A0D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_2a0d000_jsc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f28c523c9090036668d14bf689f0f253cdb3a2d573d18f5cbeb5e6fa1b040cab
                                        • Instruction ID: d8d8d8a6d9a75471bf57b774a898d814a6ff94301afd081fd7b2ac4e50fd2f74
                                        • Opcode Fuzzy Hash: f28c523c9090036668d14bf689f0f253cdb3a2d573d18f5cbeb5e6fa1b040cab
                                        • Instruction Fuzzy Hash: 3721D072504700AFDB14DF94E5C0F26FB65EB8C314F20C66DE80A4B296CB36D846CA61
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3789539619.00000000029FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029FD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_29fd000_jsc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5f425b5cd1c464f0a4a5253a28fe3054bde847c9d27b32d63737858cb099eba0
                                        • Instruction ID: 5c7e2b32a558dcc9c73f6f0d0c778e2084f136cc270aec235adc3be9bbc6ed08
                                        • Opcode Fuzzy Hash: 5f425b5cd1c464f0a4a5253a28fe3054bde847c9d27b32d63737858cb099eba0
                                        • Instruction Fuzzy Hash: 1011D076504280DFCB56CF10D9C4B16BF72FB84324F24C6AADD494B656C33AD45ACBA2
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3789677158.0000000002A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A0D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_2a0d000_jsc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6f5963e13be94118601ce8c0c816b14e795ac28cdb338ecf6f134e886058e23b
                                        • Instruction ID: 952d68299c76e1036fe75c09b889ab9d2a6405469203047522b3af671f8d619c
                                        • Opcode Fuzzy Hash: 6f5963e13be94118601ce8c0c816b14e795ac28cdb338ecf6f134e886058e23b
                                        • Instruction Fuzzy Hash: A011BE76504640DFDB01CF50E9C0B15FB62FB48314F24C6A9D8494B696C73AD84ACFA1
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3789677158.0000000002A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A0D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_2a0d000_jsc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6f5963e13be94118601ce8c0c816b14e795ac28cdb338ecf6f134e886058e23b
                                        • Instruction ID: b3d2966e70d7bab99407e98d624bdc5d1c1b9ded40f84b7a5fc04988b1c17579
                                        • Opcode Fuzzy Hash: 6f5963e13be94118601ce8c0c816b14e795ac28cdb338ecf6f134e886058e23b
                                        • Instruction Fuzzy Hash: 8B119D7A504680DFCB15CF50E5C4B15FFA1FB84318F28C6AAD8494B696C33AD44ACFA2
                                        Memory Dump Source
                                        • Source File: 00000003.00000002.3789677158.0000000002A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A0D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_3_2_2a0d000_jsc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f45ef4269dcd309926caf90be9fd06c78b632527133492db4ad8851a217e1d2a
                                        • Instruction ID: 6afe321ca330690b4895de0be8f85f6e993db9c20bcceab3b235321b84f66f59
                                        • Opcode Fuzzy Hash: f45ef4269dcd309926caf90be9fd06c78b632527133492db4ad8851a217e1d2a
                                        • Instruction Fuzzy Hash: A211BF76504680CFDB15CF54E5C4B15FFA1FB88318F24C6ADD8494B696C33AD44ACB51

                                        Execution Graph

                                        Execution Coverage:7%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:0%
                                        Total number of Nodes:5
                                        Total number of Limit Nodes:1
                                        Execution graph (rendered graph omitted); API node: SetThreadToken

                                        Control-flow Graph

                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:

                                        Control-flow Graph

                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1398285393.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_7850000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $a0l$$a0l$pi{k$pi{k$pi{k$pi{k$pi{k$|,}k
                                        • API String ID: 0-2883752625

                                        Control-flow Graph

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1400272784.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_89c0000_powershell.jbxd
                                        Similarity
                                        • API ID: ThreadToken
                                        • String ID:
                                        • API String ID: 3254676861-0

                                        Control-flow Graph

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1400272784.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_89c0000_powershell.jbxd
                                        Similarity
                                        • API ID: ThreadToken
                                        • String ID:
                                        • API String ID: 3254676861-0

                                        Control-flow Graph

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1400272784.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_89c0000_powershell.jbxd
                                        Similarity
                                        • API ID: ThreadToken
                                        • String ID:
                                        • API String ID: 3254676861-0

                                        Control-flow Graph

                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1398285393.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_7850000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:

                                        Control-flow Graph

                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1398285393.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_7850000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:

                                        Control-flow Graph

                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:

                                        Control-flow Graph

                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:

                                        Control-flow Graph

                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:

                                        Control-flow Graph

                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1398285393.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_7850000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Instruction Fuzzy Hash: 51F02E3770A7149F971252597C108EFBBAEDEC61B1300057FE119C7500DA25A90547F3
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fd1439ac7c23953ea4c28e84f8ff1304d6bc985cbe7bbbef10d4ed06f71480c7
                                        • Instruction ID: e5006a4120a16b3dbe5e7c4e59d804bbf98c8fbc3fce68fda870b4d50a56de6a
                                        • Opcode Fuzzy Hash: fd1439ac7c23953ea4c28e84f8ff1304d6bc985cbe7bbbef10d4ed06f71480c7
                                        • Instruction Fuzzy Hash: 00F0287A6096045FE311AB78E4153EB7FA5EFC5328F20816BC4455B782CE3A6806C7E1
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 870f416a3f94739e75b587e3ab97d50c67e08bebfca9a480ffa7fe1f340fa453
                                        • Instruction ID: e72cee6c4dabed79dd899400b8d910a00525140ddce408c03267a3d741409e08
                                        • Opcode Fuzzy Hash: 870f416a3f94739e75b587e3ab97d50c67e08bebfca9a480ffa7fe1f340fa453
                                        • Instruction Fuzzy Hash: F7F046317052426FD72197A4A84496FBBE8EBC92707000AAEE159D3341CE24AC458B72
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386571149.000000000308D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0308D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_308d000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 384ffcd346b755a5abe9b09e8339aa565db3d8ac4b45d3ff1b9db0b50fa4fa03
                                        • Instruction ID: f809d76f1520becf446f98c0f9071de4455d1bc499a52057b8d91f25b08ae1da
                                        • Opcode Fuzzy Hash: 384ffcd346b755a5abe9b09e8339aa565db3d8ac4b45d3ff1b9db0b50fa4fa03
                                        • Instruction Fuzzy Hash: B0F0FF76600600AFD760DF0AD985C27FBADEBD4670719C55AE88A8B651C671FC42CEA0
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2d78710896460e59e852a66572ed5064fd8def72f96329bf9e0c40e0c0f79e38
                                        • Instruction ID: e6730941baa83c53ff34dce2164872b3af676f41a481b89a851c55b5791ac6c0
                                        • Opcode Fuzzy Hash: 2d78710896460e59e852a66572ed5064fd8def72f96329bf9e0c40e0c0f79e38
                                        • Instruction Fuzzy Hash: 12F0897550A3045FD3619B78E8A93D6BFE4FB81320F0445BAD15DCB242DB3A6985CB90
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 13a8611a47ce3e3e3e29e597f6e03ec10f8f8f2893d11848c2fb321e63bffcc7
                                        • Instruction ID: 9ceb5e97c4f04a3f9a1dc362959658f6c5f21733291904803fc3dd5e6d01cc62
                                        • Opcode Fuzzy Hash: 13a8611a47ce3e3e3e29e597f6e03ec10f8f8f2893d11848c2fb321e63bffcc7
                                        • Instruction Fuzzy Hash: 37F054397042504FC3108B1DE4548B6BBF99FCA61531910AAE185CB732DA61DC02CB91
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f6cd1cd2b0f0008f8096f2c07d798b4dd8754f6ab1e903ed34fbae75a52f8a6a
                                        • Instruction ID: fba8eea2b8b15fec45adcfd6fc670481370c2075c1a9d38dabc1fd35b715e480
                                        • Opcode Fuzzy Hash: f6cd1cd2b0f0008f8096f2c07d798b4dd8754f6ab1e903ed34fbae75a52f8a6a
                                        • Instruction Fuzzy Hash: 39F0A7357006199FD7149B59E844A6FB7E9EBC8671B00052DE14DD7340DF35AC018BA5
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9d91a6147406597ccea83dceaf9968bacd87603587124847e7f85ee2e4f20599
                                        • Instruction ID: 7ff84de79384b1754aae0ee48d0cb89cad99bb5b66f3379528eb900c6535526f
                                        • Opcode Fuzzy Hash: 9d91a6147406597ccea83dceaf9968bacd87603587124847e7f85ee2e4f20599
                                        • Instruction Fuzzy Hash: F8F0E23A30A3545FD7062774A8592E9BF51FBC2628F0401ABD50587282CF294D0A87E1
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386571149.000000000308D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0308D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_308d000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0c1511abb37ede2b8fbb1f62a5e2894dd5adb0e3234d1535170fb3b3d01e0de3
                                        • Instruction ID: 18d70c6ba87c65a88b7902d6f2ede97b94dd9f16cb99597fff80de0aa1a37f04
                                        • Opcode Fuzzy Hash: 0c1511abb37ede2b8fbb1f62a5e2894dd5adb0e3234d1535170fb3b3d01e0de3
                                        • Instruction Fuzzy Hash: A8F01D75100680AFD765CF06CD85D23BBBAEB85620B19C589F89A8B752C671FC42CF60
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 13bf3546f0e5e35e34070ecc7414516e806b727874419f7c74f52372a669a588
                                        • Instruction ID: c41b3a81b0a5e4eb29f637ef0024be19650bf9c77497507eaf7f6a1c84148fc9
                                        • Opcode Fuzzy Hash: 13bf3546f0e5e35e34070ecc7414516e806b727874419f7c74f52372a669a588
                                        • Instruction Fuzzy Hash: F8F0A0397002148FCB10EBADDA0069AB7E6EBC8B5570541E8E509CB355DF24DC028FA2
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8474b49c18acfbbe675e972f3879c70b844e53fd94e52c58a753e031423b6c19
                                        • Instruction ID: 8ce9654ca6281e1f6c25ba0c100ba8c06ff3206e64b25400fcc8f4b4d931cc7e
                                        • Opcode Fuzzy Hash: 8474b49c18acfbbe675e972f3879c70b844e53fd94e52c58a753e031423b6c19
                                        • Instruction Fuzzy Hash: D1F052B96006081BE300FBA8C0093DB7BD6EBC4314F10802EC5052BB85DE3A6802C7D0
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bedd34de381e9989bb7d94430b1dc821ab776c0e75beec167643bad2f804f1c4
                                        • Instruction ID: c3bfbce92420f9c3fc744ada9f6b73eef80c83562abe16a3c4cccdde49ab36f7
                                        • Opcode Fuzzy Hash: bedd34de381e9989bb7d94430b1dc821ab776c0e75beec167643bad2f804f1c4
                                        • Instruction Fuzzy Hash: 31E0DF3331D3990B9B16803E3C540E6BF6BCAC723031881BBE040CF286DC129D8643A2
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ac6eba2a10f5ec3bf312a940c000e90837e8d5b3b45d32863201579f781cb968
                                        • Instruction ID: 73a2e43c193a988e25d0eedd3632e0bea1eb55e865186485049e3a5f07eae81a
                                        • Opcode Fuzzy Hash: ac6eba2a10f5ec3bf312a940c000e90837e8d5b3b45d32863201579f781cb968
                                        • Instruction Fuzzy Hash: A1E0E5357002108F8714DB1DE498D66B7EAEFCEB2532910A9F54ACB721DA62EC02CB90
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 62f99635eb7bfde289ec6117fb1efe6640a51dac6cfb3dec51bcfaa431bd0ab3
                                        • Instruction ID: 19833252a15fe4a6024f3eaccf9f150f6f456527b3dc80aea174443b4a3c5cf6
                                        • Opcode Fuzzy Hash: 62f99635eb7bfde289ec6117fb1efe6640a51dac6cfb3dec51bcfaa431bd0ab3
                                        • Instruction Fuzzy Hash: E8E012E775151A1B2754F1FA28106FB56CF8AC45A5705007E9909C7742EC40EC0743E3
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 351920e4ffdffd7953e2210800cbda9a5c87b4429fd6b2e3d66ef408d8ee2683
                                        • Instruction ID: 90617ed98d354e5514e79446d52ea58026f26f3f5980daf25ffe37abde06c368
                                        • Opcode Fuzzy Hash: 351920e4ffdffd7953e2210800cbda9a5c87b4429fd6b2e3d66ef408d8ee2683
                                        • Instruction Fuzzy Hash: B2E048368091099BC705FB74F8474FDBF30FE40311F10017AD50651541DA33158ACBC1
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8005a772d59b7c181c372b42c8dc4089631f7d971e6d1a7c3f254d6d51102bc5
                                        • Instruction ID: 33a049c2b678393ccf7a8a83882ed495360e6f185d1ec0cf427ca9dc6f355d6a
                                        • Opcode Fuzzy Hash: 8005a772d59b7c181c372b42c8dc4089631f7d971e6d1a7c3f254d6d51102bc5
                                        • Instruction Fuzzy Hash: 1BF06D749013045BD360DF78D89D7DA7BE9FB84310F004479D25EC7240DB3AA8858B90
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e3e09df02b2bc46629dd6b9dd5c675740e5f7d61ee48b7d1e15ad21bfc8b8f3b
                                        • Instruction ID: f47a496e839eae70e53c921705b5b2a4f2c6108fb085bf25f751345f76de5b2f
                                        • Opcode Fuzzy Hash: e3e09df02b2bc46629dd6b9dd5c675740e5f7d61ee48b7d1e15ad21bfc8b8f3b
                                        • Instruction Fuzzy Hash: EDE02639305614ABCB087B79A80E2EE7A56FBC4724F00003ED60A83340CF3E5C0697E5
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 425e34e4fcfe6ae904a5ffa0b5909b2f2988f385f62c44712a4ba36f20c0ebc1
                                        • Instruction ID: a5c21d1f75e0a3ecfc8b5d23ae22e0f95852ba1f9982602d3ab4ab6df118be85
                                        • Opcode Fuzzy Hash: 425e34e4fcfe6ae904a5ffa0b5909b2f2988f385f62c44712a4ba36f20c0ebc1
                                        • Instruction Fuzzy Hash: FDD05ED279152A1B2754F1FA18107BB95CF8AC45A6B05007E9E09C3382EC40EC0743E3
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 47a643c48b46f559e2f7eaa9ac7577474fe51334c1268e1b06bf8ce2a64a5256
                                        • Instruction ID: 33ba4aa6e937e5fa31c422db5265b36e8384026e6586425b6ea4eb5212ec618c
                                        • Opcode Fuzzy Hash: 47a643c48b46f559e2f7eaa9ac7577474fe51334c1268e1b06bf8ce2a64a5256
                                        • Instruction Fuzzy Hash: F6E0D836A0934A8FC704EBB4E8834E9FFB4FB45205F004166DD0993340D6325845DBC1
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                        • Instruction ID: 722b729cecdb651e6aa11ccba0767d810367add45fd2856e69b607cde78b604e
                                        • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                        • Instruction Fuzzy Hash: 9CE08631B10014978B089559D4104D9F7ABEBCC220F04847ED90AA7340DA32691586E2
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 765d1a453036905383042d26e48bfbcaa45b3654b9fa086f4f8e00db7516e05f
                                        • Instruction ID: 65369e7b26aa3c4091ce0130c55a6b25c325ecaebe9f4332f167dc258ec7baf9
                                        • Opcode Fuzzy Hash: 765d1a453036905383042d26e48bfbcaa45b3654b9fa086f4f8e00db7516e05f
                                        • Instruction Fuzzy Hash: E9E0C239700B14978216A62EA81489FB7EEDFC99B1300453EE059CB300EF69EC068BD6
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a6a8c2ed6dd63a2214ad1e8c0d750c0ffa02f3634a2f1693cfa9c6beb7690d42
                                        • Instruction ID: fbf1855f9bea22ce8dd8bbecc5c63f1cda15dffb6fd61ac05b891d5b350dc42b
                                        • Opcode Fuzzy Hash: a6a8c2ed6dd63a2214ad1e8c0d750c0ffa02f3634a2f1693cfa9c6beb7690d42
                                        • Instruction Fuzzy Hash: 0CE0C27090425A8ECB45DFACC981169FFF0EF09314B1089AED948D7211E7324A11DB92
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                        • Instruction ID: 404535b5b275c31a3886e839217bc4dc1039605ddaa93868034ba0e4cc259b65
                                        • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                        • Instruction Fuzzy Hash: 26D042B0D042099F8B80EFA9894156EFBF5AB48214B6085AE8919E7251E6329A128BD1
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 957de3bd4d48e5275f652520268c903affcfa92d3951cf1ce698f4cbb31c04aa
                                        • Instruction ID: ccab5c8d26009f251bb4940ae5234f86d780a53dd3ab6335fa968cb09ce3c406
                                        • Opcode Fuzzy Hash: 957de3bd4d48e5275f652520268c903affcfa92d3951cf1ce698f4cbb31c04aa
                                        • Instruction Fuzzy Hash: 0FD01234E052099BC744EFA4D44746DBBB5EB45201F004169DD0593350EA315845DBC1
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1bf6b18aad9ae76353510a60526997159f22216dbdb8b42804626a4065ec08aa
                                        • Instruction ID: c06f5b551f8b4359438c75fecdd7161ec883ce8705e17f97dd10deead6f2e28e
                                        • Opcode Fuzzy Hash: 1bf6b18aad9ae76353510a60526997159f22216dbdb8b42804626a4065ec08aa
                                        • Instruction Fuzzy Hash: 24D067319051099BCB08EBA5E85B4FEBB74FE94302F404579DA0752590EA362A5ADFC1
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4540f0c8687230533c7e1751c295877de7166319b9b694b386bb85a58e4bb396
                                        • Instruction ID: 4f9a84757383e68cced6e160e6e1dc9539d4b05ec785c68d0d8e3ff80184f211
                                        • Opcode Fuzzy Hash: 4540f0c8687230533c7e1751c295877de7166319b9b694b386bb85a58e4bb396
                                        • Instruction Fuzzy Hash: 60C08C139082C08FEF0283B81C6D0097F70454324630605D29920DB132D834CC14C603
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8f6f9420bafb3cf94d2a3d3aafe24586588e4969a2f1de84de53857b254e4155
                                        • Instruction ID: 65e321b19d6065bb470220474c86fae1f7d49751ade80b6a46102f82db88c861
                                        • Opcode Fuzzy Hash: 8f6f9420bafb3cf94d2a3d3aafe24586588e4969a2f1de84de53857b254e4155
                                        • Instruction Fuzzy Hash: 1CD022300043488FC20B1F7858080083B19DBC230538008ECF0296B2B3DA66A82ACF06
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1386931134.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_49c0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 11332a6aa352bd47cf67a5c94f1ea23477d5f162f130bd6e6c34bb16fd8db6d1
                                        • Instruction ID: 8572a4edb507e7540dc01eba03b01ed632f52127bac96b9792240f19aff5a9b8
                                        • Opcode Fuzzy Hash: 11332a6aa352bd47cf67a5c94f1ea23477d5f162f130bd6e6c34bb16fd8db6d1
                                        • Instruction Fuzzy Hash: 5DB092300447088FC25A6F79A414818B72AEB4021538004A8E80E1A2928E76E895CB49

                                        Execution Graph

                                        Execution Coverage:5.9%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:0%
                                        Total number of Nodes:3
                                        Total number of Limit Nodes:0
                                        execution_graph 21527 89b64c8 21528 89b650b SetThreadToken 21527->21528 21529 89b6539 21528->21529

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 614 49ab488-49ab4b1 615 49ab4b3 614->615 616 49ab4b6-49ab7f1 call 49aa99c 614->616 615->616 677 49ab7f6-49ab7fd 616->677
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1419795946.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_49a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 72cfab4f414307319eb19e663bfb9e41ad97ac3bd7b35563b491b3b46cf4b546
                                        • Instruction ID: cb0f4c943f621b0b957fd03b298006c39d251c5597e52825d9473f72400c8afd
                                        • Opcode Fuzzy Hash: 72cfab4f414307319eb19e663bfb9e41ad97ac3bd7b35563b491b3b46cf4b546
                                        • Instruction Fuzzy Hash: E7913071F007149BEB25DBB98854AAE7BF3EF84B00B008929E156AB740DF3469068BD5

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 678 49ab498-49ab4b1 679 49ab4b3 678->679 680 49ab4b6-49ab7f1 call 49aa99c 678->680 679->680 741 49ab7f6-49ab7fd 680->741
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1419795946.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_49a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 80b4996979c0b8cd5d1fa2e7285a87a2231bca060b39e7433b20a3323341fb8e
                                        • Instruction ID: f09eeacf936615b438cad971d14bf14c9bd2f577737720d269b5d355cbf5c5a2
                                        • Opcode Fuzzy Hash: 80b4996979c0b8cd5d1fa2e7285a87a2231bca060b39e7433b20a3323341fb8e
                                        • Instruction Fuzzy Hash: DA911071F007149BEB29DBB98854AAE7BF3EF84B00B00892DD116AB744DF7469068BD5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1432228213.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7830000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: pi{k$pi{k$pi{k$pi{k$pi{k$|,}k
                                        • API String ID: 0-3595369795
                                        • Opcode ID: 4d96b40dd1072a242209899cf7c2e9a1a87afc8d1e1e27beb9e49a3d9f6e736a
                                        • Instruction ID: 595e5a5a69e18795bec865bd1189662c4bfa8fb0b914971e326390143b25f4aa
                                        • Opcode Fuzzy Hash: 4d96b40dd1072a242209899cf7c2e9a1a87afc8d1e1e27beb9e49a3d9f6e736a
                                        • Instruction Fuzzy Hash: 5C2224B1B0030ADFDB249F6DC4407AAB7E6FF96221F14806AD905CB251DB35D945CBE1

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 200 89b64c0-89b6503 201 89b650b-89b6537 SetThreadToken 200->201 202 89b6539-89b653f 201->202 203 89b6540-89b655d 201->203 202->203
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1435833022.00000000089B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_89b0000_powershell.jbxd
                                        Similarity
                                        • API ID: ThreadToken
                                        • String ID:
                                        • API String ID: 3254676861-0
                                        • Opcode ID: 498e13175037fbcca3000e6bd8cb2f7856dd6e1a2f76be665c7cd77704517e63
                                        • Instruction ID: e366fbbe1d95809ce7eef0ae5922f87dc0a2a130772ace99db1b8d6b5dbddd3d
                                        • Opcode Fuzzy Hash: 498e13175037fbcca3000e6bd8cb2f7856dd6e1a2f76be665c7cd77704517e63
                                        • Instruction Fuzzy Hash: B3113475D002488FDB20CF9AD444BDEFBF4AB48220F248419D419A7310C6B8A944CFA5

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 206 89b64c8-89b6537 SetThreadToken 208 89b6539-89b653f 206->208 209 89b6540-89b655d 206->209 208->209
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1435833022.00000000089B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_89b0000_powershell.jbxd
                                        Similarity
                                        • API ID: ThreadToken
                                        • String ID:
                                        • API String ID: 3254676861-0
                                        • Opcode ID: 1aea3987a56f7ab46ebd45a9e8bf0df0fb8e956200605191e89f102286a4e960
                                        • Instruction ID: 7a000bb99c9e1456c3d68f3d05278747f080a8a057e105986864401dc4416c20
                                        • Opcode Fuzzy Hash: 1aea3987a56f7ab46ebd45a9e8bf0df0fb8e956200605191e89f102286a4e960
                                        • Instruction Fuzzy Hash: EF11F5B5D003488FDB20DF9AD544BDEFBF8EB48224F24845AD418A7350D779A944CFA5

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 241 7833ce8-7833d0d 242 7833d13-7833d18 241->242 243 7833f00-7833f4a 241->243 244 7833d30-7833d34 242->244 245 7833d1a-7833d20 242->245 251 7833f50-7833f55 243->251 252 78340ce-7834112 243->252 249 7833eb0-7833eba 244->249 250 7833d3a-7833d3c 244->250 247 7833d22 245->247 248 7833d24-7833d2e 245->248 247->244 248->244 253 7833ec8-7833ece 249->253 254 7833ebc-7833ec5 249->254 255 7833d3e-7833d4a 250->255 256 7833d4c 250->256 257 7833f57-7833f5d 251->257 258 7833f6d-7833f71 251->258 270 7834228-783425d 252->270 271 7834118-783411d 252->271 259 7833ed0-7833ed2 253->259 260 7833ed4-7833ee0 253->260 261 7833d4e-7833d50 255->261 256->261 263 7833f61-7833f6b 257->263 264 7833f5f 257->264 268 7834080-783408a 258->268 269 7833f77-7833f79 258->269 266 7833ee2-7833efd 259->266 260->266 261->249 267 7833d56-7833d75 261->267 263->258 264->258 307 7833d77-7833d83 267->307 308 7833d85 267->308 273 7834097-783409d 268->273 274 783408c-7834094 268->274 275 7833f7b-7833f87 269->275 276 7833f89 269->276 299 783428b-7834295 270->299 300 783425f-7834281 270->300 278 7834135-7834139 271->278 279 783411f-7834125 271->279 282 78340a3-78340af 273->282 283 783409f-78340a1 273->283 281 7833f8b-7833f8d 275->281 276->281 289 78341da-78341e4 278->289 290 783413f-7834141 278->290 285 7834127 279->285 286 7834129-7834133 279->286 281->268 287 7833f93-7833fb2 281->287 288 78340b1-78340cb 282->288 283->288 285->278 286->278 324 7833fc2 287->324 325 7833fb4-7833fc0 287->325 292 78341f1-78341f7 289->292 293 78341e6-78341ee 289->293 297 7834143-783414f 290->297 298 7834151 290->298 303 78341f9-78341fb 292->303 304 78341fd-7834209 292->304 301 7834153-7834155 297->301 298->301 305 7834297-783429c 299->305 306 783429f-78342a5 299->306 335 7834283-7834288 300->335 336 78342d5-78342fe 300->336 301->289 312 783415b-783415d 301->312 313 783420b-7834225 303->313 304->313 315 78342a7-78342a9 306->315 316 78342ab-78342b7 306->316 314 7833d87-7833d89 307->314 308->314 318 7834177-783417e 312->318 319 783415f-7834165 312->319 314->249 323 7833d8f-7833d96 314->323 322 78342b9-78342d2 315->322 316->322 329 7834180-7834186 318->329 330 7834196-78341d7 318->330 327 7834167 319->327 328 7834169-7834175 319->328 323->243 333 7833d9c-7833da1 323->333 334 7833fc4-7833fc6 324->334 325->334 327->318 328->318 337 783418a-7834194 329->337 338 7834188 329->338 341 7833da3-7833da9 333->341 342 7833db9-7833dc8 333->342 334->268 345 7833fcc-7834003 334->345 356 7834300-7834326 336->356 357 783432d-783435c 336->357 337->330 338->330 343 7833dab 341->343 344 7833dad-7833db7 341->344 342->249 352 7833dce-7833dec 342->352 343->342 344->342 365 7834005-783400b 345->365 366 783401d-7834024 345->366 352->249 364 7833df2-7833e17 352->364 356->357 367 7834395-783439f 357->367 368 783435e-783437b 357->368 364->249 391 7833e1d-7833e24 364->391 374 783400f-783401b 365->374 375 783400d 365->375 369 7834026-783402c 366->369 370 783403c-783407d 366->370 371 78343a1-78343a5 367->371 372 78343a8-78343ae 367->372 383 78343e5-78343ea 368->383 384 783437d-783438f 368->384 376 7834030-783403a 369->376 377 783402e 369->377 379 78343b0-78343b2 372->379 380 78343b4-78343c0 372->380 385 78343c2-78343e2 379->385 380->385 374->366 375->366 376->370 377->370 383->384 384->367 393 7833e26-7833e41 391->393 394 7833e6a-7833e9d 391->394 398 7833e43-7833e49 393->398 399 7833e5b-7833e5f 393->399 404 7833ea4-7833ead 394->404 400 7833e4b 398->400 401 7833e4d-7833e59 398->401 403 7833e66-7833e68 399->403 400->399 401->399 403->404
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1432228213.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7830000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f2d82c95850b3c32bc05ed4189c5f68b1138c0dadab8142230ee7041c2404771
                                        • Instruction ID: bd5f3010ae75352ddc4c0b1f0b13a7e52d4dfa2d79e6f576802c9924b59c9bb0
                                        • Opcode Fuzzy Hash: f2d82c95850b3c32bc05ed4189c5f68b1138c0dadab8142230ee7041c2404771
                                        • Instruction Fuzzy Hash: 191247B1B04395DFDB259F6C98107BABBA2AFD2224F14806AD409CF651DB36DC41CBE1

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 512 78317b8-78317da 513 78317e0-78317e5 512->513 514 7831969-783197c 512->514 515 78317e7-78317ed 513->515 516 78317fd-7831801 513->516 522 7831997-78319b5 514->522 523 783197e-7831985 514->523 518 78317f1-78317fb 515->518 519 78317ef 515->519 520 7831807-783180b 516->520 521 7831914-783191e 516->521 518->516 519->516 526 783184b 520->526 527 783180d-783181e 520->527 524 7831920-7831929 521->524 525 783192c-7831932 521->525 531 7831b04-7831b25 522->531 532 78319bb-78319c0 522->532 528 78319f0-78319f2 523->528 529 7831987-7831996 523->529 533 7831934-7831936 525->533 534 7831938-7831944 525->534 530 783184d-783184f 526->530 527->514 546 7831824-7831829 527->546 541 78319f6-78319f8 528->541 529->522 530->521 540 7831855-7831859 530->540 556 7831b27-7831b34 531->556 557 7831b7f-7831b86 531->557 536 78319c2-78319c8 532->536 537 78319d8-78319dc 532->537 538 7831946-7831966 533->538 534->538 544 78319ca 536->544 545 78319cc-78319d6 536->545 542 7831ab4-7831abe 537->542 548 78319e2-78319e4 537->548 540->521 550 783185f-7831863 540->550 541->542 543 78319fe-7831a16 541->543 558 7831ac0-7831ac9 542->558 559 7831acc-7831ad2 542->559 580 7831a30-7831a34 543->580 581 7831a18-7831a1e 543->581 544->537 545->537 551 7831841-7831849 546->551 552 783182b-7831831 546->552 554 78319e6-78319ef 548->554 555 78319f4 548->555 560 7831886 550->560 561 7831865-783186e 550->561 551->530 565 7831833 552->565 566 7831835-783183f 552->566 554->528 555->541 573 7831b36-7831b42 556->573 574 7831b44 556->574 562 7831b90-7831b96 557->562 563 7831b88-7831b8d 557->563 570 7831ad4-7831ad6 559->570 571 7831ad8-7831ae4 559->571 567 7831889-7831911 560->567 568 7831870-7831873 561->568 569 7831875-7831882 561->569 576 7831b98-7831b9a 562->576 577 7831b9c-7831ba8 562->577 565->551 566->551 578 7831884 568->578 569->578 579 7831ae6-7831b01 570->579 571->579 575 7831b46-7831b48 573->575 574->575 584 7831b4a-7831b50 575->584 585 7831b7c 575->585 587 7831baa-7831bc1 576->587 577->587 578->567 596 7831a3a-7831a41 580->596 590 7831a22-7831a2e 581->590 591 7831a20 581->591 592 7831b52-7831b54 584->592 593 7831b5e-7831b79 584->593 585->557 590->580 591->580 592->593 600 7831a43-7831a46 596->600 601 7831a48-7831aa5 596->601 605 7831aaa-7831ab1 600->605 601->605
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1432228213.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7830000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1748f051e49110f164db7cd3165d0750ae69c469aaf23509ab36a4492fea249e
                                        • Instruction ID: 200cbeba03d433a1b27576c5c49b0cba15196386c0d58113c399e65ce4f1f8d0
                                        • Opcode Fuzzy Hash: 1748f051e49110f164db7cd3165d0750ae69c469aaf23509ab36a4492fea249e
                                        • Instruction Fuzzy Hash: B2B103B2F0064D9FDB109F6DC4087AABBE6EF96621F18807AD509CB251DB32D841C7E1

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 742 49a29f0-49a2a1e 743 49a2a24-49a2a3a 742->743 744 49a2af5-49a2b37 742->744 745 49a2a3f-49a2a52 743->745 746 49a2a3c 743->746 749 49a2b3d-49a2b56 744->749 750 49a2c51-49a2c61 744->750 745->744 751 49a2a58-49a2a65 745->751 746->745 752 49a2b5b-49a2b69 749->752 753 49a2b58 749->753 754 49a2a6a-49a2a7c 751->754 755 49a2a67 751->755 752->750 759 49a2b6f-49a2b79 752->759 753->752 754->744 762 49a2a7e-49a2a88 754->762 755->754 760 49a2b7b-49a2b7d 759->760 761 49a2b87-49a2b94 759->761 760->761 761->750 763 49a2b9a-49a2baa 761->763 764 49a2a8a-49a2a8c 762->764 765 49a2a96-49a2aa6 762->765 766 49a2baf-49a2bbd 763->766 767 49a2bac 763->767 764->765 765->744 768 49a2aa8-49a2ab2 765->768 766->750 773 49a2bc3-49a2bd3 766->773 767->766 769 49a2ac0-49a2af4 768->769 770 49a2ab4-49a2ab6 768->770 770->769 774 49a2bd8-49a2be5 773->774 775 49a2bd5 773->775 774->750 778 49a2be7-49a2bf7 774->778 775->774 779 49a2bf9 778->779 780 49a2bfc-49a2c08 778->780 779->780 780->750 782 49a2c0a-49a2c24 780->782 783 49a2c29 782->783 784 49a2c26 782->784 785 49a2c2e-49a2c38 783->785 784->783 786 49a2c3d-49a2c50 785->786
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1419795946.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_49a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 132c7bdda2673d1dcce953a4e8bf8520193ed2a58642c126ad131d65654a0cc6
                                        • Instruction ID: 683bfdc757a6eb3c32e945f4ceb16ba651e83aae82689a54b7d55ddbd0718fa7
                                        • Opcode Fuzzy Hash: 132c7bdda2673d1dcce953a4e8bf8520193ed2a58642c126ad131d65654a0cc6
                                        • Instruction Fuzzy Hash: 6491AF74A00645DFCB15CF58C494AAEFBB1FF49310B2485A9D815AB3A5C73AFC91CBA0

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 921 49abab8-49abac0 922 49abac2-49abaed 921->922 923 49abaf3-49abb58 921->923 922->923 927 49abb5a 923->927 928 49abb5e-49abb69 923->928 927->928 929 49abb6b 928->929 930 49abb6e-49abbc8 call 49aafa0 928->930 929->930 937 49abbca-49abbcf 930->937 938 49abc19-49abc1d 930->938 937->938 941 49abbd1-49abbf4 937->941 939 49abc2e 938->939 940 49abc1f-49abc29 938->940 942 49abc33-49abc35 939->942 940->939 945 49abbfa-49abc05 941->945 943 49abc5a 942->943 944 49abc37-49abc58 942->944 946 49abc62-49abc66 943->946 947 49abc5d call 49aa694 943->947 944->946 948 49abc0e-49abc17 945->948 949 49abc07-49abc0d 945->949 951 49abc68-49abc91 946->951 952 49abc9f-49abcce 946->952 947->946 948->942 949->948 951->952
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1419795946.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_49a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2bd868928518bae2129e156df8f1cb1c0eb406c0f9784258a65c7528e697c532
                                        • Instruction ID: e7b599f21143d73a95cd3aba94470984e00ccf92af763956771284c571f584c7
                                        • Opcode Fuzzy Hash: 2bd868928518bae2129e156df8f1cb1c0eb406c0f9784258a65c7528e697c532
                                        • Instruction Fuzzy Hash: 4E615E74E013489FDB14CFA9D444B9DFBF1EF89310F15816AE919AB351EB34A845CB90

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 962 49a7728-49a775e 965 49a7760-49a7762 962->965 966 49a7767-49a7770 962->966 967 49a7811-49a7816 965->967 969 49a7779-49a7797 966->969 970 49a7772-49a7774 966->970 973 49a7799-49a779b 969->973 974 49a779d-49a77a1 969->974 970->967 973->967 975 49a77a3-49a77a8 974->975 976 49a77b0-49a77b7 974->976 975->976 977 49a77b9-49a77e2 976->977 978 49a7817-49a7848 976->978 981 49a77f0 977->981 982 49a77e4-49a77ee 977->982 988 49a78ca-49a78ce 978->988 989 49a784e-49a78a5 978->989 984 49a77f2-49a77fe 981->984 982->984 990 49a7800-49a7802 984->990 991 49a7804-49a780b 984->991 1002 49a78d1 call 49a791a 988->1002 1003 49a78d1 call 49a7928 988->1003 998 49a78b1-49a78bf 989->998 999 49a78a7 989->999 990->967 991->967 993 49a78d4-49a78d9 998->988 1001 49a78c1-49a78c9 998->1001 999->998 1002->993 1003->993
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1419795946.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_49a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c240f08ce9b52e94ebe54d9a8b11d6ea5a4493bd38680aa786e584b8cd813da5
                                        • Instruction ID: 12004c6aff9f5d4633486751d2b0b6589649804d35351040942bba9d4e362c87
                                        • Opcode Fuzzy Hash: c240f08ce9b52e94ebe54d9a8b11d6ea5a4493bd38680aa786e584b8cd813da5
                                        • Instruction Fuzzy Hash: 1F51D0307042049FD714DBA9D988A7A77EAFFC9714B1588B9D50ACB351EB31EC02CBA1

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1004 49abac8-49abb58 1008 49abb5a 1004->1008 1009 49abb5e-49abb69 1004->1009 1008->1009 1010 49abb6b 1009->1010 1011 49abb6e-49abbc8 call 49aafa0 1009->1011 1010->1011 1018 49abbca-49abbcf 1011->1018 1019 49abc19-49abc1d 1011->1019 1018->1019 1022 49abbd1-49abbf4 1018->1022 1020 49abc2e 1019->1020 1021 49abc1f-49abc29 1019->1021 1023 49abc33-49abc35 1020->1023 1021->1020 1026 49abbfa-49abc05 1022->1026 1024 49abc5a 1023->1024 1025 49abc37-49abc58 1023->1025 1027 49abc62-49abc66 1024->1027 1028 49abc5d call 49aa694 1024->1028 1025->1027 1029 49abc0e-49abc17 1026->1029 1030 49abc07-49abc0d 1026->1030 1032 49abc68-49abc91 1027->1032 1033 49abc9f-49abcce 1027->1033 1028->1027 1029->1023 1030->1029 1032->1033
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1419795946.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_49a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e31ac75559276a1c8ce0583ed742a95ed6dda27ccc1f2c84c5ff4540795ea413
                                        • Instruction ID: 455c6bd5a87425a15e0507436f550e2f7812d2b20e0d1ca06c5e5e7b0cd5ce4c
                                        • Opcode Fuzzy Hash: e31ac75559276a1c8ce0583ed742a95ed6dda27ccc1f2c84c5ff4540795ea413
                                        • Instruction Fuzzy Hash: CF613670E002488FDB14CFA9D584B9DFBF6EF88310F15816AE919AB350EB34AC45CB90
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1419795946.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_49a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bb3ac851d3b0ecc4f9b38e601e3fba191fce1fc91934f819df5af41d87cd3e75
                                        • Instruction ID: becf19f8d69ad64d9f3253d9de7b4f0e302a4652c48c7eb9de5b88760d474091
                                        • Opcode Fuzzy Hash: bb3ac851d3b0ecc4f9b38e601e3fba191fce1fc91934f819df5af41d87cd3e75
                                        • Instruction Fuzzy Hash: 38415C34B042148FDB14CFA4C558AAEBBF6EF8D710F1544A9E402EB391DA31EC02CBA1
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1432228213.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7830000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f9ba58266727577d67d21e1bca9bad6de5152869e6673272d9555cb07b05af8f
                                        • Instruction ID: cd38593027a43d463f8e4d635901687da973e33b5aecf9f9c82ed7e83e6a044a
                                        • Opcode Fuzzy Hash: f9ba58266727577d67d21e1bca9bad6de5152869e6673272d9555cb07b05af8f
                                        • Instruction Fuzzy Hash: 633102F1B14252EBDB208E5CC500ABABBA2AF90614F148165D804DFE55DB36EC85CBE1
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1419795946.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_49a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1627854ed71e5271f76b8b818fe02e86588e7b6bcc7e9ca49317fe979c8a6c61
                                        • Instruction ID: a6f7aa2ba449b5e56b2015bea3266daa138b7b7676c850a14dfc0b892124661d
                                        • Opcode Fuzzy Hash: 1627854ed71e5271f76b8b818fe02e86588e7b6bcc7e9ca49317fe979c8a6c61
                                        • Instruction Fuzzy Hash: D9414B74A006059FCB15CF58C498AEAF7B1FF48310B1185A9D916AB364C736FCA1CB94
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1419795946.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_49a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 75c9e2507bae727bbbc03d3a0d24d6122f2e4b8127e3c756aaf8fc02dfe8a94a
                                        • Instruction ID: 87dd533fd0bc09ead7eb7d219f7ae1ec5072b86f328d885c5dedf8797d84377e
                                        • Opcode Fuzzy Hash: 75c9e2507bae727bbbc03d3a0d24d6122f2e4b8127e3c756aaf8fc02dfe8a94a
                                        • Instruction Fuzzy Hash: 5F31C0393006059FE718EB78E844BAAB7A6EFC5215F008579D609CB351DF74E806CBE1
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1419795946.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_49a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Source File: 0000000C.00000002.1419795946.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_49a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 78f8aa83a331691cbb0cfad4e2f7f520688bb0a0435052c4537dc1c88ef07a7e
                                        • Instruction ID: 66c573fd1045274e138fefae1e55f7f0fafa30e826a82eaf36f55d0d8f1d447d
                                        • Opcode Fuzzy Hash: 78f8aa83a331691cbb0cfad4e2f7f520688bb0a0435052c4537dc1c88ef07a7e
                                        • Instruction Fuzzy Hash: 9EF023356097845BC317932DA814CAF7FFACEC357030401EED056DB512CA55D806C7E2
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1419795946.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_49a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3ef7501d2c0eb7eeb42405af6af07ae77853cd8dc261998a0870c7cc08e4bfcf
                                        • Instruction ID: a4d073e1c903d83dce27b8ccc6ef22974c8224d68dd1644256a6e7780430083a
                                        • Opcode Fuzzy Hash: 3ef7501d2c0eb7eeb42405af6af07ae77853cd8dc261998a0870c7cc08e4bfcf
                                        • Instruction Fuzzy Hash: F1E012357401108F87109F1DD454C6AB7FAEFCEB1531510A9E545CF721DB61EC11CB90
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1419795946.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_49a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c6c22d7074f5134ab745a0be8f47e44ae30c85947260b97634e0494bbcb60fd9
                                        • Instruction ID: 3c301ac6eb8d78642b2d7ecef480a893e324204d3837aab8e8fe17d18f0e3a45
                                        • Opcode Fuzzy Hash: c6c22d7074f5134ab745a0be8f47e44ae30c85947260b97634e0494bbcb60fd9
                                        • Instruction Fuzzy Hash: 9DF082357082945FDB0A6B74A41C6AD7FA2EF86625F0500AEEA4A87283CE65480687D5
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1419795946.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_49a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f7daf89399f66bae5fa799a7de13946e63cbf82c36e841404f8f33931ed8f891
                                        • Instruction ID: 72dc5658ce829b709718264feefd10d7a93357164b7f9a8ec80df6b559618d14
                                        • Opcode Fuzzy Hash: f7daf89399f66bae5fa799a7de13946e63cbf82c36e841404f8f33931ed8f891
                                        • Instruction Fuzzy Hash: A6E02B35704044578B08C25DE8048FAFFB3DFCA220F04857ED497A7250CA31642697D0
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1419795946.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_49a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a8699d5f9fb9cbce7ec4c5c0b7bbabdbbdb0b92253a5dcd3d84b0f34e45b4dfb
                                        • Instruction ID: 015aaa52255af08116a8461878af7d47b351c107c4d977cfc5421f961f2170fd
                                        • Opcode Fuzzy Hash: a8699d5f9fb9cbce7ec4c5c0b7bbabdbbdb0b92253a5dcd3d84b0f34e45b4dfb
                                        • Instruction Fuzzy Hash: 94E0DF2634D2D51B8B1A823DA4504AA6F768AC326032D81FAE4C5CF247C8518C4683A1
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1419795946.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_49a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4bc18bc9c21326bb8a6d3f828850e87be905d03ffb20fe5acff527feb851221d
                                        • Instruction ID: 14bb0f3d45809a987bd6d73c847fe0b91a77e6dc8f77deb4bfb8ee449d08e737
                                        • Opcode Fuzzy Hash: 4bc18bc9c21326bb8a6d3f828850e87be905d03ffb20fe5acff527feb851221d
                                        • Instruction Fuzzy Hash: ACE0483160170417952CA75EAC4086EB69FDFC56A4754493DD10E97600DF756C074BA1
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1419795946.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_49a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 11dcf1c3e2817a1679e5e0285f0c6304cc789a6f08a24ff90b4e8d1f518ddbf0
                                        • Instruction ID: f756aedc68f0a2b6961fee251c10e2574d3401422f3085079cf65e14e1e32c5c
                                        • Opcode Fuzzy Hash: 11dcf1c3e2817a1679e5e0285f0c6304cc789a6f08a24ff90b4e8d1f518ddbf0
                                        • Instruction Fuzzy Hash: D9F06D749003184BD7609F78E89C79ABBE9FB44310F00486DE20EC7240DB756880CB90
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1419795946.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_49a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 34b408b74de0250e0fc20f5d85a7ecc5a2d4f9bbf51b803fb757c449b5c1a9c9
                                        • Instruction ID: 12de0f001a857a0fec2e2d2adae5fa655be3682a689fc835f90e0627554ca616
                                        • Opcode Fuzzy Hash: 34b408b74de0250e0fc20f5d85a7ecc5a2d4f9bbf51b803fb757c449b5c1a9c9
                                        • Instruction Fuzzy Hash: 6AE0263930462847CB083B79B40C2AE7A56EBC4B24F00006EE70B83381CFB8580287D9
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1419795946.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_49a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fd868e8f2d3e4e8805451c92b1b4d3f8051761704075773165aa2ea2cf77d439
                                        • Instruction ID: e178daca06dee0b1649995258cec89732c031eb736e4683b3400b8ff033feb88
                                        • Opcode Fuzzy Hash: fd868e8f2d3e4e8805451c92b1b4d3f8051761704075773165aa2ea2cf77d439
                                        • Instruction Fuzzy Hash: 5FD05E527012211B5758B0AA18006BBB5DE9AC54A970514369E05C7241ED40FC294BF2
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1419795946.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_49a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                        • Instruction ID: 90ea9707eb2022ba5c1b3e48e8d842808693e85ee0086b98a0a7221a8547b2bf
                                        • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                        • Instruction Fuzzy Hash: 13E08631B10014978B089599D8104D9F7A7DFCC220F04847AD91AA7740DA32691686D1
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1419795946.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_49a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a7221272d70f948f0375e5cfff889af0a5861f4948c8d6a35a14b1f5ed7eaf2f
                                        • Instruction ID: 8a54071e7b04446a10bc65e24f0b3ba10c178d172252fbe5c2bb0a1d51256152
                                        • Opcode Fuzzy Hash: a7221272d70f948f0375e5cfff889af0a5861f4948c8d6a35a14b1f5ed7eaf2f
                                        • Instruction Fuzzy Hash: 5BE08C35700B18578225661EA8048AEB6EFDFC5AA5310442EE119C7600DF65E80687D5
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1419795946.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_49a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1ca4a5e5c60d337987a3a48e66fa313892683a355a2227e5bca5cb63159f0230
                                        • Instruction ID: e221ac828b6d66a785bf27fae6bb325faa126760ef64b0c07839f35735093e75
                                        • Opcode Fuzzy Hash: 1ca4a5e5c60d337987a3a48e66fa313892683a355a2227e5bca5cb63159f0230
                                        • Instruction Fuzzy Hash: EFE0ED70D0021ADF8740DFACC942559FBF4EF09200F5585ADC948D7212E7329A12DBD1
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1419795946.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_49a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ae7b8a60ddfe702a4db948671654aedff0243f90f6d4258ce65340f38af1af2c
                                        • Instruction ID: db178fe417e7112b953110f1742d37c14a19b4ec2bb84f7fe40d2954512474c7
                                        • Opcode Fuzzy Hash: ae7b8a60ddfe702a4db948671654aedff0243f90f6d4258ce65340f38af1af2c
                                        • Instruction Fuzzy Hash: C5E0CD357091501F9301537CB81546D7FE1EFD76D131500FFE64AD7352D9554C058B91
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1419795946.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_49a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4e6d3596e178f561e70da152162c6bfc7f2dbdb7996800ba9f92e626607f8ba4
                                        • Instruction ID: 0049e5374481a5d8c75043034e716156d8ea2a15475b24974ce15bd4e8fe10fd
                                        • Opcode Fuzzy Hash: 4e6d3596e178f561e70da152162c6bfc7f2dbdb7996800ba9f92e626607f8ba4
                                        • Instruction Fuzzy Hash: C0E04F3890405D8BCB09BBA0F45A8AD7F70FE05301B0005ECE9A752192EA61095BCBC1
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1419795946.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_49a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dfad7abb4dbd3a2e169914044f9d1e1136a4c8c2d8cbee509e00678133b91277
                                        • Instruction ID: 5a6aaa3b0c53fbe99e73e750e41f0f8a9480a381e221a639403a099baf577ac4
                                        • Opcode Fuzzy Hash: dfad7abb4dbd3a2e169914044f9d1e1136a4c8c2d8cbee509e00678133b91277
                                        • Instruction Fuzzy Hash: 51E0D838D0824A8BCB04DBB8E00946EBFF0FF45240B1012ADE94697202D6300442CFC1
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1419795946.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_49a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4f6b0de27cc4f55ef33931acce1a3f3650a1c3efc846181b3822fd3efec37801
                                        • Instruction ID: a9a304d0a5924f7b7dc2f15aca4ea80b4dbffbe119af201ae81297de7aa47123
                                        • Opcode Fuzzy Hash: 4f6b0de27cc4f55ef33931acce1a3f3650a1c3efc846181b3822fd3efec37801
                                        • Instruction Fuzzy Hash: 74D0A7353001142B5204635DF80946977EADBCAAA6301007FE60DC3340DE619C0587E4
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1419795946.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_49a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                        • Instruction ID: 8c507952bdb2efefe1a37e88797c8ca1d6e83dc1d4945a0e0393463ef7d8e367
                                        • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                        • Instruction Fuzzy Hash: A0D042B1D042099F8780EFA9894166EFBF4AB48204B6485AA8919E7215E7329A128BD1
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1419795946.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_49a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 52c891a05667d5b2c7539a097148a3b808bd570c4d4c206ea6bb9b0aa0631692
                                        • Instruction ID: 6f7bed1441d34a0807035499ef7259ea5fe1fc2907ab0d3d0b22b20f1b2521dd
                                        • Opcode Fuzzy Hash: 52c891a05667d5b2c7539a097148a3b808bd570c4d4c206ea6bb9b0aa0631692
                                        • Instruction Fuzzy Hash: 09D0173880411D8BCB08EBA4F81A4BDBB74FA00301F4001ADE91752192EA702A5ACAC0
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1419795946.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_49a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cf3a25edd170a5c466f2e0167a8c3a5944b3cd7523c149bb7e36e4e739548ad9
                                        • Instruction ID: c1fb3bb89dfcc2dddcc49eadb8c624e5326d8a4668539680a5bcdbe014e3f401
                                        • Opcode Fuzzy Hash: cf3a25edd170a5c466f2e0167a8c3a5944b3cd7523c149bb7e36e4e739548ad9
                                        • Instruction Fuzzy Hash: 48D01738A0820E8BCB48EFA4E44A86EBBB5EB44200F0041A9ED0A93340EA306911CBC1
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1419795946.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_49a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b0436f8dc2e435f822b0604e0fd3645413ea31471970f3bc18c366d260eaadb0
                                        • Instruction ID: fca94f64fa2a334b1f7b13eb7b7604b012a0ade937d96d7d1f693c8ad99f558d
                                        • Opcode Fuzzy Hash: b0436f8dc2e435f822b0604e0fd3645413ea31471970f3bc18c366d260eaadb0
                                        • Instruction Fuzzy Hash: C7D0C93444E3C49FC72B9F7995A48187F71AE0322431905DED9968F2B3CA768849CF06
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1419795946.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_49a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b2964704d610fb833f92f93f0041bd1bcef869d22b9ca1804b2435f58fb74ff2
                                        • Instruction ID: bfdaf7b44277974dc9d0a3b94674bed5338591f4a4f4e0c03345685903d22da3
                                        • Opcode Fuzzy Hash: b2964704d610fb833f92f93f0041bd1bcef869d22b9ca1804b2435f58fb74ff2
                                        • Instruction Fuzzy Hash: D9C08C1040F3C00FEF0B873509282033F720E4340430B45DFC0C2CA8A3CE640809CB12
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1419795946.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_49a0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5179b685c2e82a5d569ab0998819f65271fe676504ca75a9f7f3f3cbc0f3c1d4
                                        • Instruction ID: dde29e80f6d2bdf9ffbc84c7188777e12378aaf6ed2959e28a612a7fc3d998fd
                                        • Opcode Fuzzy Hash: 5179b685c2e82a5d569ab0998819f65271fe676504ca75a9f7f3f3cbc0f3c1d4
                                        • Instruction Fuzzy Hash: 61B092350447088FC2A8AF79A414819B72AEB4021538008A8E90E0A2938E36E885CB44

                                        Execution Graph

                                        Execution Coverage:5.9%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:0%
                                        Total number of Nodes:3
                                        Total number of Limit Nodes:0
                                        execution_graph nodes: 21479 8e06848; 21480 8e0688b SetThreadToken; 21481 8e068b9
                                        execution_graph edges: 21479->21480, 21480->21481

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph nodes: 208 4d8b490-4d8b4b9; 209 4d8b4bb; 210 4d8b4be-4d8b7f9 call 4d8a9a4; 271 4d8b7fe-4d8b805
                                        control_flow_graph edges: 208->209, 208->210, 209->210, 210->271
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: KUbn^$[Ubn^$kUbn^${Ubn^$\bn^
                                        • API String ID: 0-2405747947
                                        • Opcode ID: 58b772f9ad76ff1ea81c5b4ed352e6d7d10f093ef78e5f5334f8d6929f6f0e70
                                        • Instruction ID: 3ad0dcdab91feec08f5c5c14d40153118a7f434d864de53e37dbe9f4eb002e5e
                                        • Opcode Fuzzy Hash: 58b772f9ad76ff1ea81c5b4ed352e6d7d10f093ef78e5f5334f8d6929f6f0e70
                                        • Instruction Fuzzy Hash: FD915175B007149BDB25EFB98410AAE7BB2EFC5700B01C92EE156AF344DF3869068BD5

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph nodes: 272 4d8b4a0-4d8b4b9; 273 4d8b4bb; 274 4d8b4be-4d8b7f9 call 4d8a9a4; 335 4d8b7fe-4d8b805
                                        control_flow_graph edges: 272->273, 272->274, 273->274, 274->335
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: KUbn^$[Ubn^$kUbn^${Ubn^$\bn^
                                        • API String ID: 0-2405747947
                                        • Opcode ID: 7472ce71d27fad77932da5de39d09f0cb400c75ddbc43bc126c17964ed6e5a15
                                        • Instruction ID: 3f395f0c08511ae6823f68a0aae5eac7fb6264c1fd4c59e5743986ad46fc5746
                                        • Opcode Fuzzy Hash: 7472ce71d27fad77932da5de39d09f0cb400c75ddbc43bc126c17964ed6e5a15
                                        • Instruction Fuzzy Hash: 8D914075F006149BDB69EFB98410AAE7BB2EFC4700B00C92DE156AF344DF3869068BD5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1476107714.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7c90000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: pi{k$pi{k$pi{k$pi{k$pi{k$|,}k
                                        • API String ID: 0-3595369795
                                        • Opcode ID: 47362b7d075a99bdfbc9228718d15048461d15f4891ac1a12ba0c0dc2713f6b6
                                        • Instruction ID: f0ba0aa4371696001551238b4cffa3ee23d9d79a5a053a87ad663c4db59c0c53
                                        • Opcode Fuzzy Hash: 47362b7d075a99bdfbc9228718d15048461d15f4891ac1a12ba0c0dc2713f6b6
                                        • Instruction Fuzzy Hash: 822224B1B00206EFDF649F69C8887AAB7F5FF85220F04807AD5858B641DB35CE45CBA1

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph nodes: 503 8e06840-8e06844; 504 8e06846-8e06883; 505 8e06838-8e0683e; 507 8e0688b-8e068b7 SetThreadToken; 508 8e068c0-8e068dd; 509 8e068b9-8e068bf
                                        control_flow_graph edges: 503->504, 503->505, 504->507, 505->503, 507->508, 507->509, 509->508
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1484188527.0000000008E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_8e00000_powershell.jbxd
                                        Similarity
                                        • API ID: ThreadToken
                                        • String ID:
                                        • API String ID: 3254676861-0
                                        • Opcode ID: 38df8a0fe362de16d0ec5627b781b5c75882c39bf1dc62e0e2d6857da3a8fa2e
                                        • Instruction ID: 091b0bdc9eb5f7a95eb92e3fdefea6608d9918e8947986d4b4a5e795761cbff7
                                        • Opcode Fuzzy Hash: 38df8a0fe362de16d0ec5627b781b5c75882c39bf1dc62e0e2d6857da3a8fa2e
                                        • Instruction Fuzzy Hash: 2C2159759043888FCB11CF9AC844B9EFFF4EF8A220F14845AD454A7361D778A844CFA5

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 512 8e06848-8e068b7 SetThreadToken 514 8e068c0-8e068dd 512->514 515 8e068b9-8e068bf 512->515 515->514
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1484188527.0000000008E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_8e00000_powershell.jbxd
                                        Similarity
                                        • API ID: ThreadToken
                                        • String ID:
                                        • API String ID: 3254676861-0
                                        • Opcode ID: f6201c1d86581a88307e8debccd6987ea88a68e3981bd5aa71dc9b3125ce0d20
                                        • Instruction ID: 2c16a9a3266f1d8f9f5124df166d65675769af15b817ebd798f5c959707c3717
                                        • Opcode Fuzzy Hash: f6201c1d86581a88307e8debccd6987ea88a68e3981bd5aa71dc9b3125ce0d20
                                        • Instruction Fuzzy Hash: 4C11F5B5D003488FDB20DF9AD544BDEFBF8EB88324F14842AD418A7250D779A944CFA5

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 539 7c93ce8-7c93d0d 540 7c93f00-7c93f4a 539->540 541 7c93d13-7c93d18 539->541 559 7c940ce-7c94112 540->559 560 7c93f50-7c93f55 540->560 542 7c93d1a-7c93d20 541->542 543 7c93d30-7c93d34 541->543 545 7c93d22 542->545 546 7c93d24-7c93d2e 542->546 547 7c93d3a-7c93d3c 543->547 548 7c93eb0-7c93eba 543->548 545->543 546->543 551 7c93d4c 547->551 552 7c93d3e-7c93d4a 547->552 549 7c93ec8-7c93ece 548->549 550 7c93ebc-7c93ec5 548->550 556 7c93ed0-7c93ed2 549->556 557 7c93ed4-7c93ee0 549->557 554 7c93d4e-7c93d50 551->554 552->554 554->548 558 7c93d56-7c93d75 554->558 561 7c93ee2-7c93efd 556->561 557->561 585 7c93d85 558->585 586 7c93d77-7c93d83 558->586 583 7c94228-7c9425d 559->583 584 7c94118-7c9411d 559->584 563 7c93f6d-7c93f71 560->563 564 7c93f57-7c93f5d 560->564 567 7c94080-7c9408a 563->567 568 7c93f77-7c93f79 563->568 570 7c93f5f 564->570 571 7c93f61-7c93f6b 564->571 572 7c9408c-7c94094 567->572 573 7c94097-7c9409d 567->573 574 7c93f89 568->574 575 7c93f7b-7c93f87 568->575 570->563 571->563 580 7c9409f-7c940a1 573->580 581 7c940a3-7c940af 573->581 579 7c93f8b-7c93f8d 574->579 575->579 579->567 587 7c93f93-7c93fb2 579->587 588 7c940b1-7c940cb 580->588 581->588 620 7c9428b-7c94295 583->620 621 7c9425f-7c94281 583->621 589 7c9411f-7c94125 584->589 590 7c94135-7c94139 584->590 591 7c93d87-7c93d89 585->591 586->591 618 7c93fc2 587->618 619 7c93fb4-7c93fc0 587->619 593 7c94129-7c94133 589->593 594 7c94127 589->594 597 7c941da-7c941e4 590->597 598 7c9413f-7c94141 590->598 591->548 595 7c93d8f-7c93d96 591->595 593->590 594->590 595->540 601 7c93d9c-7c93da1 595->601 604 7c941f1-7c941f7 597->604 605 7c941e6-7c941ee 597->605 602 7c94151 598->602 603 7c94143-7c9414f 598->603 607 7c93db9-7c93dc8 601->607 608 7c93da3-7c93da9 601->608 610 7c94153-7c94155 602->610 603->610 613 7c941f9-7c941fb 604->613 614 7c941fd-7c94209 604->614 607->548 639 7c93dce-7c93dec 607->639 616 7c93dab 608->616 617 7c93dad-7c93db7 608->617 610->597 622 7c9415b-7c9415d 610->622 615 7c9420b-7c94225 613->615 614->615 616->607 617->607 626 7c93fc4-7c93fc6 618->626 619->626 624 7c9429f-7c942a5 620->624 625 7c94297-7c9429c 620->625 651 7c94283-7c94288 621->651 652 7c942d5-7c942fe 621->652 628 7c9415f-7c94165 622->628 629 7c94177-7c9417e 622->629 636 7c942ab-7c942b7 624->636 637 7c942a7-7c942a9 624->637 626->567 638 7c93fcc-7c94003 626->638 630 7c94169-7c94175 628->630 631 7c94167 628->631 634 7c94180-7c94186 629->634 635 7c94196-7c941d7 629->635 630->629 631->629 641 7c94188 634->641 642 7c9418a-7c94194 634->642 643 7c942b9-7c942d2 636->643 637->643 662 7c9401d-7c94024 638->662 663 7c94005-7c9400b 638->663 639->548 658 7c93df2-7c93e17 639->658 641->635 642->635 665 7c9432d-7c9435c 652->665 666 7c94300-7c94326 652->666 658->548 676 7c93e1d-7c93e24 658->676 669 7c9403c-7c9407d 662->669 670 7c94026-7c9402c 662->670 667 7c9400d 663->667 668 7c9400f-7c9401b 663->668 681 7c9435e-7c9437b 665->681 682 7c94395-7c9439f 665->682 666->665 667->662 668->662 673 7c9402e 670->673 674 7c94030-7c9403a 670->674 673->669 674->669 679 7c93e6a-7c93e9d 676->679 680 7c93e26-7c93e41 676->680 704 7c93ea4-7c93ead 679->704 695 7c93e5b-7c93e5f 680->695 696 7c93e43-7c93e49 680->696 692 7c9437d-7c9438f 681->692 693 7c943e5-7c943ea 681->693 684 7c943a8-7c943ae 682->684 685 7c943a1-7c943a5 682->685 687 7c943b0-7c943b2 684->687 688 7c943b4-7c943c0 684->688 694 7c943c2-7c943e2 687->694 688->694 692->682 693->692 702 7c93e66-7c93e68 695->702 698 7c93e4b 696->698 699 7c93e4d-7c93e59 696->699 698->695 699->695 702->704
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1476107714.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7c90000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8e1729aabbf02e727f5c67d77c5a97e191aee7884e7edf5897ed60705c270afb
                                        • Instruction ID: 2d0fc713cc09e15c85cb58c313706e961dae9406462aa10b3499a85997773260
                                        • Opcode Fuzzy Hash: 8e1729aabbf02e727f5c67d77c5a97e191aee7884e7edf5897ed60705c270afb
                                        • Instruction Fuzzy Hash: 01126BB1B04391CFCF555B6994547BBBBB2AFC2620F1480BAD405CB681DB36CE42CBA1

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 711 4d829f0-4d82a1e 712 4d82a24-4d82a3a 711->712 713 4d82af5-4d82b37 711->713 714 4d82a3c 712->714 715 4d82a3f-4d82a52 712->715 717 4d82b3d-4d82b56 713->717 718 4d82c51-4d82c67 713->718 714->715 715->713 722 4d82a58-4d82a65 715->722 720 4d82b58 717->720 721 4d82b5b-4d82b69 717->721 720->721 721->718 729 4d82b6f-4d82b79 721->729 724 4d82a6a-4d82a7c 722->724 725 4d82a67 722->725 724->713 730 4d82a7e-4d82a88 724->730 725->724 731 4d82b7b-4d82b7d 729->731 732 4d82b87-4d82b94 729->732 733 4d82a8a-4d82a8c 730->733 734 4d82a96-4d82aa6 730->734 731->732 732->718 735 4d82b9a-4d82baa 732->735 733->734 734->713 736 4d82aa8-4d82ab2 734->736 737 4d82bac 735->737 738 4d82baf-4d82bbd 735->738 739 4d82ac0-4d82af4 736->739 740 4d82ab4-4d82ab6 736->740 737->738 738->718 743 4d82bc3-4d82bd3 738->743 740->739 744 4d82bd8-4d82be5 743->744 745 4d82bd5 743->745 744->718 748 4d82be7-4d82bf7 744->748 745->744 749 4d82bf9 748->749 750 4d82bfc-4d82c08 748->750 749->750 750->718 752 4d82c0a-4d82c24 750->752 753 4d82c29 752->753 754 4d82c26 752->754 755 4d82c2e-4d82c38 753->755 754->753 756 4d82c3d-4d82c50 755->756
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0a71633522a7b6ad62a7e6b9da43a523d4dd2435af42b007b06ff43d4abf2a86
                                        • Instruction ID: d91402796051fb7cf5717d288fad397f5655a96c9e24cd79c901628b28908331
                                        • Opcode Fuzzy Hash: 0a71633522a7b6ad62a7e6b9da43a523d4dd2435af42b007b06ff43d4abf2a86
                                        • Instruction Fuzzy Hash: FB917B74A002058FCB15DF58C494ABEFBB1FF89310B2485A9D915AB3A5C736FC91CBA0

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 895 4d87740-4d87776 898 4d87778-4d8777a 895->898 899 4d8777f-4d87788 895->899 900 4d87829-4d8782e 898->900 902 4d8778a-4d8778c 899->902 903 4d87791-4d877af 899->903 902->900 906 4d877b1-4d877b3 903->906 907 4d877b5-4d877b9 903->907 906->900 908 4d877c8-4d877cf 907->908 909 4d877bb-4d877c0 907->909 910 4d8782f-4d87860 908->910 911 4d877d1-4d877fa 908->911 909->908 918 4d878e2-4d878e6 910->918 919 4d87866-4d878bd 910->919 914 4d87808 911->914 915 4d877fc-4d87806 911->915 917 4d8780a-4d87816 914->917 915->917 924 4d87818-4d8781a 917->924 925 4d8781c-4d87823 917->925 934 4d878e9 call 4d8793d 918->934 935 4d878e9 call 4d87940 918->935 930 4d878c9-4d878d7 919->930 931 4d878bf 919->931 923 4d878ec-4d878f1 924->900 925->900 930->918 933 4d878d9-4d878e1 930->933 931->930 934->923 935->923
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9db1ec9eeb903336cba68cb48a86965297d78e4a77254832a5168c77ef6811bf
                                        • Instruction ID: d5b3c15f3c1a3c638b92f4deceec464dbd856cf9b877fde5eec5c6c12bfd9d08
                                        • Opcode Fuzzy Hash: 9db1ec9eeb903336cba68cb48a86965297d78e4a77254832a5168c77ef6811bf
                                        • Instruction Fuzzy Hash: F3519A357042099FD714EB69DC44A7AB7EAFFC8314B2585AED449CB351EB35E802CBA0

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 936 4d8bad0-4d8bb60 940 4d8bb62 936->940 941 4d8bb66-4d8bb71 936->941 940->941 942 4d8bb73 941->942 943 4d8bb76-4d8bbd0 call 4d8afa8 941->943 942->943 950 4d8bc21-4d8bc25 943->950 951 4d8bbd2-4d8bbd7 943->951 952 4d8bc36 950->952 953 4d8bc27-4d8bc31 950->953 951->950 954 4d8bbd9-4d8bbfc 951->954 955 4d8bc3b-4d8bc3d 952->955 953->952 958 4d8bc02-4d8bc0d 954->958 956 4d8bc3f-4d8bc60 955->956 957 4d8bc62-4d8bc65 call 4d8a69c 955->957 962 4d8bc6a-4d8bc6e 956->962 957->962 960 4d8bc0f-4d8bc15 958->960 961 4d8bc16-4d8bc1f 958->961 960->961 961->955 964 4d8bc70-4d8bc99 962->964 965 4d8bca7-4d8bcd6 962->965 964->965
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 18d7bf03a9fc13d3218ae5bb413ad3187bd4804d8a2ab26ad55e4fe6366b7a4c
                                        • Instruction ID: 37c0b63a9a5b86b0e618c9847ae074a70efeaf13c837c229eb7e39a6b1f18cab
                                        • Opcode Fuzzy Hash: 18d7bf03a9fc13d3218ae5bb413ad3187bd4804d8a2ab26ad55e4fe6366b7a4c
                                        • Instruction Fuzzy Hash: A1610475E002489FDB14DFA9D584A9DFBF1FF88310F18812AE819AB354EB34A845CB60
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b899a95c3591710b0e46a3f049db84404498a8a16a8589f184fdec21a4fc606c
                                        • Instruction ID: c9be463516662196830f9d9929b6d7c26664ead54cd418ea2c1a105861f82b09
                                        • Opcode Fuzzy Hash: b899a95c3591710b0e46a3f049db84404498a8a16a8589f184fdec21a4fc606c
                                        • Instruction Fuzzy Hash: 09511675E012489FDB54DFA9D584A9DFBF1FF88310F18802AE819AB355EB34A845CB60
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1476107714.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_7c90000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d6ead5328740fb1889a92b57cad8b12937a4472e464f163c064362c36b72707e
                                        • Instruction ID: 0d62deffff38622afe005ee1344d47db2b9d935d38ff544f84b30e5643d8e78b
                                        • Opcode Fuzzy Hash: d6ead5328740fb1889a92b57cad8b12937a4472e464f163c064362c36b72707e
                                        • Instruction Fuzzy Hash: 7F4127F2B10282DFCFA18F25C5986BABBB29F81614F0540B6D8049F251D736DE85CBA1
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 30b2e5e06d67a9a924f40fafc415b17e2bf7da1c832d5278ec9a17cce48feb4e
                                        • Instruction ID: 9490cfe832e29e5259d8f257c83841610c761e693274153b02d7f697c86ff4fa
                                        • Opcode Fuzzy Hash: 30b2e5e06d67a9a924f40fafc415b17e2bf7da1c832d5278ec9a17cce48feb4e
                                        • Instruction Fuzzy Hash: 17412935B042048FDB14DFA4D858AAEBBF2EF8D715F244099D446AB391DB35EC02CB61
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3c21c96086597ab16a912b832e72725430123edbcb8b985b9f7b3ccc1be697d6
                                        • Instruction ID: 0202a4d75229fd490074ba6cc1544b42f28f7d44daa379a86c3514ba43c8e144
                                        • Opcode Fuzzy Hash: 3c21c96086597ab16a912b832e72725430123edbcb8b985b9f7b3ccc1be697d6
                                        • Instruction Fuzzy Hash: D6412674A006059FCB15DF58C598ABEFBB1FF48310B1185A9D815AB364C736FC91CBA0
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8675b46c44fee57dcf52d92c9ca925441c7fb6090c3981b2dee9b5ad2d21755f
                                        • Instruction ID: da78acca5dcdabd068b9a45188e71faf730dac4aed0314ede84162005e8f0f28
                                        • Opcode Fuzzy Hash: 8675b46c44fee57dcf52d92c9ca925441c7fb6090c3981b2dee9b5ad2d21755f
                                        • Instruction Fuzzy Hash: 293190393002009FD715EB79E884BAAB7A6EFC4211F00852DD609CB351EF75EC06C7A1
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: aa8cd67e461aa0bc20f646959053def118c7f10dd9f443817ae6ea8d7c908877
                                        • Instruction ID: 6a15d1fa5ccf2010d14d4d22e38c303ed4db543cfc440df804a685f14c597ecf
                                        • Opcode Fuzzy Hash: aa8cd67e461aa0bc20f646959053def118c7f10dd9f443817ae6ea8d7c908877
                                        • Instruction Fuzzy Hash: 3E31F835B002158FCB14DFA5C958AAEBBF1EB8D715F2450A8E846AB351DB31EC02CB60
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f3d9f00a25d800ce815e7ddc0c13c692e814c331d8d8266180302544095b9d7c
                                        • Instruction ID: 62671f2e460a2ed73a0e5e24715887f5e72e89e34f7127e2fbe5123c945c333d
                                        • Opcode Fuzzy Hash: f3d9f00a25d800ce815e7ddc0c13c692e814c331d8d8266180302544095b9d7c
                                        • Instruction Fuzzy Hash: 1A312970A002098FDB15EF69D495BBEBBF6EFC8310F14802EE505EB351EA349C018B65
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c0786803c22847d0a20be23e7fb7dcfb21f7c25129c280db590c73f8738cc629
                                        • Instruction ID: b03d08cc681da769233aa48ed4a0ecb33a658a221af97f990f330c0f6e5e4ca9
                                        • Opcode Fuzzy Hash: c0786803c22847d0a20be23e7fb7dcfb21f7c25129c280db590c73f8738cc629
                                        • Instruction Fuzzy Hash: DF3190B8A002489FDB04EFA5D854AFE7BB6EF85300F10846ED110AF3A5DA399D01CB55
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 14c166b5660da5568f0c49e61e7561a4bdf8f03c538d00b59b8022429fd49363
                                        • Instruction ID: 1754b8e4e133d9bfc85eb617d8633abc34649e3330a8ef7975244888bdc99d12
                                        • Opcode Fuzzy Hash: 14c166b5660da5568f0c49e61e7561a4bdf8f03c538d00b59b8022429fd49363
                                        • Instruction Fuzzy Hash: 5A313874B002098FDB15EFA9D4947BEBBF6EFC8240F14802EE505EB351EA349C058B64
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e9b1b3549e295e1a3e6f6e32efdefc0db97fae56bc220da90e92b3d915892af0
                                        • Instruction ID: c5e643b2685f880b8ceb79593d6347de5cdb2cd7056d921e7fe801cfe72dd7d0
                                        • Opcode Fuzzy Hash: e9b1b3549e295e1a3e6f6e32efdefc0db97fae56bc220da90e92b3d915892af0
                                        • Instruction Fuzzy Hash: ED21A175A043588FCB14DFAAE4007AEBBF5EF89320F14846EE418E7340CA75A905CBA5
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 49c9c6a25e1a44467d85b8eb56f8e64ebcbdd0f10cdb2a1416c46a85a1e64c4e
                                        • Instruction ID: 6b9d2b47abd40de3ee1f5e67451336dfcabd525b1bc55ff41d48f64196d67ef4
                                        • Opcode Fuzzy Hash: 49c9c6a25e1a44467d85b8eb56f8e64ebcbdd0f10cdb2a1416c46a85a1e64c4e
                                        • Instruction Fuzzy Hash: F7315EB8E002089FEB44EFA5D854AFE7BB6EF85300F10846ED151AF394DA399D018B94
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453005234.00000000034CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 034CD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_34cd000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 442a4fd6b6b8887fa2b421a2c1f196bc06ac0e8e8e1ee20e33a9234522138444
                                        • Instruction ID: ef7ff99f1d2145a857a4e5b26f69c247892705b5314e0ad64baa50aba01d3549
                                        • Opcode Fuzzy Hash: 442a4fd6b6b8887fa2b421a2c1f196bc06ac0e8e8e1ee20e33a9234522138444
                                        • Instruction Fuzzy Hash: 6C212379514340EFCB44CF50D9C0B16BB66EB88214F24C5AEE9090E252C33AC45ACBA9
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 84651ec50e849a34442775c03a43ab09ba7467e2b68c26b631f095650ad14931
                                        • Instruction ID: 44efe9db2ab940aee09500507f5563bb96a6d353f86b67ddf2ee2ad551319eed
                                        • Opcode Fuzzy Hash: 84651ec50e849a34442775c03a43ab09ba7467e2b68c26b631f095650ad14931
                                        • Instruction Fuzzy Hash: BD319CB4A013448FDB60DF6AD0883AAFFF2EF89310F28849ED48D9B215D774A445CB65
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453005234.00000000034CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 034CD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_34cd000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2764ae2b06e6e0836093415271ee4b529cba1a8db74bfa6e328e69415dbc3ff7
                                        • Instruction ID: 4d59c48c8cb3aea32d8c510a2328d3b54329535f4b9c373b72c65ab260468656
                                        • Opcode Fuzzy Hash: 2764ae2b06e6e0836093415271ee4b529cba1a8db74bfa6e328e69415dbc3ff7
                                        • Instruction Fuzzy Hash: 40212279514280DFDB54DF24D9C0B16BBA6EB84714F24C5AED80A4F342C33AD84ACB66
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a320e6194f1c0d33bf9cc2766efa64a915c86d58a491b3b8205005516a4def29
                                        • Instruction ID: 8e5c96d524dd3263944653d7acc84827b2ab1acfa7c6026c4116941dd13e1b4a
                                        • Opcode Fuzzy Hash: a320e6194f1c0d33bf9cc2766efa64a915c86d58a491b3b8205005516a4def29
                                        • Instruction Fuzzy Hash: FD217EB4A017448FDB60DF6AD0883EAFBF2FB89310F28C45ED49D97205D77464418B65
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0382b14b0cde88bc52f3019ebff48b20d3d596e2ee8318c1057c91f66f6a7fd0
                                        • Instruction ID: c37c91ff5f5db039168925159686f318effea5dcd6e14a8a8b105c92d9596145
                                        • Opcode Fuzzy Hash: 0382b14b0cde88bc52f3019ebff48b20d3d596e2ee8318c1057c91f66f6a7fd0
                                        • Instruction Fuzzy Hash: DE111F7AB001188FCF14DBA9D840AED77F6FBC8715B1440A9E509DB310DB34EC068B90
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f761f39d5c185f50702c6e4c076bfb0ec70c0c5dcf11165398c1cbb3f1366c33
                                        • Instruction ID: 8c1137b49fee5b8657ba3403edfd54d59c6416dfe26baf1c65af32346c6aa031
                                        • Opcode Fuzzy Hash: f761f39d5c185f50702c6e4c076bfb0ec70c0c5dcf11165398c1cbb3f1366c33
                                        • Instruction Fuzzy Hash: 6611CA35B04244CFCB15DB64E8458ECBBB1EF89320B1584ADE455DB362DB31AC16DF61
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453005234.00000000034CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 034CD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_34cd000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cec652083d875b15267482a4806cf92d2830ce69a7e1a418b01774896923d323
                                        • Instruction ID: 185d7e2a54961fe8cc272f235d4b91a2a88c1dbfd4a3090a9c927255a55a4f77
                                        • Opcode Fuzzy Hash: cec652083d875b15267482a4806cf92d2830ce69a7e1a418b01774896923d323
                                        • Instruction Fuzzy Hash: 00216A7A504280DFCB06CF50D9C4B56BF72FB88314F28C5AED9494E656C33AD46ACBA1
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f55858f5f012c5b044dc5a7e7f759ae8cf2dd12eb691338e05ec978fe3e56c99
                                        • Instruction ID: 76e8b442ded7521529411b233e9e55ae8e931fbdf2c9b61eea6366ef4fe860fb
                                        • Opcode Fuzzy Hash: f55858f5f012c5b044dc5a7e7f759ae8cf2dd12eb691338e05ec978fe3e56c99
                                        • Instruction Fuzzy Hash: 1B0149357002509BC705AB5EE8008ADB7BBDFC9220700846FE409DB391DF61AC05C7E5
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453005234.00000000034CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 034CD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_34cd000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d546771ad39d2b39eae4d47c8fd2747dfff2c820a11f06dee2d413c70bed4b17
                                        • Instruction ID: b96146d7f07b44bc95af4556d81f442a722122264290c9d2a76521b3ef534bcc
                                        • Opcode Fuzzy Hash: d546771ad39d2b39eae4d47c8fd2747dfff2c820a11f06dee2d413c70bed4b17
                                        • Instruction Fuzzy Hash: F11179795042809FCB15CF14D584B16BFA2EB84628F28C6AED8494F756C33AD44ACB62
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3639169d0e31fccff7cdc9f21d2d13052544d76a051ecf748fe7f4382dfbd9f5
                                        • Instruction ID: 420c5facc6c52f7d1b4be8234c17eb37e208ac5f641ea534dd2c4db2ff6b5301
                                        • Opcode Fuzzy Hash: 3639169d0e31fccff7cdc9f21d2d13052544d76a051ecf748fe7f4382dfbd9f5
                                        • Instruction Fuzzy Hash: 25116D316083449FD718DB76D498A6A7BF5EF4A210F1488AEE08ACB6A2DA31F845C741
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 804072b90fc791bf8fbed0c56b26c5024095bbec9a0c09f79af8f08b9df7da6f
                                        • Instruction ID: d23bceff564ac7603aff1896dfd5810316714e44052a5d44835b0776e319d13c
                                        • Opcode Fuzzy Hash: 804072b90fc791bf8fbed0c56b26c5024095bbec9a0c09f79af8f08b9df7da6f
                                        • Instruction Fuzzy Hash: 58014C36B002149FCB11AB74E848AAEBBF6FBC8315B14406DE51AD3242DB32A911CB91
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c0dc7a9756ca49e980fcf78a1a2bf03105802d5c774d908c67a133f6b8a3da41
                                        • Instruction ID: 2cb18350c6f73dbb254e4a5e2b87e481fc81047a367df55bf237b50addc8c0ff
                                        • Opcode Fuzzy Hash: c0dc7a9756ca49e980fcf78a1a2bf03105802d5c774d908c67a133f6b8a3da41
                                        • Instruction Fuzzy Hash: 97110935204750CFC729DF75D440896BBF6EF8921572089ADD08A8BBA0CB32E845CB50
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453005234.00000000034CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 034CD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_34cd000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5577281c45c4ec46443e4c99c4635fe921a298be4ff86330cd5c98393ab65800
                                        • Instruction ID: 46eb02ad8ab3b060e6642542deb1adab9e7249ebe19fbecf8b296fa7fefd959b
                                        • Opcode Fuzzy Hash: 5577281c45c4ec46443e4c99c4635fe921a298be4ff86330cd5c98393ab65800
                                        • Instruction Fuzzy Hash: 7401407140E3C09FD7228B258D94B52BFB8DF47224F1D81DBD8888F2A3C2695844C776
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453005234.00000000034CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 034CD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_34cd000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9029613f2fb21730b0577d7b925821a1c5d1e5f3c85c54068a9e5eaa2ef90b53
                                        • Instruction ID: 2a4821b2d5a1288348f0edbf4be241cd2fd987f0b9d20cba078af76a9af8d10f
                                        • Opcode Fuzzy Hash: 9029613f2fb21730b0577d7b925821a1c5d1e5f3c85c54068a9e5eaa2ef90b53
                                        • Instruction Fuzzy Hash: A401F7358043809FE760CA1ACD84B67FB98DF42228F08847FDC580F243C3789442CAB9
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f57e363524201bce408119affbd44f9fb804644e63ed1d5db8e167c6a602b60e
                                        • Instruction ID: a99638792f6e4f1b56d4a9f4dd13996e5fc14046d10d7c749d00e6f618e2152f
                                        • Opcode Fuzzy Hash: f57e363524201bce408119affbd44f9fb804644e63ed1d5db8e167c6a602b60e
                                        • Instruction Fuzzy Hash: 1CF0AF317093A06FD7118A6A9C5497B7FF9EF8A25070544ABF884CB362DA70CD00C760
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 036d9f8c155c5d73508fcf4d3c115909176d08f2f1d9791e82c0bc9f73c13df6
                                        • Instruction ID: 11cdff616db094c145f8de7267c09c5a8718ea7e1a06d0cebf035b94907c50d1
                                        • Opcode Fuzzy Hash: 036d9f8c155c5d73508fcf4d3c115909176d08f2f1d9791e82c0bc9f73c13df6
                                        • Instruction Fuzzy Hash: 96F046B67053405FC7219A65EC80ABF7BF9EB89225700062EE08AC7341DE349C068B71
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: db386f615b9af31ed5bc0c555f5d1661344d86370e6c8851d3c7ffa451276134
                                        • Instruction ID: 369ad650b0a11599271b524b15dd08694676673d413da7e35643d0c7056d3c2c
                                        • Opcode Fuzzy Hash: db386f615b9af31ed5bc0c555f5d1661344d86370e6c8851d3c7ffa451276134
                                        • Instruction Fuzzy Hash: F3F0C2766043505FD721AB65F880ABE7BF9EB8A225710052ED089D7641CA35AD068B71
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bf3256c47a1edc75e82e8e964d0b0ac0cbd0755fa2797d5e6122edb6607e61e9
                                        • Instruction ID: 8c35a7fdee606293e36ead99857e621e4aba72468142de87e82b96be27b9267a
                                        • Opcode Fuzzy Hash: bf3256c47a1edc75e82e8e964d0b0ac0cbd0755fa2797d5e6122edb6607e61e9
                                        • Instruction Fuzzy Hash: 26F0FF396042048FD712AF69C0183AA3B71EFC6314F0081AED6458F3A6CE392806CBA5
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453005234.00000000034CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 034CD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_34cd000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: eea8e1f3c3c5af6fab42cdeeafe737d863663affe3e1d8c9c52b96ed17d33dee
                                        • Instruction ID: a174bd3e59c21ecfc01e09ddfec7921bffc702c4df3ef5369dbf96daaa0b8304
                                        • Opcode Fuzzy Hash: eea8e1f3c3c5af6fab42cdeeafe737d863663affe3e1d8c9c52b96ed17d33dee
                                        • Instruction Fuzzy Hash: 1DF0497A600640AFC760CF0AD985C23FBBDEBC5630319C06AE85A4B712C631EC42CEA0
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6f57715b8d3954cc8d3cc465a761ed6ef191d5697a0938ccb8b0d9697a8cdcaf
                                        • Instruction ID: 484e5e7d26da031aa941fdc677410458896ff768a557fd3756b95fdb7d42d51a
                                        • Opcode Fuzzy Hash: 6f57715b8d3954cc8d3cc465a761ed6ef191d5697a0938ccb8b0d9697a8cdcaf
                                        • Instruction Fuzzy Hash: 19F09A343042408FC7129B29E45486ABBF1EFCB61131A05DEE485CF372CA61EC02DB50
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453005234.00000000034CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 034CD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_34cd000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 67ecb8e0852834fa2fb5492489bf179d648e48725fe89e9fae2fcf2937fe427e
                                        • Instruction ID: c45b27c1bb7ae1d5952803d0a7f47c91ade82aca8f2164c7c3fe6209aa391e03
                                        • Opcode Fuzzy Hash: 67ecb8e0852834fa2fb5492489bf179d648e48725fe89e9fae2fcf2937fe427e
                                        • Instruction Fuzzy Hash: 95F0F979510680AFD765CF06C985D23FBB9EB8A620B19849DE85A5B712C631FC42CFA0
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ae14c8900aa3f11d1a8b6a79bac41021c64751b6bde71da54676242109d43247
                                        • Instruction ID: de30cdc73057127be8a14a4336ebc3f194c38360edeaa9835aa5f1981e6abcb4
                                        • Opcode Fuzzy Hash: ae14c8900aa3f11d1a8b6a79bac41021c64751b6bde71da54676242109d43247
                                        • Instruction Fuzzy Hash: D3F0A0767007149FD724AA6AE884A7FB7F9EB88669B00052DE14AD7340DF34AC0187B5
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a2e13c0287084f33cf6d994cc7b7626a339e8007508dec33306668173076266c
                                        • Instruction ID: ba85bb924a2a8cc4d20c99bd5bc9d36173083d1f1a3a232f6ee968d4dc96190a
                                        • Opcode Fuzzy Hash: a2e13c0287084f33cf6d994cc7b7626a339e8007508dec33306668173076266c
                                        • Instruction Fuzzy Hash: 2EF01279B001148FDB10EA6D98406AA77A6FBC87557254199E909CB314DF24DC068B91
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6bf67cd38fbb81918eec42b5826a3ce2395309abe4fa2b13482c45ad2e581bbf
                                        • Instruction ID: 9742bced31f21e0d2385f9e89bc49e57a5a58e866385b4b2d9ad2c83f1643c0a
                                        • Opcode Fuzzy Hash: 6bf67cd38fbb81918eec42b5826a3ce2395309abe4fa2b13482c45ad2e581bbf
                                        • Instruction Fuzzy Hash: 59F0E2797002048BE714BF69C0487EB7BA6DFC4315F10813EC6099B385CE3E68068BE4
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: be4e72666d4f822db5ae1a33864f559ebe6ff7741d3a4183d80728a5d90ef451
                                        • Instruction ID: b6fad852cc1b34608b6fe4b12b0887504c7f0a2b0202245d429dc5fdfd9f0ff7
                                        • Opcode Fuzzy Hash: be4e72666d4f822db5ae1a33864f559ebe6ff7741d3a4183d80728a5d90ef451
                                        • Instruction Fuzzy Hash: 90F0BE74A0A3408FD3619F78D4A83AA7FB0EF41310F00489EE099CB292DB786881CB61
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 42e4cf06c765a963dab42d0b5162d5e07167ba902b4367a51cfa736f5c0a6417
                                        • Instruction ID: df369c68dd539b0bde71a914ac8dc20ad72e5fab2a1d9f3bb1bb546835802efe
                                        • Opcode Fuzzy Hash: 42e4cf06c765a963dab42d0b5162d5e07167ba902b4367a51cfa736f5c0a6417
                                        • Instruction Fuzzy Hash: C8E06D357001118F87109B1DD444C26B7EAEFCEA1131504ADE545CB725CA61EC018B90
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8482a030b34d4e7b8a95b0d73ebb9a360e3f6ffd64c0c4c833b649c6fe7ff76d
                                        • Instruction ID: 43a311846f43431652861dcc0942eee6e68a4570d0e8d80af1fd51c8ac2bbc6e
                                        • Opcode Fuzzy Hash: 8482a030b34d4e7b8a95b0d73ebb9a360e3f6ffd64c0c4c833b649c6fe7ff76d
                                        • Instruction Fuzzy Hash: 1EE092213183915BC716A629A8104657B77DFC722030944FBF040CF356DD51AC02C3A1
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c048ac82506c1f7872f471f1dc9f4fc8b0938daa5abd0031a2f0ebd4543872f5
                                        • Instruction ID: 454b20d19cf0c980327c5b6faf248c8700adda81d603aebcca1d1b5e19b51eec
                                        • Opcode Fuzzy Hash: c048ac82506c1f7872f471f1dc9f4fc8b0938daa5abd0031a2f0ebd4543872f5
                                        • Instruction Fuzzy Hash: CCE02B227411114B265871FA185477776CFCFD44A53C100BDEB05C7341EC10EC0643F0
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2d02163e3963f04801e53f53f7be21f6533d53600f2318ba0fa1396dfb6447cb
                                        • Instruction ID: 846b7ff37ee4fbd1428fa9b188f63611447ad5df39a86497199c5ffd56adf261
                                        • Opcode Fuzzy Hash: 2d02163e3963f04801e53f53f7be21f6533d53600f2318ba0fa1396dfb6447cb
                                        • Instruction Fuzzy Hash: 08F0ED749043049FD764DF79D49C7AA7BE5FB44350F00486DD55ED7240DB39A8818B90
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9ebd4cfc2839f8e7ea071c7861ab338563e795238f4c85f6c834421fc910e68c
                                        • Instruction ID: 1a6414baaff2b49a5eea8e207562c3da35d08911d28521d6bc5824408fe4a245
                                        • Opcode Fuzzy Hash: 9ebd4cfc2839f8e7ea071c7861ab338563e795238f4c85f6c834421fc910e68c
                                        • Instruction Fuzzy Hash: 6BE0263930461487CB093B79A40C2EE7B5AEBC4735F00002FD60AC7341CF38680287E9
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6dce90201fa4745a5081a845e4cd898016a424de1e4d06b09f3efe29a371985e
                                        • Instruction ID: 9e209e2fe7a050276c777b07e1b84dd54db189eaccf323151d8d17958b1fb2f6
                                        • Opcode Fuzzy Hash: 6dce90201fa4745a5081a845e4cd898016a424de1e4d06b09f3efe29a371985e
                                        • Instruction Fuzzy Hash: 8FE0D8357005508BDB0D7B34904C2EE7B62EBC4325F00002FD516C7341CF7868028795
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7fceec83c15fac62dc080a9a5a2a2f9255f07d058e8abd44056c1b45c3d1fb80
                                        • Instruction ID: a70ff9ec4c1a164a237765f33910011f479ef3e2ef054f5cb7d1255c3f00ee63
                                        • Opcode Fuzzy Hash: 7fceec83c15fac62dc080a9a5a2a2f9255f07d058e8abd44056c1b45c3d1fb80
                                        • Instruction Fuzzy Hash: F6D05E123411254B265470BA181477BA5CECBD44A57C600BEEB09C3242EC40EC0653F1
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 15e57fd4bde840cc08bccf61c8d57a5caebc1b76f664c8b147d27c2f542f501a
                                        • Instruction ID: d6258feb861d4a1db4500bd5724219b88adfbe8ed7f6c07bb033be43c5cb6447
                                        • Opcode Fuzzy Hash: 15e57fd4bde840cc08bccf61c8d57a5caebc1b76f664c8b147d27c2f542f501a
                                        • Instruction Fuzzy Hash: 52E08635700714474215761F680085EB7ABDBC5561310402ED0598B780DE64EC0147D5
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                        • Instruction ID: 210d4c3f17ebf1e9ef8b3a1e828a1a344429ff729130c2c0013c827bcf231544
                                        • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                        • Instruction Fuzzy Hash: 7AE08631B00014978B089599D8504E9F7A5DBCC224F04847ED95AE7740EA32A91A8AE1
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b655fe14595a0d9c1944d0713c4178ae6ed38991f464c70e72dbaedcd89a5ae9
                                        • Instruction ID: 6098aa8a8197637c30b6ff34f8587ba6c82ee5edecf2668ce7da8cb6138a3e98
                                        • Opcode Fuzzy Hash: b655fe14595a0d9c1944d0713c4178ae6ed38991f464c70e72dbaedcd89a5ae9
                                        • Instruction Fuzzy Hash: ECE01A34804209CFCB0ABFA4E8194ADBB30FF55301B4001ADE556872A1EB301946CBC5
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cd915edbe81837cf3d486ca560e04fcea001ad3a7453cbad93f6e00cba919d9e
                                        • Instruction ID: 089602c854160fc72663c3a1b3d1c8e5a979a85e76cf5865f498eff839df1029
                                        • Opcode Fuzzy Hash: cd915edbe81837cf3d486ca560e04fcea001ad3a7453cbad93f6e00cba919d9e
                                        • Instruction Fuzzy Hash: 65E04F35A1924ACFCB09EFA4E18546ABFB0EF5A205B0045A9E85597355EB305844DF81
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0116aaf0b36ad0c99f6e367c8593ee872b8b7175d1c89ccfc9eb53a3f38f06a7
                                        • Instruction ID: d63ef2863502bb4b629b2b0952168e11b67f8bfd795b5557d9265140987810f7
                                        • Opcode Fuzzy Hash: 0116aaf0b36ad0c99f6e367c8593ee872b8b7175d1c89ccfc9eb53a3f38f06a7
                                        • Instruction Fuzzy Hash: 3EE01A70E0014A9F8784EFB985511AEFFF0AB49200F2085AE9908D7211E63186418B81
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                        • Instruction ID: 2cf9b9ba883f8c5eef790ca98c0c00631f2c95d999cabcd55801cca1ab79fe80
                                        • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                        • Instruction Fuzzy Hash: 98D067B1D042099F8780EFADC94256EFBF4EB48204F6085AE8919E7311F7329A128BD1
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d50d2e286a3f81e72b7f93d651b9e710735a3993931b517908d6cf3105665c2e
                                        • Instruction ID: 5d9294e7a119f94188ef0ddd7dcd75a40eb36071c6e2fa83431e5e243dbb7b4e
                                        • Opcode Fuzzy Hash: d50d2e286a3f81e72b7f93d651b9e710735a3993931b517908d6cf3105665c2e
                                        • Instruction Fuzzy Hash: 34D06731D0410A8BCB0CBBA5E85A4BDBB74FA54301F40416DEA2792291EB316A5ACAC5
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9861502a2e391c664fb7eb74da4c52ca66c06621f1802bf4a5fa8a3b526b56eb
                                        • Instruction ID: 486c9827fffe04b3947d8cd3a4c6be8b78d555df6239f3f26a3c5b9ab3891f18
                                        • Opcode Fuzzy Hash: 9861502a2e391c664fb7eb74da4c52ca66c06621f1802bf4a5fa8a3b526b56eb
                                        • Instruction Fuzzy Hash: DBD01734A0820A8B8B08EFA4E44686EBFB4EB89201F004169E949D3340EB306801DBC1
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5e01eb0a4ec263ff4f21c0559cdbb8c7f81aa6750889c553b19005b53971b31f
                                        • Instruction ID: f3d6d2ee46ae5c9d52b774d2418f1903f002efce5b11b9175677f2d6644103b7
                                        • Opcode Fuzzy Hash: 5e01eb0a4ec263ff4f21c0559cdbb8c7f81aa6750889c553b19005b53971b31f
                                        • Instruction Fuzzy Hash: 71C02BD78283C00FEF02C2304C61244BF7045C310634701C2D8A0DB1A2C824C802CB71
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e261ee04f53ae8e8b9c610d48ab75348698a945e7f399ff8b25fdd52e60ba750
                                        • Instruction ID: 5db983d526bfa755a1e825a2c7190de4e1cdb41d15d1586ac42ac1d5b29a5ec8
                                        • Opcode Fuzzy Hash: e261ee04f53ae8e8b9c610d48ab75348698a945e7f399ff8b25fdd52e60ba750
                                        • Instruction Fuzzy Hash: 26C04C340453449BC7559F79A0D48597B36EA5126971405ACE80A5B6528A72D84ACF04
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: eb9b23dcfcbf7c393f2699e350cdbd0f46173aaf77dfc42039fff9254c12b1ac
                                        • Instruction ID: 52862e1ed5e6d4eba25b09e83b6ac1750ed5b504afab85c4e1829a2baea8df67
                                        • Opcode Fuzzy Hash: eb9b23dcfcbf7c393f2699e350cdbd0f46173aaf77dfc42039fff9254c12b1ac
                                        • Instruction Fuzzy Hash: 83B09230044708CFC2586F79A454919773AEB4021978004A8E80E0B2928F36E885CB44
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.1453619528.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_15_2_4d80000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: bn^$bn^$bn^$bn^
                                        • API String ID: 0-672548025
                                        • Opcode ID: f0d317e515babba3c6384b6ca114539acfefe40e05c8ee90d74b55e50ed9dbc0
                                        • Instruction ID: 13b44672bc2cc4109f5475171bc489601bbb06b93da683cb2030ae6694e831ff
                                        • Opcode Fuzzy Hash: f0d317e515babba3c6384b6ca114539acfefe40e05c8ee90d74b55e50ed9dbc0
                                        • Instruction Fuzzy Hash: A2413025A0E3C04FD7179B3C98A49963FF5AFA729471A40DBD0C4CF2A3D9189C0AC766
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.1617053424.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_4b40000_jsc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 68742ccf36cf720351f873bf6653fe17fdb257fe452f71199917a281deacc25f
                                        • Instruction ID: 1e01e445487ce53227e5ff7c48cd33a7ae398135774f96fcc0cdc2d18f8a6321
                                        • Opcode Fuzzy Hash: 68742ccf36cf720351f873bf6653fe17fdb257fe452f71199917a281deacc25f
                                        • Instruction Fuzzy Hash: 8BE1AE387103009BDF18BB78E4B583E3BA7EBCD715749692AA4169739CDE3C9C42DA50
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.1617053424.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_4b40000_jsc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c307e602d3fc87afd739ba60800b0a01178cf9364ac3521be5164f709d3a2d67
                                        • Instruction ID: 92cb85213b62e0a5bb71836f0ab690992046832c5ab6c043254db08511cfef13
                                        • Opcode Fuzzy Hash: c307e602d3fc87afd739ba60800b0a01178cf9364ac3521be5164f709d3a2d67
                                        • Instruction Fuzzy Hash: AEE19E387103009BDF18BB78E4B583E3BA7EBCD715749692AA4169739CDE3C9C42DA50
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.1617053424.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_4b40000_jsc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a96a36ba129cf0f99818a704ba0c76ee1e4588f68662f8cef013b334f437c7a4
                                        • Instruction ID: c291f644b81725a89a33f137ac56fc5ebd90ef6168f3ace6c119274f46f449a6
                                        • Opcode Fuzzy Hash: a96a36ba129cf0f99818a704ba0c76ee1e4588f68662f8cef013b334f437c7a4
                                        • Instruction Fuzzy Hash: B8615270F002145FEB14EB79C86476EBAEBABCC310F148529E40AE7784CE789D029794
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.1617053424.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_4b40000_jsc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bf2368daf7b228d805f8556861b6b19ffbeffc69ad3a8bda4c521e76a4ee897a
                                        • Instruction ID: 19466688ab7083b056ba16ca797d11879e4ef2658cb81375016819c93188153b
                                        • Opcode Fuzzy Hash: bf2368daf7b228d805f8556861b6b19ffbeffc69ad3a8bda4c521e76a4ee897a
                                        • Instruction Fuzzy Hash: 45613370F003155FEB14EB79C86476E76EBABCC310F148529E40AE7784DE789D0297A5
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.1616322696.0000000002410000.00000040.00000800.00020000.00000000.sdmp, Offset: 02410000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_2410000_jsc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6150c2f8d0e2cb86ca81eeb3f285dbe10cd8b9534374a787b6bc371f7c941fce
                                        • Instruction ID: ff78dd2f2203509de2766a7e8766056413457bdcd7bb8c842e0301aa6a7a75b3
                                        • Opcode Fuzzy Hash: 6150c2f8d0e2cb86ca81eeb3f285dbe10cd8b9534374a787b6bc371f7c941fce
                                        • Instruction Fuzzy Hash: 9131C234B002048FDB24EB79C960B6A7BF6EF89310B10957ED40ACB766DB359C41CB91
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.1617053424.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_4b40000_jsc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1afbf08e7bf17269d1b9b071ddfbba758c725de5bbbac49b4f55e47775691633
                                        • Instruction ID: 25ea49b71af6cd98d5e2c19b233bdb5a33407069cf2bd0f7ae7ad8674d453d2b
                                        • Opcode Fuzzy Hash: 1afbf08e7bf17269d1b9b071ddfbba758c725de5bbbac49b4f55e47775691633
                                        • Instruction Fuzzy Hash: C1515B30B002448FEB18EB69C454BAD7BF2EF89314F1540A9D506AB3A1DB75ED01DBA1
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.1616322696.0000000002410000.00000040.00000800.00020000.00000000.sdmp, Offset: 02410000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_2410000_jsc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a9456d6db22b736137731d028791fc8501cf70ff781581f437fe097398760897
                                        • Instruction ID: 05f3fe362a8e4834ddac2667782afa9bfb9c66a0b9f9b0f730b7e8952eeb6d26
                                        • Opcode Fuzzy Hash: a9456d6db22b736137731d028791fc8501cf70ff781581f437fe097398760897
                                        • Instruction Fuzzy Hash: 04317A34B002048FDB24EB79C960B6A7BE6EF89710B10946DD40ACB765EB359C428B91
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.1617053424.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_4b40000_jsc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dbd67b1b02b67e85786c7cccc65f028bf851e76b58dce01f6d92ae2c78b9f0f2
                                        • Instruction ID: e68fbb19b4fa15f812a62dfd59033125ecf2dda597f66e7cfeae0e1db29a81d3
                                        • Opcode Fuzzy Hash: dbd67b1b02b67e85786c7cccc65f028bf851e76b58dce01f6d92ae2c78b9f0f2
                                        • Instruction Fuzzy Hash: 9821A471F00214AFDB14DE7DD880AAEB7E6EBC8710F144166E519E7344D631AD4297E4
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.1617053424.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_4b40000_jsc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1fe314c233077c4c6686e11a7644d4783d5a2acdd7232783f401eec60cb15f75
                                        • Instruction ID: 8da9ee7e88b00d5dd3e879415779fd68a4eb8d8cf7bc0c6dcb28aceef6952663
                                        • Opcode Fuzzy Hash: 1fe314c233077c4c6686e11a7644d4783d5a2acdd7232783f401eec60cb15f75
                                        • Instruction Fuzzy Hash: F2210574A402198FCB44EF79C444A6EB7B1EF88710B1185A9E90ADB361DB35AD42CF91
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.1617053424.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_4b40000_jsc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 30b8d6c6f9d405273e7bf6f5d8b15205db8089e93757ef9da7f6989613adb1f0
                                        • Instruction ID: d30754c7571a113ab4a15250a780bd1a4591716edfe57e25b3d1f2da250cbda7
                                        • Opcode Fuzzy Hash: 30b8d6c6f9d405273e7bf6f5d8b15205db8089e93757ef9da7f6989613adb1f0
                                        • Instruction Fuzzy Hash: 8311E931A041448FDB19DB69C454BCEBBF1EF88314F0580E5D404AB352DB76EE068BD1
                                        Memory Dump Source
                                        • Source File: 00000014.00000002.1617053424.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_20_2_4b40000_jsc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d56d26e36b4da15ec6de4b11f3bfa078df4f004b592f3c81e79c315ec660100d
                                        • Instruction ID: 9d23aa91eb5cc8c031c98714c4e2b830de8c28a09c0735cffc7dfe80c9f0fc96
                                        • Opcode Fuzzy Hash: d56d26e36b4da15ec6de4b11f3bfa078df4f004b592f3c81e79c315ec660100d
                                        • Instruction Fuzzy Hash: F511FD74B401148FCB58EF78C084A6DB7B1AF88725B1180A8E906DB371CA35EC42CBA0
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1697784925.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_4c40000_jsc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e9484678f6575d32d3f8bc2374d26ef89a4a0550e46792e0c5b166aba4148261
                                        • Instruction ID: a35b7a2a26cbc59009431823a35dc9775e10ee2483367c56e5cb16e71f24586c
                                        • Opcode Fuzzy Hash: e9484678f6575d32d3f8bc2374d26ef89a4a0550e46792e0c5b166aba4148261
                                        • Instruction Fuzzy Hash: A302ED387103008BDF19BB78D4B992A3BE7ABCD3157455929A4029739DEE389C83DF64
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1697784925.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_4c40000_jsc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a4697ae7a6e1a63e4433aeea3eb7847d169ed4bb9e10c67cef0213632da1dcef
                                        • Instruction ID: ca4b034baafeb250387be2f4a1de0aaed59cc63ba75819d816724dc5f56a9a98
                                        • Opcode Fuzzy Hash: a4697ae7a6e1a63e4433aeea3eb7847d169ed4bb9e10c67cef0213632da1dcef
                                        • Instruction Fuzzy Hash: 0CE1DC387103009BDF19BB78D4B993A3BE7ABCD7157446D29A4025739CEE3898839E64
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1697784925.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_4c40000_jsc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fc3e3340123c8fb3f41a07170cf378f316224a78440b5883432cfd7936c37943
                                        • Instruction ID: 8523fdb29b296644d9b53ae1045c2a24f4f0d53e4554ef04797aabd9a5b48225
                                        • Opcode Fuzzy Hash: fc3e3340123c8fb3f41a07170cf378f316224a78440b5883432cfd7936c37943
                                        • Instruction Fuzzy Hash: 0CE1DD387103008BDF19BB78D4B593A3BE7ABCD7157456D29A4029739CEE3898839E64
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1697784925.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_4c40000_jsc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b24965e6d9382369bd4395618ca34b9248bb0561d667bfc597733a443a34c896
                                        • Instruction ID: 3b1423c6bca762d6df6cc09c545f82eb895b45bf0abd1f24c8d8159fbd7a2222
                                        • Opcode Fuzzy Hash: b24965e6d9382369bd4395618ca34b9248bb0561d667bfc597733a443a34c896
                                        • Instruction Fuzzy Hash: 5F617270B003149FEB14EB7AC864B6F76E7ABCD300F148529E40AE7794DE789D428B94
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1697784925.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_4c40000_jsc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b9dc0e9a6423067921c650f4c5799696700af6eb9ac985b9d99f3c199ccc259c
                                        • Instruction ID: ab19a791e48bc5dad19314796e1e2b480c994e0b02555f741b4126aaab9e8bde
                                        • Opcode Fuzzy Hash: b9dc0e9a6423067921c650f4c5799696700af6eb9ac985b9d99f3c199ccc259c
                                        • Instruction Fuzzy Hash: 0D616174B003149FEB15EB79C86476E7AF7ABCC300F148529E40AE7794DE389D428B94
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1697784925.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_4c40000_jsc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 286129424dc875673fbb3f7fecc331270618104929c383a49e85977860cf8ee2
                                        • Instruction ID: ccec5fad1245d068fa05cc3c7d0d8e414f6dcea9154c71cc96da9a601b462b51
                                        • Opcode Fuzzy Hash: 286129424dc875673fbb3f7fecc331270618104929c383a49e85977860cf8ee2
                                        • Instruction Fuzzy Hash: 13615170B002149FEB15EB7AC864B6F76E7ABCC300F148529E40AE7794DE789D428B94
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1696481394.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_b00000_jsc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f5edd290a9d897bfcd3439a682d4ec766a0e9cf44f96db8b5e9130dc33b9166a
                                        • Instruction ID: f9f5f83e0e047e6dc38a3c91b32f936da896c899e3ba37e716d26a19600197fc
                                        • Opcode Fuzzy Hash: f5edd290a9d897bfcd3439a682d4ec766a0e9cf44f96db8b5e9130dc33b9166a
                                        • Instruction Fuzzy Hash: 6A317E35B002048FDB24EB79C854A2A7BE6EF89710F1185B9D10ACB7A6EB359C01CB91
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1697784925.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_4c40000_jsc.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 596727677fc5d1bb3ff558c2eead645f37bf8e7f32401a51f95083eaac04cf84
                                        • Instruction ID: 009afd20de722a0f0f183df826bd60ee4cd7af5aba70fa1f737a174a06012e65
                                        • Opcode Fuzzy Hash: 596727677fc5d1bb3ff558c2eead645f37bf8e7f32401a51f95083eaac04cf84
                                        • Instruction Fuzzy Hash: 91118131A052848FD70ACB69C554788BBF2EF99314F0681EAC045EB663DA759E0ACB91
Memory Dump Source
• Source File: 00000016.00000002.1697784925.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_4c40000_jsc.jbxd
Similarity
• API ID / String ID / API String ID: none recorded
• Opcode ID / Opcode Fuzzy Hash: 54f17ca50257edc49037cf3935b0126c93fbf1d81c6b79981bb3cb7187736b9a
• Instruction ID: 5e32b3b8658cc51560e162e1c872b3158fd39362d92ff0dbd5f993198fafe11e
• Instruction Fuzzy Hash: 6E517C34B002448FEB18DB6AC554BADBBF2EF89314F1540A8D502AB3A1DB75EE05CB91
Memory Dump Source
• Source File: 00000016.00000002.1696481394.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_b00000_jsc.jbxd
Similarity
• API ID / String ID / API String ID: none recorded
• Opcode ID / Opcode Fuzzy Hash: c5299f2d65163f1ae81d3b76eb58d1697a10962f4d35f35fc21d165c7c37b6c9
• Instruction ID: b154a35bc5a726fc93e20720884f66886edcb7baca692a086a6c5150b858a675
• Instruction Fuzzy Hash: 37314E34B106048FDB64EB79D954B2A7BE6FF89710F1084B8D10ACB7A6EF359C018B91
Memory Dump Source
• Source File: 00000016.00000002.1697784925.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_4c40000_jsc.jbxd
Similarity
• API ID / String ID / API String ID: none recorded
• Opcode ID / Opcode Fuzzy Hash: ed4dfee9ec7b96f15c6b010c951861a5a6a016960c90b492be93f2e08c07fca0
• Instruction ID: ef8df3baca8fc9500ef408b0d3879a6d7fa8c5317dd2a82884ffabc98a91f0ca
• Instruction Fuzzy Hash: CF21D371B002048FDB10DFB9D980AAEBBE7EBC8710F148136E559E7754DA30AD428BA4
Memory Dump Source
• Source File: 00000016.00000002.1697784925.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_4c40000_jsc.jbxd
Similarity
• API ID / String ID / API String ID: none recorded
• Opcode ID / Opcode Fuzzy Hash: d3d5c25a4609d0229fc9a5c4bca51894000eac393c3ce3cd8f34e3f37cce4594
• Instruction ID: 9996f5feb095497fb3d81abd7ae6d0a17627478304133f5102a45abeebf965bc
• Instruction Fuzzy Hash: 6B218574A402058FCB04DF79C084A6DBBB2EF89710B1081A8E906DB3B1DB35AD46CF90
Memory Dump Source
• Source File: 00000016.00000002.1697784925.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_4c40000_jsc.jbxd
Similarity
• API ID / String ID / API String ID: none recorded
• Opcode ID / Opcode Fuzzy Hash: 0a5f8dbeb39068c3ea0e295a9c85c0517f81903339f33ee65c19b65464e9eb5a
• Instruction ID: 94e39f2125f9407e47bda2eb92e39bfb9a03e9ae05b0d429bc528658089b3718
• Instruction Fuzzy Hash: 5B212774A401158FCB44DF79C444A6DB7F2BF88710B1185A9E90ADB361DB35AD42CF90
Memory Dump Source
• Source File: 00000016.00000002.1696481394.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_b00000_jsc.jbxd
Similarity
• API ID / String ID / API String ID: none recorded
• Opcode ID / Opcode Fuzzy Hash: a16a12c5cf57a67bdd2a3a6e1d901b1d53422ec797569f10d0f2156847d96f80
• Instruction ID: 18af6e9222deeeb665f6821223c81f7697b07f9538748e6ac5bec6af1349fc4d
• Instruction Fuzzy Hash: 8C112712F2D3945BDB22767C08213DE3FF59A83324B1444EAD5C99F593D608881AD3E7
Memory Dump Source
• Source File: 00000016.00000002.1697784925.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_4c40000_jsc.jbxd
Similarity
• API ID / String ID / API String ID: none recorded
• Opcode ID / Opcode Fuzzy Hash: 27e34dc2979b9ca66d80baf4d9c06b5b046af113e7518c9c008ac05ced406bb1
• Instruction ID: 6c1e343e49bceeb1a2a2f8cf86043e6244084d4ac3b9315b28ae18a4959d0711
• Instruction Fuzzy Hash: BC119031A052848FDB09CB79C554788BBF2AF99314F0681EAC045EB663DB759E0ACB91
Memory Dump Source
• Source File: 00000016.00000002.1697784925.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_4c40000_jsc.jbxd
Similarity
• API ID / String ID / API String ID: none recorded
• Opcode ID / Opcode Fuzzy Hash: 564c5613aaa3604f43fa9f4d2595fbd0adf6b0d4b393b8ff9159c7a05b1dae61
• Instruction ID: 82e336a707a97a834bc196d47f18bb1c7bdf9f20d2b5ebc23a4ebdb01f6dee1a
• Instruction Fuzzy Hash: 76111074B401148FCB58DF78C084A6DB7B2AF88725B1184A8E906DB371CB35ED42CFA0
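The function records above are only useful in bulk once they are pulled out of the report text: which memory dumps the recovered functions came from, how many distinct instruction fuzzy hashes each dump contributed, and whether a dump is an executable private region that is not backed by a PE image (here the 04C40000 and 00B00000 regions of PID 22, which is where the unpacked payload lives). The parser below is an added example written for this page, not code from Joe Security or the Joe Sandbox report. It consumes the raw per-function layout the report emits (empty API ID / String ID / API String ID fields, Opcode ID and Opcode Fuzzy Hash on separate lines); the sample text is three of the records above copied verbatim, with the first one starting mid-record exactly as this excerpt does. Two things are assumptions and not documented on the page: that the leading fields of a `.sdmp` file name are `<pid>.<step>.<dump id>.<base address>.<page protection>` in hex (pid 0x16 = 22 and step 2 do match the `hcaresult_22_2_*` snapshot names), and that the protection field uses the Win32 constants, so 0x40 is PAGE_EXECUTE_READWRITE.

```python
import re

# Constructed sample: three records copied from the report excerpt above, in the raw
# layout Joe Sandbox emits.  The first deliberately starts mid-record, as the excerpt
# itself does (its 'Memory Dump Source' line lies before the excerpt).
SAMPLE = """\
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_b00000_jsc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f5edd290a9d897bfcd3439a682d4ec766a0e9cf44f96db8b5e9130dc33b9166a
• Instruction ID: f9f5f83e0e047e6dc38a3c91b32f936da896c899e3ba37e716d26a19600197fc
• Opcode Fuzzy Hash: f5edd290a9d897bfcd3439a682d4ec766a0e9cf44f96db8b5e9130dc33b9166a
• Instruction Fuzzy Hash: 6A317E35B002048FDB24EB79C854A2A7BE6EF89710F1185B9D10ACB7A6EB359C01CB91
Memory Dump Source
• Source File: 00000016.00000002.1697784925.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_4c40000_jsc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 54f17ca50257edc49037cf3935b0126c93fbf1d81c6b79981bb3cb7187736b9a
• Instruction ID: 5e32b3b8658cc51560e162e1c872b3158fd39362d92ff0dbd5f993198fafe11e
• Opcode Fuzzy Hash: 54f17ca50257edc49037cf3935b0126c93fbf1d81c6b79981bb3cb7187736b9a
• Instruction Fuzzy Hash: 6E517C34B002448FEB18DB6AC554BADBBF2EF89314F1540A8D502AB3A1DB75EE05CB91
Memory Dump Source
• Source File: 00000016.00000002.1697784925.0000000004C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_4c40000_jsc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ed4dfee9ec7b96f15c6b010c951861a5a6a016960c90b492be93f2e08c07fca0
• Instruction ID: ef8df3baca8fc9500ef408b0d3879a6d7fa8c5317dd2a82884ffabc98a91f0ca
• Opcode Fuzzy Hash: ed4dfee9ec7b96f15c6b010c951861a5a6a016960c90b492be93f2e08c07fca0
• Instruction Fuzzy Hash: CF21D371B002048FDB10DFB9D980AAEBBE7EBC8710F148136E559E7754DA30AD428BA4
"""

KEYS = {"Source File", "Offset", "based on PE", "Snapshot File", "API ID", "String ID",
        "API String ID", "Opcode ID", "Instruction ID", "Opcode Fuzzy Hash",
        "Instruction Fuzzy Hash"}
# Assumed .sdmp name layout: <pid>.<step>.<dump id>.<base address>.<protection>.… (hex
# except the dump id).  pid 0x16 == 22 and step 2 match the 'hcaresult_22_2_*' names.
SDMP_RE = re.compile(r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.")

def parse_records(text):
    """One dict per function.  A record starts at 'Memory Dump Source' or when a key
    repeats, so an excerpt that begins mid-record still yields a partial first record."""
    records, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "Memory Dump Source":
            if cur:
                records.append(cur)
            cur = {}
            continue
        # 'Source File: x.sdmp, Offset: 04C40000, based on PE: false' carries three fields
        for part in line.split(", "):
            key, sep, val = part.partition(":")
            key, val = key.strip(), val.strip()
            if not sep or key not in KEYS:
                continue  # headings: 'Similarity', 'Joe Sandbox IDA Plugin'
            if key in cur:  # header line missing: the previous record ended here
                records.append(cur)
                cur = {}
            cur[key] = val or None  # empty API/String ID fields become None
    if cur:
        records.append(cur)
    return records

def sdmp_fields(name):
    """Decode pid, step, base address and page protection from a .sdmp file name."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"unexpected sdmp name: {name}")
    pid, step, dump_id, base, protect = m.groups()
    protect = int(protect, 16)
    return {"pid": int(pid, 16), "step": int(step, 16), "dump_id": int(dump_id),
            "base": int(base, 16), "protect": protect,
            "rwx": protect == 0x40}  # assumption: 0x40 == PAGE_EXECUTE_READWRITE

def summarize(records):
    """Per dump: function count, distinct instruction fuzzy hashes, and whether the
    dump is an RWX region not backed by a PE image (typical of an unpacked payload)."""
    out = {}
    for r in records:
        src = r.get("Source File") or "(source line outside excerpt)"
        s = out.setdefault(src, {"functions": 0, "instruction_hashes": set(), "rwx_non_pe": None})
        s["functions"] += 1
        if r.get("Instruction Fuzzy Hash"):
            s["instruction_hashes"].add(r["Instruction Fuzzy Hash"])
        if r.get("Source File"):
            s["rwx_non_pe"] = sdmp_fields(src)["rwx"] and r.get("based on PE") == "false"
    return out
```

`summarize(parse_records(SAMPLE))` yields one entry per dump file; the 04C40000 entry counts two functions with two distinct instruction fuzzy hashes and is flagged `rwx_non_pe`, while the leading partial record lands under a placeholder key because its Source File line is not in the excerpt. Point the same two functions at the whole report text to see every dump the analysis recovered code from. Note that the Opcode ID and Opcode Fuzzy Hash values are identical in every record here, so either can serve as the de-duplication key for opcode-level similarity.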