
Windows Analysis Report
FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe

Overview

General Information

Sample name: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
Analysis ID: 1466424
MD5: 18907f90316aa47034081363dc00f908
SHA1: 49b3c6c35c08c824ffb67f3dbcc1b215842a7014
SHA256: d384ba14fe02622e460cd9805eb86a45b6c4f9e787ecdc015bc6034e69410e3d
Tags: exe

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe (PID: 3300 cmdline: "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe" MD5: 18907F90316AA47034081363DC00F908)
    • powershell.exe (PID: 7236 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7284 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\BhTdjGetAH.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7352 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp378C.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe (PID: 7508 cmdline: "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe" MD5: 18907F90316AA47034081363DC00F908)
      • powershell.exe (PID: 7732 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 8084 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 8092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 4840 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\XClient.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 2740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7416 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • BhTdjGetAH.exe (PID: 7608 cmdline: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe MD5: 18907F90316AA47034081363DC00F908)
    • schtasks.exe (PID: 7948 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp5296.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • BhTdjGetAH.exe (PID: 7996 cmdline: "C:\Users\user\AppData\Roaming\BhTdjGetAH.exe" MD5: 18907F90316AA47034081363DC00F908)
  • XClient.exe (PID: 2132 cmdline: "C:\Users\user\AppData\Local\XClient.exe" MD5: 18907F90316AA47034081363DC00F908)
    • schtasks.exe (PID: 7864 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmpDDBF.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • XClient.exe (PID: 8104 cmdline: "C:\Users\user\AppData\Local\XClient.exe" MD5: 18907F90316AA47034081363DC00F908)
  • XClient.exe (PID: 7380 cmdline: "C:\Users\user\AppData\Local\XClient.exe" MD5: 18907F90316AA47034081363DC00F908)
    • schtasks.exe (PID: 7944 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp125.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 8016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • XClient.exe (PID: 3140 cmdline: "C:\Users\user\AppData\Local\XClient.exe" MD5: 18907F90316AA47034081363DC00F908)
  • cleanup
{"C2 url": ["futurist2.ddns.net"], "Port": "20506", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source | Rule | Description | Author | Strings
00000011.00000002.1844167553.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
    00000011.00000002.1844167553.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
    • 0x11b86:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x11c23:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x11d38:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x10963:$cnc4: POST / HTTP/1.1
    0000001C.00000002.2211516335.00000000030BE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
      0000001C.00000002.2211516335.00000000030BE000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
      • 0x60566:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0x74e4a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0x89d06:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0x60603:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0x74ee7:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0x89da3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0x60718:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0x74ffc:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0x89eb8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0x5f343:$cnc4: POST / HTTP/1.1
      • 0x73c27:$cnc4: POST / HTTP/1.1
      • 0x88ae3:$cnc4: POST / HTTP/1.1
      00000001.00000002.1767946178.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
        Source | Rule | Description | Author | Strings
        11.2.BhTdjGetAH.exe.288d464.1.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
          11.2.BhTdjGetAH.exe.288d464.1.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
          • 0xff86:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
          • 0x10023:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
          • 0x10138:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
          • 0xed63:$cnc4: POST / HTTP/1.1
          11.2.BhTdjGetAH.exe.2878b80.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
            11.2.BhTdjGetAH.exe.2878b80.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
            • 0xff86:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
            • 0x10023:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
            • 0x10138:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
            • 0xed63:$cnc4: POST / HTTP/1.1
            1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

              System Summary

              Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe", ParentImage: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, ParentProcessId: 3300, ParentProcessName: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe", ProcessId: 7236, ProcessName: powershell.exe
              Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe", ParentImage: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, ParentProcessId: 7508, ParentProcessName: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe', ProcessId: 7732, ProcessName: powershell.exe
              Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Local\XClient.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, ProcessId: 7508, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient
              Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe", ParentImage: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, ParentProcessId: 3300, ParentProcessName: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe", ProcessId: 7236, ProcessName: powershell.exe
              Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, ProcessId: 7508, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
              Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp5296.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp5296.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe, ParentImage: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe, ParentProcessId: 7608, ParentProcessName: BhTdjGetAH.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp5296.tmp", ProcessId: 7948, ProcessName: schtasks.exe
              Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp378C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp378C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe", ParentImage: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, ParentProcessId: 3300, ParentProcessName: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp378C.tmp", ProcessId: 7352, ProcessName: schtasks.exe
              Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe", ParentImage: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, ParentProcessId: 3300, ParentProcessName: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe", ProcessId: 7236, ProcessName: powershell.exe

              Persistence and Installation Behavior

              Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp378C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp378C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe", ParentImage: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, ParentProcessId: 3300, ParentProcessName: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp378C.tmp", ProcessId: 7352, ProcessName: schtasks.exe

              Snort IDS alerts

              Timestamp: 07/02/24-22:34:38.935488
              SID: 2853193
              Source Port: 49747
              Destination Port: 20506
              Protocol: TCP
              Classtype: A Network Trojan was detected

              Timestamp: 07/02/24-22:33:11.654513
              SID: 2855924
              Source Port: 49743
              Destination Port: 20506
              Protocol: TCP
              Classtype: A Network Trojan was detected

              AV Detection

              Source: 0000001C.00000002.2211516335.00000000030BE000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: Xworm {"C2 url": ["futurist2.ddns.net"], "Port": "20506", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
              Source: C:\Users\user\AppData\Local\XClient.exe; ReversingLabs: Detection: 57%
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe; ReversingLabs: Detection: 57%
              Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe; ReversingLabs: Detection: 57%
              Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
              Source: C:\Users\user\AppData\Local\XClient.exe; Joe Sandbox ML: detected
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe; Joe Sandbox ML: detected
              Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe; Joe Sandbox ML: detected
              Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack; String decryptor: futurist2.ddns.net
              Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack; String decryptor: 20506
              Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack; String decryptor: <123456789>
              Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack; String decryptor: <Xwormmm>
              Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack; String decryptor: GRACEOFGOD
              Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack; String decryptor: USB.exe
              Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack; String decryptor: %LocalAppData%
              Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack; String decryptor: XClient.exe
              Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe; Code function: 4x nop then jmp 0506B5DCh; 1_2_0506AC43
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe; Code function: 4x nop then jmp 0C4DA87Ch; 11_2_0C4D9EE3
              Source: C:\Users\user\AppData\Local\XClient.exe; Code function: 4x nop then jmp 050FA87Ch; 28_2_050F9EE3
              Source: C:\Users\user\AppData\Local\XClient.exe; Code function: 4x nop then jmp 04A7A87Ch; 32_2_04A79EE3

              Networking

              Source: Traffic; Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:49743 -> 102.90.42.110:20506
              Source: Traffic; Snort IDS: 2853193 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:49747 -> 102.90.42.110:20506
              Source: Malware configuration extractor; URLs: futurist2.ddns.net
              Source: unknown; DNS query: name: futurist2.ddns.net
              Source: Yara match; File source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.30162b0.0.raw.unpack, type: UNPACKEDPE
              Source: global traffic; TCP traffic: 192.168.2.4:49741 -> 102.90.42.110:20506
              Source: Joe Sandbox View; ASN Name: VCG-ASNG VCG-ASNG
              Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global traffic; DNS traffic detected: DNS query: futurist2.ddns.net
              Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
              Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
              Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
              Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
              Source: powershell.exe, 0000000D.00000002.1804203407.0000000004311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1868794212.0000000004161000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1927085686.00000000046C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1989730122.0000000004521000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
              Source: powershell.exe, 00000019.00000002.2013329226.000000000558A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000019.00000002.2013329226.000000000558A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000019.00000002.2013329226.000000000558A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 00000019.00000002.1989730122.0000000004676000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 0000000D.00000002.1802652172.0000000000448000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.mic
              Source: powershell.exe, 00000013.00000002.1868794212.000000000494E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1868794212.0000000004ABD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1989730122.0000000004C56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1989730122.0000000004E80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: powershell.exe, 0000000D.00000002.1810611459.000000000537C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1883850643.00000000051CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1958129515.000000000572B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2013329226.000000000558A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe

              Operating System Destruction

              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Process information set: 01 00 00 00

              System Summary

              Source: 11.2.BhTdjGetAH.exe.288d464.1.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 11.2.BhTdjGetAH.exe.2878b80.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 17.2.BhTdjGetAH.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 28.2.XClient.exe.31210c4.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 28.2.XClient.exe.310c7e0.2.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 28.2.XClient.exe.31210c4.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 28.2.XClient.exe.310c7e0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.30162b0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000011.00000002.1844167553.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0000001C.00000002.2211516335.00000000030BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000001.00000002.1767946178.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0000000B.00000002.1839980652.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.5810000.6.raw.unpack, -Module-.cs Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Process Stats: CPU usage > 49%
              Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1765774652.00000000011EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
              Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1767946178.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXClientZZ.exe4 vs FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
              Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1780627399.0000000007CA0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
              Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1772786286.0000000005810000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameRT.dll. vs FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
              Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1768583328.00000000040AA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
              Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 0000000A.00000002.4215493067.0000000005E39000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
              Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Binary or memory string: OriginalFilenamepnKa.exe0 vs FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
              Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 11.2.BhTdjGetAH.exe.288d464.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 11.2.BhTdjGetAH.exe.2878b80.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 17.2.BhTdjGetAH.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 28.2.XClient.exe.31210c4.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 28.2.XClient.exe.310c7e0.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 28.2.XClient.exe.31210c4.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 28.2.XClient.exe.310c7e0.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.30162b0.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000011.00000002.1844167553.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0000001C.00000002.2211516335.00000000030BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000001.00000002.1767946178.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0000000B.00000002.1839980652.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: BhTdjGetAH.exe.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: XClient.exe.10.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, yiyhCCrWBmInfG0a4QCNZtpE2fZz.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, yiyhCCrWBmInfG0a4QCNZtpE2fZz.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, yiyhCCrWBmInfG0a4QCNZtpE2fZz.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, yiyhCCrWBmInfG0a4QCNZtpE2fZz.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, RzV3NqSJmQfWQhjbhOPVza66IRVo.csBase64 encoded string: 'm2k5gSTmIhzPm4znwsFffzrOwzrobfXSPmVd3GVK9rNyso5JZvnpmnhhdL11CtMo', 'N4lkYxT4LErJTkWGpGt0vCx1jBGOxNNewRfEgQRcqLSv1fYqfZzbChhV6hgQPvv4', 'IM25v3IxAKIUFCxT0p8XpiMrmCMGIo1yfVUWBubUjRN1RA7vLbZYOU0NU98OrMqB', 'tOZdjrHFkgp2ItHkswytwMo7ddHAv0SoytCZ4XngZzdcgYSQDWPwb6HI8fNPEDmy', 'nIqjbvAxXyQjXNJqWC1fx8Fyyhtxuh78kr9XG6JjqtCPKfL1WHhjtL3T5EMYW3uv', 'iwjkCLTqhhRVsXgr3TSvogxuJT2UTDmulBoVrKox4wwlpkpGCamQ1jU21zicx2BQ', 'v7PCnjmeJf1Je09wrxnxQfYlvakram1RJ8F2veORWSBJxi2NNdGyt9AmxPagvAkf', 'ZcEvnHx7gftoiSgfjNAIbkE4HcJjPQNyHEmJ2h7GYLnwKDo1zJN3ndBXySvsdMfb', 'IksIdvQ9tF6Z0TaMZCVLthFPpJotDItRbRwfMNnNH1t4MeuP6QLjprRA51RPE5OW', 'ZEFmBjHo7FPYuvClPctfIaJD7dRGvsp6JMPu5RYWD87q4A8wsDmrD5t5P2eDmOJM'
              Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, rP7eOmPaR96CBwBf9RIXmfuDoroi.csBase64 encoded string: 'goA6MFBdtLv2MnASz7Og6mNYiP7F2CpDSlvILGQA4NSipUxVOcLyUSwUwwhvzlbP', 'Gp1OKP57uVSp3wHpW3qMGefpA8IXbKdrLlTUGB8NkK3WKbxQzF1oV9VA2ZqUYofO'
              Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, yiyhCCrWBmInfG0a4QCNZtpE2fZz.csBase64 encoded string: 'lSXrhVajXFbEWoQVRTEqxDHpEXPMcLtYdlNxLHUVcnPh5HA8iQPpWfS55xqhkKbNlX1OkzpgMozx9krFhTw9iwGJIoE1IZ2y', 'Y1MOWbSIwsQFsk6Lb3f7KGug0tskQtL9qXizQeQ7RA3TZDsp3pUIxfiIitu75Z6gxuIN46raAZogiPaxZFe1csKsHbtLG4SO'
              Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.csBase64 encoded string: 'hCpqCsXGdaTKHVckUTmhc9kJuWCZQRqHEz034dhCu4zmXFd16KsjcJYMKamy7Rft'
              Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, AwEg9KwvdcsSNSTrrziGMrveBN1p.csBase64 encoded string: 'woNHpHGmMwsIKEw8ntBHKVHMhgWt0IXHmDRuldTtE1IY29APaKSBj3tt3vhKc4P7', 'SZZKT3ZI0GkfL2iAzaAIY56PUEnPP34j3knTr6UXpDeJ8PE3Nrxc04Yr9rvkIbhU'
              Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.csBase64 encoded string: 'GbnSte7UnD1dvquteW4lli16wRYkhufDz0HFxZAO57ZxLbKwJwhteyRiVHkz5OPplyHSYBI1pMJ2bg1bQsDscAGOdU5BXhm2', 'IQmCUlmrVabVchmitrwHYEqhjhEBPupNZBABZHHamCWHZxjZL9DtFqy5EvRllDKA62Ca72h2wxnuVK26CQ8WEaLNzlWvlJoN', 'Qz8K2Ku7fNSV9ARr09HTwaYJRaB4k09kaeFSC4oyqn3Y5oJQxVxkLk4NKjjboSa6hcqCNhwAax1i6Kxabuc26jJW9GkTpk76', 'HsBMl0O4B3Po0QfGFQt7VMpCQc8eOh3DfMLJsXpDHr3Oq1HrBTOm5mvypsZwMsrjftcH46DbCbxmlTa1lSTGEfA1zIPHxWL0', 'lby38UhbIih3cyseFESJFZIKOZLT1pSgyQscTRatCbz9fmilgpzhSacInKhkHpGjit7KCWu4AuRPNQFfwkzrfrFZEbs9m5cp', 'mTrGfa7c1ILSIYHRdRT0oxUuP2LhOEbt2JmT01hXlSSpAScubVxNgz3WA2hZ82VPjWPe8uDzGKjbI497tZP51R5BO3k4ioux', 'Jr76SJ0aVIfGTUYUDh5k8xCOn3lX5d85aGNZ8QkGWWya3z5GLeYXmXYDQTV7iqiUXeFLhwUCo4ZI5LDoPSHfXusAxbEo8old', 'lGIIkWu5VZ4lZoN9VE5L3BpNYKrQJnGl7KUraq9hD6jtevDzFNBsNaSlWSvKvIgHLchV9tP9Dx6uWpQVg035lKVTlR1DA8au', 'yc4TDGZ1oVJhiembMwlhvuInenZcFJFty5N9Vu2t9ZekWoaC9ggEfBFCI7sgQBulRyrit0Y5k10a2ya8n4QvGpQhL27F4ghL', 'xAc6fMXprV2rbR7NoiGOyVwZgFq0f8J0MbFehJ7GjR5hm8poIK5zE1X0Kqg9Eg4BMo5rX5bgyzTd5dPirUSxOMQBnQTEeGbJ', 'IR6v0s2ohF08HKGITgv7NwNzJELJhn1fEB49703FC6Oijgr95ofEcYTmUEoQWFBAo51RhVCNA90JuQlphCBn8EO4wt0aBe56'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, UhRVWs4V2ZmxwggVZX.cs | Security API names: _0020.SetAccessControl
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, UhRVWs4V2ZmxwggVZX.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, UhRVWs4V2ZmxwggVZX.cs | Security API names: _0020.AddAccessRule
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, UhRVWs4V2ZmxwggVZX.cs | Security API names: _0020.SetAccessControl
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, UhRVWs4V2ZmxwggVZX.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, UhRVWs4V2ZmxwggVZX.cs | Security API names: _0020.AddAccessRule
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, UhRVWs4V2ZmxwggVZX.cs | Security API names: _0020.SetAccessControl
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, UhRVWs4V2ZmxwggVZX.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, UhRVWs4V2ZmxwggVZX.cs | Security API names: _0020.AddAccessRule
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, EJxCOd0IK9HWBTygqT.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, EJxCOd0IK9HWBTygqT.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, EJxCOd0IK9HWBTygqT.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: classification engine | Classification label: mal100.troj.evad.winEXE@44/37@4/1
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | File created: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7956:120:WilError_03
              Source: C:\Users\user\AppData\Local\XClient.exe | Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7740:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8016:120:WilError_03
              Source: C:\Users\user\AppData\Local\XClient.exe | Mutant created: \Sessions\1\BaseNamedObjects\bseBVoWpZznFSF
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7376:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7308:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Mutant created: \Sessions\1\BaseNamedObjects\fl41tVl0YQYHBwgA
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8092:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2740:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7244:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7468:120:WilError_03
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | File created: C:\Users\user\AppData\Local\Temp\tmp378C.tmp
              Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | ReversingLabs: Detection: 57%
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | File read: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
              Source: unknown | Process created: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\BhTdjGetAH.exe"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp378C.tmp"
              Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Process created: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Process created: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe C:\Users\user\AppData\Roaming\BhTdjGetAH.exe
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe'
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp5296.tmp"
              Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe | Process created: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe "C:\Users\user\AppData\Roaming\BhTdjGetAH.exe"
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe'
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\XClient.exe'
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Users\user\AppData\Local\XClient.exe "C:\Users\user\AppData\Local\XClient.exe"
              Source: C:\Users\user\AppData\Local\XClient.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmpDDBF.tmp"
              Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\AppData\Local\XClient.exe | Process created: C:\Users\user\AppData\Local\XClient.exe "C:\Users\user\AppData\Local\XClient.exe"
              Source: unknown | Process created: C:\Users\user\AppData\Local\XClient.exe "C:\Users\user\AppData\Local\XClient.exe"
              Source: C:\Users\user\AppData\Local\XClient.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp125.tmp"
              Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\AppData\Local\XClient.exe | Process created: C:\Users\user\AppData\Local\XClient.exe "C:\Users\user\AppData\Local\XClient.exe"
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\BhTdjGetAH.exe"
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp378C.tmp"
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Process created: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Process created: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe'
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe'
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\XClient.exe'
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp5296.tmp"
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe | Process created: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe "C:\Users\user\AppData\Roaming\BhTdjGetAH.exe"
              Source: C:\Users\user\AppData\Local\XClient.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmpDDBF.tmp"
              Source: C:\Users\user\AppData\Local\XClient.exe | Process created: C:\Users\user\AppData\Local\XClient.exe "C:\Users\user\AppData\Local\XClient.exe"
              Source: C:\Users\user\AppData\Local\XClient.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp125.tmp"
              Source: C:\Users\user\AppData\Local\XClient.exe | Process created: C:\Users\user\AppData\Local\XClient.exe "C:\Users\user\AppData\Local\XClient.exe"
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: mscoree.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: dwrite.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: windowscodecs.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: propsys.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: edputil.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: urlmon.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: iertutil.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: srvcli.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: netutils.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: appresolver.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: bcp47langs.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: slc.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: sppc.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | Section loaded: ntmarta.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: slc.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: scrrun.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: linkinfo.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: ntshrui.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: cscapi.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: avicap32.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: msvfw32.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: dwrite.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: windowscodecs.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: slc.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: mscoree.dll
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: version.dll
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: sspicli.dll
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeSection loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: mscoree.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: apphelp.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: version.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: wldp.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: profapi.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: dwrite.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: amsi.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: userenv.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: msasn1.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: gpapi.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: windowscodecs.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: propsys.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: edputil.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: urlmon.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: iertutil.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: srvcli.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: netutils.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: windows.staterepositoryps.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: sspicli.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: wintypes.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: appresolver.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: bcp47langs.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: slc.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: sppc.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: onecorecommonproxystub.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
              Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: mscoree.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: version.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: sspicli.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: mscoree.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: version.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: wldp.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: profapi.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: dwrite.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: amsi.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: userenv.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: msasn1.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: gpapi.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: windowscodecs.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: propsys.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: edputil.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: urlmon.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: iertutil.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: srvcli.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: netutils.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: windows.staterepositoryps.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: sspicli.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: wintypes.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: appresolver.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: bcp47langs.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: slc.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: sppc.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: onecorecommonproxystub.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
              Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: mscoree.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: version.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: sspicli.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Local\XClient.exe Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
              Source: XClient.lnk.10.dr LNK file: ..\..\..\..\..\..\Local\XClient.exe
              Source: Window Recorder Window detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Data Obfuscation

              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.sbktxjFwkFkhFsjrvspdYOD22he4M34sievnaWNyBCQnbd99km38od,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.VpqE6qu5NBFVe1zKtqqYKa4xj7pX4LpVFFJgvtRtolV8dajKFze95c,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.OT62GEi9AYDMy21VeJYWlGUcstKt4Y5QIAGq49kqQAYL0CT6se8Sar,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.T3Idj3F2oDeFMsad6egEQRL3y9cedieeV5mm9bZlTTGdzNhQhbYPV9,UZUv4Eo6zQhbxPiCqZPo3OnZwa02.XqczzdES8LwwFq4wGxNFUpvyopni()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[2],UZUv4Eo6zQhbxPiCqZPo3OnZwa02.mvlATZvtOhScDB0n3yloDYdLenXf(Convert.FromBase64String(rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[2] }}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.sbktxjFwkFkhFsjrvspdYOD22he4M34sievnaWNyBCQnbd99km38od,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.VpqE6qu5NBFVe1zKtqqYKa4xj7pX4LpVFFJgvtRtolV8dajKFze95c,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.OT62GEi9AYDMy21VeJYWlGUcstKt4Y5QIAGq49kqQAYL0CT6se8Sar,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.T3Idj3F2oDeFMsad6egEQRL3y9cedieeV5mm9bZlTTGdzNhQhbYPV9,UZUv4Eo6zQhbxPiCqZPo3OnZwa02.XqczzdES8LwwFq4wGxNFUpvyopni()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[2],UZUv4Eo6zQhbxPiCqZPo3OnZwa02.mvlATZvtOhScDB0n3yloDYdLenXf(Convert.FromBase64String(rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[2] }}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.sbktxjFwkFkhFsjrvspdYOD22he4M34sievnaWNyBCQnbd99km38od,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.VpqE6qu5NBFVe1zKtqqYKa4xj7pX4LpVFFJgvtRtolV8dajKFze95c,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.OT62GEi9AYDMy21VeJYWlGUcstKt4Y5QIAGq49kqQAYL0CT6se8Sar,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.T3Idj3F2oDeFMsad6egEQRL3y9cedieeV5mm9bZlTTGdzNhQhbYPV9,UZUv4Eo6zQhbxPiCqZPo3OnZwa02.XqczzdES8LwwFq4wGxNFUpvyopni()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[2],UZUv4Eo6zQhbxPiCqZPo3OnZwa02.mvlATZvtOhScDB0n3yloDYdLenXf(Convert.FromBase64String(rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[2] }}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.sbktxjFwkFkhFsjrvspdYOD22he4M34sievnaWNyBCQnbd99km38od,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.VpqE6qu5NBFVe1zKtqqYKa4xj7pX4LpVFFJgvtRtolV8dajKFze95c,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.OT62GEi9AYDMy21VeJYWlGUcstKt4Y5QIAGq49kqQAYL0CT6se8Sar,Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.T3Idj3F2oDeFMsad6egEQRL3y9cedieeV5mm9bZlTTGdzNhQhbYPV9,UZUv4Eo6zQhbxPiCqZPo3OnZwa02.XqczzdES8LwwFq4wGxNFUpvyopni()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[2],UZUv4Eo6zQhbxPiCqZPo3OnZwa02.mvlATZvtOhScDB0n3yloDYdLenXf(Convert.FromBase64String(rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { rlP0Eq7eKfKCRKmpbchw9xOwao86BCQNlLG1LHqiDo2mSrzf9Vrp0kATNNtjO4LmAUF8gZ3ZCquklaz7Wrq7xF[2] }}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.5810000.6.raw.unpack, -Module-.cs .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.5810000.6.raw.unpack, PingPong.cs .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, UhRVWs4V2ZmxwggVZX.cs .Net Code: OOhr3a1YQb System.Reflection.Assembly.Load(byte[])
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs .Net Code: jhixk0okiH6FnLIqMolEiqWfLniTXnNWbUgssa3zRYDFr2Rk0WDYWEaapMJOtmnWzdbj9a0VVhIXuwdqkskpcu System.AppDomain.Load(byte[])
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs .Net Code: _4qZ9RqLLGP44xXNmp2yU0BCZiruHdYKJFgKMs4eoIxwSJOsJK55OLEpezf8IuMLvAl3RXcpFAacfInWz53O227 System.AppDomain.Load(byte[])
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs .Net Code: _4qZ9RqLLGP44xXNmp2yU0BCZiruHdYKJFgKMs4eoIxwSJOsJK55OLEpezf8IuMLvAl3RXcpFAacfInWz53O227
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs .Net Code: jhixk0okiH6FnLIqMolEiqWfLniTXnNWbUgssa3zRYDFr2Rk0WDYWEaapMJOtmnWzdbj9a0VVhIXuwdqkskpcu System.AppDomain.Load(byte[])
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs .Net Code: _4qZ9RqLLGP44xXNmp2yU0BCZiruHdYKJFgKMs4eoIxwSJOsJK55OLEpezf8IuMLvAl3RXcpFAacfInWz53O227 System.AppDomain.Load(byte[])
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs .Net Code: _4qZ9RqLLGP44xXNmp2yU0BCZiruHdYKJFgKMs4eoIxwSJOsJK55OLEpezf8IuMLvAl3RXcpFAacfInWz53O227
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, UhRVWs4V2ZmxwggVZX.cs .Net Code: OOhr3a1YQb System.Reflection.Assembly.Load(byte[])
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, UhRVWs4V2ZmxwggVZX.cs .Net Code: OOhr3a1YQb System.Reflection.Assembly.Load(byte[])
              Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs .Net Code: jhixk0okiH6FnLIqMolEiqWfLniTXnNWbUgssa3zRYDFr2Rk0WDYWEaapMJOtmnWzdbj9a0VVhIXuwdqkskpcu System.AppDomain.Load(byte[])
              Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs .Net Code: _4qZ9RqLLGP44xXNmp2yU0BCZiruHdYKJFgKMs4eoIxwSJOsJK55OLEpezf8IuMLvAl3RXcpFAacfInWz53O227 System.AppDomain.Load(byte[])
              Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs .Net Code: _4qZ9RqLLGP44xXNmp2yU0BCZiruHdYKJFgKMs4eoIxwSJOsJK55OLEpezf8IuMLvAl3RXcpFAacfInWz53O227
              Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs .Net Code: jhixk0okiH6FnLIqMolEiqWfLniTXnNWbUgssa3zRYDFr2Rk0WDYWEaapMJOtmnWzdbj9a0VVhIXuwdqkskpcu System.AppDomain.Load(byte[])
              Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs .Net Code: _4qZ9RqLLGP44xXNmp2yU0BCZiruHdYKJFgKMs4eoIxwSJOsJK55OLEpezf8IuMLvAl3RXcpFAacfInWz53O227 System.AppDomain.Load(byte[])
              Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs .Net Code: _4qZ9RqLLGP44xXNmp2yU0BCZiruHdYKJFgKMs4eoIxwSJOsJK55OLEpezf8IuMLvAl3RXcpFAacfInWz53O227
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Code function: 1_2_02FC87E8 pushad ; iretd 1_2_02FC87F5
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Code function: 10_2_05CE2CE8 pushfd ; iretd 10_2_05CE2CE9
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Code function: 10_2_05CE2C90 push eax; iretd 10_2_05CE2C91
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_042D42CD push ebx; ret 13_2_042D42DA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_042D2CA5 push 04B80721h; retf 13_2_042D2CEE
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_042D5DD0 push esp; ret 13_2_042D5DE3
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_042D3ACD push ebx; retf 13_2_042D3ADA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_0414634D push eax; ret 19_2_04146361
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 21_2_045F629D push eax; ret 21_2_045F6351
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 21_2_045F2C5C push 04B80753h; retf 21_2_045F2CFE
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_068E62CD push eax; ret 25_2_068E6381
              Source: C:\Users\user\AppData\Local\XClient.exe Code function: 28_2_056FC590 pushad ; ret 28_2_056FC591
              Source: C:\Users\user\AppData\Local\XClient.exe Code function: 28_2_056F7460 push eax; mov dword ptr [esp], ecx 28_2_056F7464
              Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Static PE information: section name: .text entropy: 7.978661790486835
              Source: BhTdjGetAH.exe.1.dr Static PE information: section name: .text entropy: 7.978661790486835
              Source: XClient.exe.10.dr Static PE information: section name: .text entropy: 7.978661790486835
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, XuBBOyqZHedkChRurO.cs High entropy of concatenated method names: 'duSZ0GBT1D', 'iJGZutdYTH', 'ptPZ2fx5xB', 'OhDZFgbBsy', 'dFfZoBbnkq', 'KmkZKFCRM7', 'OlNZwmNXfX', 'BH8Zf9IIul', 'BSgZElJexP', 'BymZIUuR4l'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, lLoOpbp98ceyYJEt7Q.cs High entropy of concatenated method names: 'pxi3SRTcJ', 'xcMTrMTOZ', 'euJeBDWTj', 'Y6vOr9khC', 'XNhuUc6bP', 'GRWUZv07X', 'iixiONekonRbkIQxVT', 'ihPe84nADxxKEbGbXg', 'UARjNKU6L', 'mXF7Q1IVP'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, e3Vm7DUU0l9H9RyBUx.cs High entropy of concatenated method names: 'oK2y1fDchN', 'iUNyOmcmnB', 'KcYlHMyR7P', 'uVglov0tav', 'gi6lKV6IlJ', 'oKPlMFSgMN', 'XM4lwp20dw', 'iwOlfuQ01L', 'sJ9ld0sZ3e', 'gpPlEkhZtt'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, kE2Srp2ld2AAdsRnJr.cs High entropy of concatenated method names: 'OWCPN762bO', 'rfsPcVOtoL', 'DUZPybZDkG', 'RinPXRX6cn', 'BmyP4ZnOcj', 'GBtyClx496', 'KltyYkQ4I0', 'LTBytFXYTN', 'dDByhE5uQN', 'y3WyLnVSG9'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, hM4Gbid7ianNtZiD8K.cs High entropy of concatenated method names: 'GWlX9jiZYI', 'x1uXsJZ3yp', 'S4UX30AIGf', 'CQpXTyxe8n', 'v3nX13WmcB', 'C7mXecGXau', 'RsdXOivEio', 'aw3X0WNi6C', 'tsqXuHR1QM', 'W3BXUNQre5'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, HxNAiq5aRigM2OIS7K0.cs High entropy of concatenated method names: 'UAJQ9gZTL6', 'pioQsNanLE', 'ySeQ3i7UCj', 'abVQTZryRI', 'akMQ1SRZik', 'WmQQeVHrQw', 'HXXQO69q4b', 'reUQ03pLg6', 'e7bQu0NlIW', 'Oo0QUbn27e'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, KaR3uUBI0MjM3PHugT.cs High entropy of concatenated method names: 'oCAQ5sPUBr', 'ayiQVcftou', 'kujQrS3tXd', 'xq0QSLdNwT', 'h6oQcXDOcu', 'gERQyIlHPv', 'uKyQPHodAF', 'xJHjtydHWm', 'Lf2jhp2moM', 'oZKjLmI9Lk'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, EJxCOd0IK9HWBTygqT.cs High entropy of concatenated method names: 'YOxcboSUkO', 'SCvcxf2s3i', 'vM7cimoL8W', 'wIPcW4K0cN', 'EHrcCNbSt0', 'KqxcYB1R5j', 'mxOcttvlma', 'SZ5chGX3AD', 'CXhcLBDlIe', 'wT0cB2A0t4'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, hSfCAGu12LdJc86UdL.cs High entropy of concatenated method names: 'RbalTHaF87', 'BebleRZGyl', 'I4hl06a9lo', 'vw0luP5ZtK', 'xkVlJOKvRh', 'FoElm8ZPvh', 'zZrlAcjos4', 'KhQljFdkPG', 'PCalQqeZQf', 'yeil7ID6qX'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, UYrVFP5VpNDvklhDEYZ.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Re77bBab9i', 'qj07x5QNvN', 'RGB7iWxWXn', 'Ixh7WggVY8', 'jew7CTFG3y', 'SVp7YoyEs5', 'txW7t7horV'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, NRj2udzPuinToaZAkR.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HvFQZovY2u', 'XYhQJ8hbbD', 'gNLQmXuctj', 'WOvQAjEgTa', 'sAQQj2U3sT', 'pjlQQlBdyX', 'KhGQ7Gb740'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, m1JhKuWAltth18afAA.cs High entropy of concatenated method names: 'UhRAn6RCGf', 'u5JAvpuvAe', 'ToString', 'IhRASYpXwi', 'SLhAcuA29b', 'IifAlBmCbM', 'uJTAysBLEn', 'oxiAPE0BpS', 'IxEAXPnqC1', 'eOaA4pfacg'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, ErbZs0FKsqSRkoQOs9.cs High entropy of concatenated method names: 'vEd70HmxuMqKWpebZi6', 'UfrJN8myxn22E0b4uwT', 'o3PUnkm6FfrAtReSwod', 'AB8Pjk2GPn', 'Ur4PQOHVWY', 'mWAP7E5Wmb', 'Rrg8GDm059NPq54hnoF', 'XVZy9PmjmWiiwNjSoXL'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, Jit5a6i5l2yO4HDS69.cs High entropy of concatenated method names: 'ToString', 'iKZmI3tE7S', 'jLAmFicqCj', 'OeXmHbErlc', 'HhnmoLn7q3', 'bDkmKn6Uhl', 'iugmMkRxtE', 'tQ0mwedx4v', 'swBmf2pBn7', 'P57mdGEIFD'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, OUgrSjc9E7Xf2gdhkq.cs High entropy of concatenated method names: 'Dispose', 'raM5L8Y5vV', 'SQ9pFXBOIM', 'muCmmrUARs', 'ego5BXfnv2', 'woI5z1vR9v', 'ProcessDialogKey', 'jEJpaHQHnP', 'nW5p5hfyC1', 'CKpppwaR3u'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, kLsM8MYfJ8Mq09ivr4.cs High entropy of concatenated method names: 'ssaAhwijh3', 'cvtABMfYQG', 'oM5ja6USSK', 'c5pj5rouXP', 'tHSAIRUPlT', 'ErMAR9nmyZ', 'A34Aq2HZc4', 'LovAbPFIdy', 'kNDAxUxIBm', 'DbdAicJ4ob'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, oHQHnPLvW5hfyC1eKp.cs High entropy of concatenated method names: 'SBSj2iym1b', 'Aa9jFE5Fp7', 'TmcjHuT6f7', 'G0Ajon8F75', 'DMxjbUhxuR', 'rg8jK8fouM', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, toXfnvh26oI1vR9vXE.cs High entropy of concatenated method names: 'E1ejSXZ3cF', 'lTcjcBfF7Q', 'RhPjlLOcgZ', 'xSejyiGTyh', 'SvSjPWMKh6', 'AghjXmCJ1V', 'Wm5j47rPuG', 'HIAjkiSyoi', 'ThBjnpDkGK', 'VNDjvTmWas'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, UhRVWs4V2ZmxwggVZX.cs High entropy of concatenated method names: 'igfVN8Y1LQ', 'NxBVSWcsyl', 'H1pVcbu3yZ', 'u4AVl4Xx1J', 'miiVyQn0Hr', 'BIdVP8BgwE', 'i7NVXKF4lf', 'RevV4MmKuj', 'Mo8VkkDvUw', 'Kg4VnbhPC9'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.7ca0000.8.raw.unpack, b6FpHuraoQLlIMotTo.cs High entropy of concatenated method names: 'Vyu5XJxCOd', 'OK954HWBTy', 'w125nLdJc8', 'wUd5vLN3Vm', 'PyB5JUx4E2', 'frp5mld2AA', 'Xtekrbic51NgvwMxTI', 'lP60E7kFUtIOAdPDfa', 'X6O7h6JE6yC97g6pit', 'xaZ55yketZ'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.cs High entropy of concatenated method names: 'GgpMcZhIjR4120pY8u6uCAiRH4QL01oA8al3eaKERyo7Gz', 'ox5p61KJCv91fSFYDHVf3yI6mIZn5ghkne6RW0Q8ZPdDkx', 'TkIpa4am8tCYuP2dbxBDwmHKEDZIHnVId2GnDhDqTVhJPo', '_3e2Pfn3Q4rzLu9onfN67v8ko7Z5GrYRUc35ZD0QCHbo1YY'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, PHumo8U1BHf4b2B0BWI8ZjmYpkj0.cs High entropy of concatenated method names: 'RFCRLGhpvr9NYR00cC1jYzzhNoGc', 'IqIjmnuxJ3fJRXpWx5i6p06BvknH', 'h0QcBPr1tUpbbttnFh9pKeMIsLO0', 'JSwQAKrE3hy1Xa8kCeMUMHl7tDFE7zJBBkYpqtl37oquI8kO6qW3jvG253n2hGlwshqFcUIXl44Oait8Y', 'fhf8l63mvf58nkljMdtns2rS0jJ2Ku25GBqPsf8n0AKTalQsLlJ1tFYxXYqj7TVM2LHXF5CxOxaHtM6jA', 'vQNlFV5MYsgGnmsnjddhs1LPn3prl9t7ngD4qJeNWZriEhRxGwEXYYAjMr6ahuqzuXFsZfVbLVzkS41Vy', '_8AGsKmcQHxtfYjXjvmBkfPnUSkoIgwMqT93GOJ9ShoozPTN2nEFJUp1bsZ9zGgtDGeiV63iY7TYgp9hVJ', 'tjTEJDI9pAPfnZ6wp0X14AFZ0NjjbgGWPfaONvZW9uBIRqGF58ytx59qIdox5dfKk6pi14jdQPhI5tn1s', 'OgjQKOuHxlVXiA61HD7fxqZ7wejN9zDbP17G8kaz8wQSe8FZyV8JQxKKzHnOgBQzAe9fJZzpQEsYpLtVb', '_0rspqqxb6onB15LoNuYaKLkSfLMALfE6Z1AIUy9jHx0zKOpBrulxBSe7HFGDte3YPXrP3wiRXGoncCsf4'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, whVbSFDbmJZTsAWLMmphob7SHg0R4bdRNw2BjvOoEgTOMDBCDU1CAVgGsNaFR02HhbWUm.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_3pDfniDpif4ffCBHzv5bH1QqY4RRTgrkEK1pAzNpcDMSMZ', 'xKtnUdWSHKGxkHapMrBiNIn04Rff5XQTqCAhUYQp3i1Ggx', 'IWSntankFfmsXsov89pEhnqj0oTXRR78x8ELNzBMVcL2JJ', '_8L49Fnel5Kq4GFLrTxXWrAGEUYk8hdJyXj47Eme6zHmspu'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, RzV3NqSJmQfWQhjbhOPVza66IRVo.cs High entropy of concatenated method names: '_6koM63edaR5ulqE8qZJ1WgfYyvzN', '_7JiPm57tnavbvPzY74rgM9y1iJtT', 'Aruijh1no96v0wVBvnLbY4snFt73', 'ctiNUX9oq9EA4zH4jODZblffSAJF', 'uPdhKbuy6nqCVVLRnJ6jlllGGP6d', 'TiPpfFy5VhN0zMwKD1gVMbOzfSgC', 'lXZRxavinAOWbg1hvsGcejk4lw4T', 'KtJjpUvLXGQDROyJaC0DNFqmSRq2', 'xUy9HRbOaV30MYPN9VXbdD8DmCAG', 'LkU1GalO3bNCgLqOcLGi821bM6ee'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, rP7eOmPaR96CBwBf9RIXmfuDoroi.cs High entropy of concatenated method names: 'Fp8pNXY4fhbes0H5oqiR8jKEBZEH', '_661Zzgo0pdE0U75TsTzuzFsDxHOT', 'rQ2gSBrFnkVUvLbZzLv5ga4o1pjx', 'UCcjzA6PAlfE2LxhvhTzGIXPhpAn', 'baQZZMeWmiqPU9EJp6SLbI5WXnomZoJDRueuC4pQoapccESUO2SzgGF5UW5HlaX2', 'A4xs6CjXolI6X30mxALRiJYTF8jqDZBrf40ysFqc4pWKIxeGhOeiWbew8EvVGJHd', 'b3cjtVyVHy9zn50JJ5VOzoqy9EMuKOGdSQmDI3WGcp0IZVtEsyfaieiqbwg2ahfZ', 'jWzPAkZaZrbCLng1y4jaCC6NLxIzXJIygYb4p4AFgh3XWrw1T9oOD8DL6DWBbM9m', 'f3fHFHct6Px3fevqcMWLBTtjkvfS5HcXz10fUaugglZl9jCzhTqBRW6VQu3ewMiq', 'yZoTAMVjT8hplHJxEV3mjagEx9xvoZqVFtOwVLOVjYWXniPhmYJo75x715dDVsz8'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, s9dzM1HbtTjuXC0T1gSDLB6YlRyDPDyrsQnUAGJGlfWeIFsb33G7o3.cs High entropy of concatenated method names: 'YcCjk3IRCObvHMNKMfV5o4JSwqVjJYT1ETNC6aRecigMKuqUdX5APZ', 'ixJfdrn6LmwxBbYqgAQnXHR6cgG4nBXj4IdKSYxZWLEje25t7Nm6yU', 'uI78gH23bYal3ybMgr5SDQ3jxmJauyJOfydInZdQ8YffU2zELInMup', 'rdH4HQDf1a9aNYxd1TahzVo8PVO43P6qqwvd0G37maRMv3Z2YsRPmc', 'PaWhnJq9AXy51DsxUYezajDEGfJmiJBKsgzrEbVTlzuFPl2rzTRpN1', '_4BQ3DYannZfE3inYu8TtN3LJ7bFFN00q4eDZhhXWOtxUha', 'LYP31KzmBPtTPIrJIXUvUmQyEbR61Hucx3zGN638UF8FER', '_4ylbuqAJcOlS2lIcVcLmG4d4ZDytwPkBvYEzBziO5CSMPj', 'u5au5R4NydQwiRRRzPLH5eU6pdIvTWiifOU5lTaTXU3dUV', 'Vy38Lr2Vq6EYkCa15HxNy0HDTCTj4xkkNIU9G2f6a3p64C'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, yiyhCCrWBmInfG0a4QCNZtpE2fZz.csHigh entropy of concatenated method names: 'Vf08JYGAkuTJj1mNDuDSCynOx0Aj', 'dH7UkHxKG6zZ76Y42GmShdJcWCsdbHvYbbyWkQQ7cK2zHuz3RxUM6rXRlDqFqjKIgPpcU8ZvUOylxb8ddA4Y19DpCFXx04uw', 'kliHKYqxak7Y74K8xlHEw9jt1cE0LM96QYNbTzXH4VXuyNOznmFWkMFlAcECwfovp7xJdAUUJl0snMeMOdCThGd90PFaBWeA', 'bbfKzODoV2L06uXUsb35VYp7jJKXS8TBJ1WNakloVaPAZs5WhPpM9tumpwLjeXQxrZBA6gTGRhmttjSVhO5A2C80oBSC1WVP', 'aHd9iypJYBPTbdtQCl7Ok99x1nZUZsZEsznscbKdjYqFQj2Eh0WqN3YUy5jfCvoF4Hkovb9mJM9yDlly3rIm0ji28Sndw6UJ'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.csHigh entropy of concatenated method names: 'Ththm9CTOMvvm2GyNP8Qzr24jCjdhMSqMKmhGwieTi4yMTgC9uFPmmdsAe4xySIKQP361XwPWd1jaCxGPBsjil', 'jhixk0okiH6FnLIqMolEiqWfLniTXnNWbUgssa3zRYDFr2Rk0WDYWEaapMJOtmnWzdbj9a0VVhIXuwdqkskpcu', 'nAdoeyR1X8X4pimRSBLRLbXwGT6W9c31d2Z10qpK3IzMJnrNxioP5NQy25IioTNLsewZuuBGAaHrCzUj5jEOAh', 'dJQnzA612gtw8ujHxNeqyoOpAvcq8ssRQdsUZAPJ3IZR8rstxuV33yW272jijI13uLrtXrFKCCWd8euuaUY88b', 'u3NX2j7yUQ2p5r4rSnWttUtn1p6VOv7DiD5VILIwDty9G35z89Oov1SydYyzJhrxg4e7vxqrMtI5kzaavcpj4i', 'CPbcyxXDzJ13yCHordyvUP7bVO8xstIqlm68LEXaJo3q4Imu7yi53EXW0m26voMKdC1ab71UnUAqIVbSuUKUq4', 'fM95BZOdW1fmoxegIukzIdcbcty9Go2kvqFfc5EgSUVZfnVQmENPBKqb36sScN93vgiBPrDVnyajk7FoYGvHbC', 'fGAZW4e1W335OvTNw6qX9ZkZtnP6cnHp8wSZ3IDUIuPsNS75Rj1jVp7q2pfDknuUu0uag0KvV0cpgPsPR1a7VO', 'ej1ormzl2jKuOvMwjZ6nm4OM9aHYcjo27iz0oiFHIsNXUAA6XEkXASwwmlmE3nZrzYdlM8WD0aW1DucD6VIcio', 'K9kZlQvWNJvWU7lLA1FD5UujO7vk5bDIjo82PCKpprPgg4mufa91tBmYvFvdedKXqLJKPekHWnHrhD1pc3O63u'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, AwEg9KwvdcsSNSTrrziGMrveBN1p.csHigh entropy of concatenated method names: 'B23wVkYTRRlbvZPXNLXxIoOG2zrc', '_1nQfddviA6nptTfkr6TfyQY4rgxN40GBmufbL4TjTGyzc4njPykP4mxfk7CDp08r', 'ConDlLttcHyi0bvUIXIvd7ZhdNhwTtGLWyDDdezukc6tpfqHJUpxh0Y8lIuoBBJO', 'xffgxamw2yiuFaeTRpUFcPK0Fb3CaJgPpY9bMzjBfhHYcGZYQWY3vbWC8ITRQJOV', 'b3Ceji6v4OiedAr2PLCKgpF3X5xQkHVhOQ5aKhoQL5ukRlGZsSklPpLulBwOFUqc'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.csHigh entropy of concatenated method names: 'Y1ITG5MBR8142OiTMq6Zq60AoqWLOu7vDN9kZguwRz4rrKYDeseG8s', 'YRJFCxHjM7pPS4tNaT7iQrZf3P0nMtI4vOCFptxbgzKLYau24ZfSVv', 'nCJtZvaszp6oSFBL7GMdxt7QYF2vHScvtNGMXj2FMFL1HGIapNV4Nm', 'unpnLLLGMEjTQEUUBSj3mxvpQAbkt5HxZNTRjEyRODRSiZxTDm3ZG1', 'RAt0CxcgEb13BldbyvusZ6MAjrul1qh5NtQmMsF3SUmeKVwNx3CMeJ', 'duRVETZzWT64PiCNxiLb2ZTVL5cyIBFb0Tz44PVeMxvn6DYdrsjb0y', '_9hDXJ4K0XixM3bAx328T6bJ8kA4hPCruVIEYrs79DPLZYdXXXxG7C4', 'e4J5jbEn0rCBRh9jVC2QZTf9G24OA5JndJL1xso81EK2Rz4K5HXSVT', '_9jFrliaKxwwrVaHlKlmyHrIWBPEAljm6iyt2h7SJgRhygyHojB5BdN', '_9HnDvdBf3YlSqtdiZPhJ6vE7g42q2TY16T744fQeuQP8swsNcqvl7X'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.csHigh entropy of concatenated method names: 'zqSbnYJ7TRzPGM4DTBz55wB90X1H', '_4oLwAniIUZb3pHfgNlXqONekWHg3', 'CDzVFa3gZC10reMa61ZgV5cAkx86', 'sRTHUEnQNBOe33KZfvWLwDJhWgNw', 'jVgxlhUWvyKuBGP8wBjwY8ZLosae', 'bpEpLSR4YKp0SwBpXSNr4FZBegZ3', 'JEcOqiKQuo1NMNAgJ57suc0Fv4mR', 'zXHcrIVLQWaWHBgyaBEeGMLqmc93', 'IMzLMpiHmTzbaQSc0F1wjAm9srhz', 'rHGQSVSfZ2Gp1JnWnS0x8LpowN1k'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.csHigh entropy of concatenated method names: 'GgpMcZhIjR4120pY8u6uCAiRH4QL01oA8al3eaKERyo7Gz', 'ox5p61KJCv91fSFYDHVf3yI6mIZn5ghkne6RW0Q8ZPdDkx', 'TkIpa4am8tCYuP2dbxBDwmHKEDZIHnVId2GnDhDqTVhJPo', '_3e2Pfn3Q4rzLu9onfN67v8ko7Z5GrYRUc35ZD0QCHbo1YY'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, PHumo8U1BHf4b2B0BWI8ZjmYpkj0.csHigh entropy of concatenated method names: 'RFCRLGhpvr9NYR00cC1jYzzhNoGc', 'IqIjmnuxJ3fJRXpWx5i6p06BvknH', 'h0QcBPr1tUpbbttnFh9pKeMIsLO0', 'JSwQAKrE3hy1Xa8kCeMUMHl7tDFE7zJBBkYpqtl37oquI8kO6qW3jvG253n2hGlwshqFcUIXl44Oait8Y', 'fhf8l63mvf58nkljMdtns2rS0jJ2Ku25GBqPsf8n0AKTalQsLlJ1tFYxXYqj7TVM2LHXF5CxOxaHtM6jA', 'vQNlFV5MYsgGnmsnjddhs1LPn3prl9t7ngD4qJeNWZriEhRxGwEXYYAjMr6ahuqzuXFsZfVbLVzkS41Vy', '_8AGsKmcQHxtfYjXjvmBkfPnUSkoIgwMqT93GOJ9ShoozPTN2nEFJUp1bsZ9zGgtDGeiV63iY7TYgp9hVJ', 'tjTEJDI9pAPfnZ6wp0X14AFZ0NjjbgGWPfaONvZW9uBIRqGF58ytx59qIdox5dfKk6pi14jdQPhI5tn1s', 'OgjQKOuHxlVXiA61HD7fxqZ7wejN9zDbP17G8kaz8wQSe8FZyV8JQxKKzHnOgBQzAe9fJZzpQEsYpLtVb', '_0rspqqxb6onB15LoNuYaKLkSfLMALfE6Z1AIUy9jHx0zKOpBrulxBSe7HFGDte3YPXrP3wiRXGoncCsf4'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, whVbSFDbmJZTsAWLMmphob7SHg0R4bdRNw2BjvOoEgTOMDBCDU1CAVgGsNaFR02HhbWUm.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_3pDfniDpif4ffCBHzv5bH1QqY4RRTgrkEK1pAzNpcDMSMZ', 'xKtnUdWSHKGxkHapMrBiNIn04Rff5XQTqCAhUYQp3i1Ggx', 'IWSntankFfmsXsov89pEhnqj0oTXRR78x8ELNzBMVcL2JJ', '_8L49Fnel5Kq4GFLrTxXWrAGEUYk8hdJyXj47Eme6zHmspu'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, RzV3NqSJmQfWQhjbhOPVza66IRVo.csHigh entropy of concatenated method names: '_6koM63edaR5ulqE8qZJ1WgfYyvzN', '_7JiPm57tnavbvPzY74rgM9y1iJtT', 'Aruijh1no96v0wVBvnLbY4snFt73', 'ctiNUX9oq9EA4zH4jODZblffSAJF', 'uPdhKbuy6nqCVVLRnJ6jlllGGP6d', 'TiPpfFy5VhN0zMwKD1gVMbOzfSgC', 'lXZRxavinAOWbg1hvsGcejk4lw4T', 'KtJjpUvLXGQDROyJaC0DNFqmSRq2', 'xUy9HRbOaV30MYPN9VXbdD8DmCAG', 'LkU1GalO3bNCgLqOcLGi821bM6ee'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, rP7eOmPaR96CBwBf9RIXmfuDoroi.csHigh entropy of concatenated method names: 'Fp8pNXY4fhbes0H5oqiR8jKEBZEH', '_661Zzgo0pdE0U75TsTzuzFsDxHOT', 'rQ2gSBrFnkVUvLbZzLv5ga4o1pjx', 'UCcjzA6PAlfE2LxhvhTzGIXPhpAn', 'baQZZMeWmiqPU9EJp6SLbI5WXnomZoJDRueuC4pQoapccESUO2SzgGF5UW5HlaX2', 'A4xs6CjXolI6X30mxALRiJYTF8jqDZBrf40ysFqc4pWKIxeGhOeiWbew8EvVGJHd', 'b3cjtVyVHy9zn50JJ5VOzoqy9EMuKOGdSQmDI3WGcp0IZVtEsyfaieiqbwg2ahfZ', 'jWzPAkZaZrbCLng1y4jaCC6NLxIzXJIygYb4p4AFgh3XWrw1T9oOD8DL6DWBbM9m', 'f3fHFHct6Px3fevqcMWLBTtjkvfS5HcXz10fUaugglZl9jCzhTqBRW6VQu3ewMiq', 'yZoTAMVjT8hplHJxEV3mjagEx9xvoZqVFtOwVLOVjYWXniPhmYJo75x715dDVsz8'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, s9dzM1HbtTjuXC0T1gSDLB6YlRyDPDyrsQnUAGJGlfWeIFsb33G7o3.csHigh entropy of concatenated method names: 'YcCjk3IRCObvHMNKMfV5o4JSwqVjJYT1ETNC6aRecigMKuqUdX5APZ', 'ixJfdrn6LmwxBbYqgAQnXHR6cgG4nBXj4IdKSYxZWLEje25t7Nm6yU', 'uI78gH23bYal3ybMgr5SDQ3jxmJauyJOfydInZdQ8YffU2zELInMup', 'rdH4HQDf1a9aNYxd1TahzVo8PVO43P6qqwvd0G37maRMv3Z2YsRPmc', 'PaWhnJq9AXy51DsxUYezajDEGfJmiJBKsgzrEbVTlzuFPl2rzTRpN1', '_4BQ3DYannZfE3inYu8TtN3LJ7bFFN00q4eDZhhXWOtxUha', 'LYP31KzmBPtTPIrJIXUvUmQyEbR61Hucx3zGN638UF8FER', '_4ylbuqAJcOlS2lIcVcLmG4d4ZDytwPkBvYEzBziO5CSMPj', 'u5au5R4NydQwiRRRzPLH5eU6pdIvTWiifOU5lTaTXU3dUV', 'Vy38Lr2Vq6EYkCa15HxNy0HDTCTj4xkkNIU9G2f6a3p64C'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, yiyhCCrWBmInfG0a4QCNZtpE2fZz.csHigh entropy of concatenated method names: 'Vf08JYGAkuTJj1mNDuDSCynOx0Aj', 'dH7UkHxKG6zZ76Y42GmShdJcWCsdbHvYbbyWkQQ7cK2zHuz3RxUM6rXRlDqFqjKIgPpcU8ZvUOylxb8ddA4Y19DpCFXx04uw', 'kliHKYqxak7Y74K8xlHEw9jt1cE0LM96QYNbTzXH4VXuyNOznmFWkMFlAcECwfovp7xJdAUUJl0snMeMOdCThGd90PFaBWeA', 'bbfKzODoV2L06uXUsb35VYp7jJKXS8TBJ1WNakloVaPAZs5WhPpM9tumpwLjeXQxrZBA6gTGRhmttjSVhO5A2C80oBSC1WVP', 'aHd9iypJYBPTbdtQCl7Ok99x1nZUZsZEsznscbKdjYqFQj2Eh0WqN3YUy5jfCvoF4Hkovb9mJM9yDlly3rIm0ji28Sndw6UJ'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.csHigh entropy of concatenated method names: 'Ththm9CTOMvvm2GyNP8Qzr24jCjdhMSqMKmhGwieTi4yMTgC9uFPmmdsAe4xySIKQP361XwPWd1jaCxGPBsjil', 'jhixk0okiH6FnLIqMolEiqWfLniTXnNWbUgssa3zRYDFr2Rk0WDYWEaapMJOtmnWzdbj9a0VVhIXuwdqkskpcu', 'nAdoeyR1X8X4pimRSBLRLbXwGT6W9c31d2Z10qpK3IzMJnrNxioP5NQy25IioTNLsewZuuBGAaHrCzUj5jEOAh', 'dJQnzA612gtw8ujHxNeqyoOpAvcq8ssRQdsUZAPJ3IZR8rstxuV33yW272jijI13uLrtXrFKCCWd8euuaUY88b', 'u3NX2j7yUQ2p5r4rSnWttUtn1p6VOv7DiD5VILIwDty9G35z89Oov1SydYyzJhrxg4e7vxqrMtI5kzaavcpj4i', 'CPbcyxXDzJ13yCHordyvUP7bVO8xstIqlm68LEXaJo3q4Imu7yi53EXW0m26voMKdC1ab71UnUAqIVbSuUKUq4', 'fM95BZOdW1fmoxegIukzIdcbcty9Go2kvqFfc5EgSUVZfnVQmENPBKqb36sScN93vgiBPrDVnyajk7FoYGvHbC', 'fGAZW4e1W335OvTNw6qX9ZkZtnP6cnHp8wSZ3IDUIuPsNS75Rj1jVp7q2pfDknuUu0uag0KvV0cpgPsPR1a7VO', 'ej1ormzl2jKuOvMwjZ6nm4OM9aHYcjo27iz0oiFHIsNXUAA6XEkXASwwmlmE3nZrzYdlM8WD0aW1DucD6VIcio', 'K9kZlQvWNJvWU7lLA1FD5UujO7vk5bDIjo82PCKpprPgg4mufa91tBmYvFvdedKXqLJKPekHWnHrhD1pc3O63u'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, AwEg9KwvdcsSNSTrrziGMrveBN1p.csHigh entropy of concatenated method names: 'B23wVkYTRRlbvZPXNLXxIoOG2zrc', '_1nQfddviA6nptTfkr6TfyQY4rgxN40GBmufbL4TjTGyzc4njPykP4mxfk7CDp08r', 'ConDlLttcHyi0bvUIXIvd7ZhdNhwTtGLWyDDdezukc6tpfqHJUpxh0Y8lIuoBBJO', 'xffgxamw2yiuFaeTRpUFcPK0Fb3CaJgPpY9bMzjBfhHYcGZYQWY3vbWC8ITRQJOV', 'b3Ceji6v4OiedAr2PLCKgpF3X5xQkHVhOQ5aKhoQL5ukRlGZsSklPpLulBwOFUqc'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.csHigh entropy of concatenated method names: 'Y1ITG5MBR8142OiTMq6Zq60AoqWLOu7vDN9kZguwRz4rrKYDeseG8s', 'YRJFCxHjM7pPS4tNaT7iQrZf3P0nMtI4vOCFptxbgzKLYau24ZfSVv', 'nCJtZvaszp6oSFBL7GMdxt7QYF2vHScvtNGMXj2FMFL1HGIapNV4Nm', 'unpnLLLGMEjTQEUUBSj3mxvpQAbkt5HxZNTRjEyRODRSiZxTDm3ZG1', 'RAt0CxcgEb13BldbyvusZ6MAjrul1qh5NtQmMsF3SUmeKVwNx3CMeJ', 'duRVETZzWT64PiCNxiLb2ZTVL5cyIBFb0Tz44PVeMxvn6DYdrsjb0y', '_9hDXJ4K0XixM3bAx328T6bJ8kA4hPCruVIEYrs79DPLZYdXXXxG7C4', 'e4J5jbEn0rCBRh9jVC2QZTf9G24OA5JndJL1xso81EK2Rz4K5HXSVT', '_9jFrliaKxwwrVaHlKlmyHrIWBPEAljm6iyt2h7SJgRhygyHojB5BdN', '_9HnDvdBf3YlSqtdiZPhJ6vE7g42q2TY16T744fQeuQP8swsNcqvl7X'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.csHigh entropy of concatenated method names: 'zqSbnYJ7TRzPGM4DTBz55wB90X1H', '_4oLwAniIUZb3pHfgNlXqONekWHg3', 'CDzVFa3gZC10reMa61ZgV5cAkx86', 'sRTHUEnQNBOe33KZfvWLwDJhWgNw', 'jVgxlhUWvyKuBGP8wBjwY8ZLosae', 'bpEpLSR4YKp0SwBpXSNr4FZBegZ3', 'JEcOqiKQuo1NMNAgJ57suc0Fv4mR', 'zXHcrIVLQWaWHBgyaBEeGMLqmc93', 'IMzLMpiHmTzbaQSc0F1wjAm9srhz', 'rHGQSVSfZ2Gp1JnWnS0x8LpowN1k'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, XuBBOyqZHedkChRurO.csHigh entropy of concatenated method names: 'duSZ0GBT1D', 'iJGZutdYTH', 'ptPZ2fx5xB', 'OhDZFgbBsy', 'dFfZoBbnkq', 'KmkZKFCRM7', 'OlNZwmNXfX', 'BH8Zf9IIul', 'BSgZElJexP', 'BymZIUuR4l'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, lLoOpbp98ceyYJEt7Q.csHigh entropy of concatenated method names: 'pxi3SRTcJ', 'xcMTrMTOZ', 'euJeBDWTj', 'Y6vOr9khC', 'XNhuUc6bP', 'GRWUZv07X', 'iixiONekonRbkIQxVT', 'ihPe84nADxxKEbGbXg', 'UARjNKU6L', 'mXF7Q1IVP'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, e3Vm7DUU0l9H9RyBUx.csHigh entropy of concatenated method names: 'oK2y1fDchN', 'iUNyOmcmnB', 'KcYlHMyR7P', 'uVglov0tav', 'gi6lKV6IlJ', 'oKPlMFSgMN', 'XM4lwp20dw', 'iwOlfuQ01L', 'sJ9ld0sZ3e', 'gpPlEkhZtt'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, kE2Srp2ld2AAdsRnJr.csHigh entropy of concatenated method names: 'OWCPN762bO', 'rfsPcVOtoL', 'DUZPybZDkG', 'RinPXRX6cn', 'BmyP4ZnOcj', 'GBtyClx496', 'KltyYkQ4I0', 'LTBytFXYTN', 'dDByhE5uQN', 'y3WyLnVSG9'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, hM4Gbid7ianNtZiD8K.csHigh entropy of concatenated method names: 'GWlX9jiZYI', 'x1uXsJZ3yp', 'S4UX30AIGf', 'CQpXTyxe8n', 'v3nX13WmcB', 'C7mXecGXau', 'RsdXOivEio', 'aw3X0WNi6C', 'tsqXuHR1QM', 'W3BXUNQre5'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, HxNAiq5aRigM2OIS7K0.csHigh entropy of concatenated method names: 'UAJQ9gZTL6', 'pioQsNanLE', 'ySeQ3i7UCj', 'abVQTZryRI', 'akMQ1SRZik', 'WmQQeVHrQw', 'HXXQO69q4b', 'reUQ03pLg6', 'e7bQu0NlIW', 'Oo0QUbn27e'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, KaR3uUBI0MjM3PHugT.csHigh entropy of concatenated method names: 'oCAQ5sPUBr', 'ayiQVcftou', 'kujQrS3tXd', 'xq0QSLdNwT', 'h6oQcXDOcu', 'gERQyIlHPv', 'uKyQPHodAF', 'xJHjtydHWm', 'Lf2jhp2moM', 'oZKjLmI9Lk'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, EJxCOd0IK9HWBTygqT.csHigh entropy of concatenated method names: 'YOxcboSUkO', 'SCvcxf2s3i', 'vM7cimoL8W', 'wIPcW4K0cN', 'EHrcCNbSt0', 'KqxcYB1R5j', 'mxOcttvlma', 'SZ5chGX3AD', 'CXhcLBDlIe', 'wT0cB2A0t4'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, hSfCAGu12LdJc86UdL.csHigh entropy of concatenated method names: 'RbalTHaF87', 'BebleRZGyl', 'I4hl06a9lo', 'vw0luP5ZtK', 'xkVlJOKvRh', 'FoElm8ZPvh', 'zZrlAcjos4', 'KhQljFdkPG', 'PCalQqeZQf', 'yeil7ID6qX'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, UYrVFP5VpNDvklhDEYZ.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Re77bBab9i', 'qj07x5QNvN', 'RGB7iWxWXn', 'Ixh7WggVY8', 'jew7CTFG3y', 'SVp7YoyEs5', 'txW7t7horV'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, NRj2udzPuinToaZAkR.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HvFQZovY2u', 'XYhQJ8hbbD', 'gNLQmXuctj', 'WOvQAjEgTa', 'sAQQj2U3sT', 'pjlQQlBdyX', 'KhGQ7Gb740'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, m1JhKuWAltth18afAA.csHigh entropy of concatenated method names: 'UhRAn6RCGf', 'u5JAvpuvAe', 'ToString', 'IhRASYpXwi', 'SLhAcuA29b', 'IifAlBmCbM', 'uJTAysBLEn', 'oxiAPE0BpS', 'IxEAXPnqC1', 'eOaA4pfacg'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, ErbZs0FKsqSRkoQOs9.csHigh entropy of concatenated method names: 'vEd70HmxuMqKWpebZi6', 'UfrJN8myxn22E0b4uwT', 'o3PUnkm6FfrAtReSwod', 'AB8Pjk2GPn', 'Ur4PQOHVWY', 'mWAP7E5Wmb', 'Rrg8GDm059NPq54hnoF', 'XVZy9PmjmWiiwNjSoXL'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, Jit5a6i5l2yO4HDS69.csHigh entropy of concatenated method names: 'ToString', 'iKZmI3tE7S', 'jLAmFicqCj', 'OeXmHbErlc', 'HhnmoLn7q3', 'bDkmKn6Uhl', 'iugmMkRxtE', 'tQ0mwedx4v', 'swBmf2pBn7', 'P57mdGEIFD'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, OUgrSjc9E7Xf2gdhkq.csHigh entropy of concatenated method names: 'Dispose', 'raM5L8Y5vV', 'SQ9pFXBOIM', 'muCmmrUARs', 'ego5BXfnv2', 'woI5z1vR9v', 'ProcessDialogKey', 'jEJpaHQHnP', 'nW5p5hfyC1', 'CKpppwaR3u'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, kLsM8MYfJ8Mq09ivr4.csHigh entropy of concatenated method names: 'ssaAhwijh3', 'cvtABMfYQG', 'oM5ja6USSK', 'c5pj5rouXP', 'tHSAIRUPlT', 'ErMAR9nmyZ', 'A34Aq2HZc4', 'LovAbPFIdy', 'kNDAxUxIBm', 'DbdAicJ4ob'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, oHQHnPLvW5hfyC1eKp.csHigh entropy of concatenated method names: 'SBSj2iym1b', 'Aa9jFE5Fp7', 'TmcjHuT6f7', 'G0Ajon8F75', 'DMxjbUhxuR', 'rg8jK8fouM', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, toXfnvh26oI1vR9vXE.csHigh entropy of concatenated method names: 'E1ejSXZ3cF', 'lTcjcBfF7Q', 'RhPjlLOcgZ', 'xSejyiGTyh', 'SvSjPWMKh6', 'AghjXmCJ1V', 'Wm5j47rPuG', 'HIAjkiSyoi', 'ThBjnpDkGK', 'VNDjvTmWas'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, UhRVWs4V2ZmxwggVZX.csHigh entropy of concatenated method names: 'igfVN8Y1LQ', 'NxBVSWcsyl', 'H1pVcbu3yZ', 'u4AVl4Xx1J', 'miiVyQn0Hr', 'BIdVP8BgwE', 'i7NVXKF4lf', 'RevV4MmKuj', 'Mo8VkkDvUw', 'Kg4VnbhPC9'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41539e0.3.raw.unpack, b6FpHuraoQLlIMotTo.csHigh entropy of concatenated method names: 'Vyu5XJxCOd', 'OK954HWBTy', 'w125nLdJc8', 'wUd5vLN3Vm', 'PyB5JUx4E2', 'frp5mld2AA', 'Xtekrbic51NgvwMxTI', 'lP60E7kFUtIOAdPDfa', 'X6O7h6JE6yC97g6pit', 'xaZ55yketZ'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, XuBBOyqZHedkChRurO.csHigh entropy of concatenated method names: 'duSZ0GBT1D', 'iJGZutdYTH', 'ptPZ2fx5xB', 'OhDZFgbBsy', 'dFfZoBbnkq', 'KmkZKFCRM7', 'OlNZwmNXfX', 'BH8Zf9IIul', 'BSgZElJexP', 'BymZIUuR4l'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, lLoOpbp98ceyYJEt7Q.csHigh entropy of concatenated method names: 'pxi3SRTcJ', 'xcMTrMTOZ', 'euJeBDWTj', 'Y6vOr9khC', 'XNhuUc6bP', 'GRWUZv07X', 'iixiONekonRbkIQxVT', 'ihPe84nADxxKEbGbXg', 'UARjNKU6L', 'mXF7Q1IVP'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, e3Vm7DUU0l9H9RyBUx.csHigh entropy of concatenated method names: 'oK2y1fDchN', 'iUNyOmcmnB', 'KcYlHMyR7P', 'uVglov0tav', 'gi6lKV6IlJ', 'oKPlMFSgMN', 'XM4lwp20dw', 'iwOlfuQ01L', 'sJ9ld0sZ3e', 'gpPlEkhZtt'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, kE2Srp2ld2AAdsRnJr.csHigh entropy of concatenated method names: 'OWCPN762bO', 'rfsPcVOtoL', 'DUZPybZDkG', 'RinPXRX6cn', 'BmyP4ZnOcj', 'GBtyClx496', 'KltyYkQ4I0', 'LTBytFXYTN', 'dDByhE5uQN', 'y3WyLnVSG9'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, hM4Gbid7ianNtZiD8K.csHigh entropy of concatenated method names: 'GWlX9jiZYI', 'x1uXsJZ3yp', 'S4UX30AIGf', 'CQpXTyxe8n', 'v3nX13WmcB', 'C7mXecGXau', 'RsdXOivEio', 'aw3X0WNi6C', 'tsqXuHR1QM', 'W3BXUNQre5'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, HxNAiq5aRigM2OIS7K0.csHigh entropy of concatenated method names: 'UAJQ9gZTL6', 'pioQsNanLE', 'ySeQ3i7UCj', 'abVQTZryRI', 'akMQ1SRZik', 'WmQQeVHrQw', 'HXXQO69q4b', 'reUQ03pLg6', 'e7bQu0NlIW', 'Oo0QUbn27e'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, KaR3uUBI0MjM3PHugT.csHigh entropy of concatenated method names: 'oCAQ5sPUBr', 'ayiQVcftou', 'kujQrS3tXd', 'xq0QSLdNwT', 'h6oQcXDOcu', 'gERQyIlHPv', 'uKyQPHodAF', 'xJHjtydHWm', 'Lf2jhp2moM', 'oZKjLmI9Lk'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, EJxCOd0IK9HWBTygqT.csHigh entropy of concatenated method names: 'YOxcboSUkO', 'SCvcxf2s3i', 'vM7cimoL8W', 'wIPcW4K0cN', 'EHrcCNbSt0', 'KqxcYB1R5j', 'mxOcttvlma', 'SZ5chGX3AD', 'CXhcLBDlIe', 'wT0cB2A0t4'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, hSfCAGu12LdJc86UdL.csHigh entropy of concatenated method names: 'RbalTHaF87', 'BebleRZGyl', 'I4hl06a9lo', 'vw0luP5ZtK', 'xkVlJOKvRh', 'FoElm8ZPvh', 'zZrlAcjos4', 'KhQljFdkPG', 'PCalQqeZQf', 'yeil7ID6qX'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, UYrVFP5VpNDvklhDEYZ.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Re77bBab9i', 'qj07x5QNvN', 'RGB7iWxWXn', 'Ixh7WggVY8', 'jew7CTFG3y', 'SVp7YoyEs5', 'txW7t7horV'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, NRj2udzPuinToaZAkR.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HvFQZovY2u', 'XYhQJ8hbbD', 'gNLQmXuctj', 'WOvQAjEgTa', 'sAQQj2U3sT', 'pjlQQlBdyX', 'KhGQ7Gb740'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, m1JhKuWAltth18afAA.csHigh entropy of concatenated method names: 'UhRAn6RCGf', 'u5JAvpuvAe', 'ToString', 'IhRASYpXwi', 'SLhAcuA29b', 'IifAlBmCbM', 'uJTAysBLEn', 'oxiAPE0BpS', 'IxEAXPnqC1', 'eOaA4pfacg'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, ErbZs0FKsqSRkoQOs9.csHigh entropy of concatenated method names: 'vEd70HmxuMqKWpebZi6', 'UfrJN8myxn22E0b4uwT', 'o3PUnkm6FfrAtReSwod', 'AB8Pjk2GPn', 'Ur4PQOHVWY', 'mWAP7E5Wmb', 'Rrg8GDm059NPq54hnoF', 'XVZy9PmjmWiiwNjSoXL'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, Jit5a6i5l2yO4HDS69.csHigh entropy of concatenated method names: 'ToString', 'iKZmI3tE7S', 'jLAmFicqCj', 'OeXmHbErlc', 'HhnmoLn7q3', 'bDkmKn6Uhl', 'iugmMkRxtE', 'tQ0mwedx4v', 'swBmf2pBn7', 'P57mdGEIFD'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, OUgrSjc9E7Xf2gdhkq.csHigh entropy of concatenated method names: 'Dispose', 'raM5L8Y5vV', 'SQ9pFXBOIM', 'muCmmrUARs', 'ego5BXfnv2', 'woI5z1vR9v', 'ProcessDialogKey', 'jEJpaHQHnP', 'nW5p5hfyC1', 'CKpppwaR3u'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, kLsM8MYfJ8Mq09ivr4.csHigh entropy of concatenated method names: 'ssaAhwijh3', 'cvtABMfYQG', 'oM5ja6USSK', 'c5pj5rouXP', 'tHSAIRUPlT', 'ErMAR9nmyZ', 'A34Aq2HZc4', 'LovAbPFIdy', 'kNDAxUxIBm', 'DbdAicJ4ob'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, oHQHnPLvW5hfyC1eKp.csHigh entropy of concatenated method names: 'SBSj2iym1b', 'Aa9jFE5Fp7', 'TmcjHuT6f7', 'G0Ajon8F75', 'DMxjbUhxuR', 'rg8jK8fouM', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, toXfnvh26oI1vR9vXE.csHigh entropy of concatenated method names: 'E1ejSXZ3cF', 'lTcjcBfF7Q', 'RhPjlLOcgZ', 'xSejyiGTyh', 'SvSjPWMKh6', 'AghjXmCJ1V', 'Wm5j47rPuG', 'HIAjkiSyoi', 'ThBjnpDkGK', 'VNDjvTmWas'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, UhRVWs4V2ZmxwggVZX.csHigh entropy of concatenated method names: 'igfVN8Y1LQ', 'NxBVSWcsyl', 'H1pVcbu3yZ', 'u4AVl4Xx1J', 'miiVyQn0Hr', 'BIdVP8BgwE', 'i7NVXKF4lf', 'RevV4MmKuj', 'Mo8VkkDvUw', 'Kg4VnbhPC9'
              Source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.41a9e00.4.raw.unpack, b6FpHuraoQLlIMotTo.csHigh entropy of concatenated method names: 'Vyu5XJxCOd', 'OK954HWBTy', 'w125nLdJc8', 'wUd5vLN3Vm', 'PyB5JUx4E2', 'frp5mld2AA', 'Xtekrbic51NgvwMxTI', 'lP60E7kFUtIOAdPDfa', 'X6O7h6JE6yC97g6pit', 'xaZ55yketZ'
              Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.csHigh entropy of concatenated method names: 'GgpMcZhIjR4120pY8u6uCAiRH4QL01oA8al3eaKERyo7Gz', 'ox5p61KJCv91fSFYDHVf3yI6mIZn5ghkne6RW0Q8ZPdDkx', 'TkIpa4am8tCYuP2dbxBDwmHKEDZIHnVId2GnDhDqTVhJPo', '_3e2Pfn3Q4rzLu9onfN67v8ko7Z5GrYRUc35ZD0QCHbo1YY'
              Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, PHumo8U1BHf4b2B0BWI8ZjmYpkj0.csHigh entropy of concatenated method names: 'RFCRLGhpvr9NYR00cC1jYzzhNoGc', 'IqIjmnuxJ3fJRXpWx5i6p06BvknH', 'h0QcBPr1tUpbbttnFh9pKeMIsLO0', 'JSwQAKrE3hy1Xa8kCeMUMHl7tDFE7zJBBkYpqtl37oquI8kO6qW3jvG253n2hGlwshqFcUIXl44Oait8Y', 'fhf8l63mvf58nkljMdtns2rS0jJ2Ku25GBqPsf8n0AKTalQsLlJ1tFYxXYqj7TVM2LHXF5CxOxaHtM6jA', 'vQNlFV5MYsgGnmsnjddhs1LPn3prl9t7ngD4qJeNWZriEhRxGwEXYYAjMr6ahuqzuXFsZfVbLVzkS41Vy', '_8AGsKmcQHxtfYjXjvmBkfPnUSkoIgwMqT93GOJ9ShoozPTN2nEFJUp1bsZ9zGgtDGeiV63iY7TYgp9hVJ', 'tjTEJDI9pAPfnZ6wp0X14AFZ0NjjbgGWPfaONvZW9uBIRqGF58ytx59qIdox5dfKk6pi14jdQPhI5tn1s', 'OgjQKOuHxlVXiA61HD7fxqZ7wejN9zDbP17G8kaz8wQSe8FZyV8JQxKKzHnOgBQzAe9fJZzpQEsYpLtVb', '_0rspqqxb6onB15LoNuYaKLkSfLMALfE6Z1AIUy9jHx0zKOpBrulxBSe7HFGDte3YPXrP3wiRXGoncCsf4'
              Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, whVbSFDbmJZTsAWLMmphob7SHg0R4bdRNw2BjvOoEgTOMDBCDU1CAVgGsNaFR02HhbWUm.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_3pDfniDpif4ffCBHzv5bH1QqY4RRTgrkEK1pAzNpcDMSMZ', 'xKtnUdWSHKGxkHapMrBiNIn04Rff5XQTqCAhUYQp3i1Ggx', 'IWSntankFfmsXsov89pEhnqj0oTXRR78x8ELNzBMVcL2JJ', '_8L49Fnel5Kq4GFLrTxXWrAGEUYk8hdJyXj47Eme6zHmspu'
              Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, RzV3NqSJmQfWQhjbhOPVza66IRVo.csHigh entropy of concatenated method names: '_6koM63edaR5ulqE8qZJ1WgfYyvzN', '_7JiPm57tnavbvPzY74rgM9y1iJtT', 'Aruijh1no96v0wVBvnLbY4snFt73', 'ctiNUX9oq9EA4zH4jODZblffSAJF', 'uPdhKbuy6nqCVVLRnJ6jlllGGP6d', 'TiPpfFy5VhN0zMwKD1gVMbOzfSgC', 'lXZRxavinAOWbg1hvsGcejk4lw4T', 'KtJjpUvLXGQDROyJaC0DNFqmSRq2', 'xUy9HRbOaV30MYPN9VXbdD8DmCAG', 'LkU1GalO3bNCgLqOcLGi821bM6ee'
              Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, rP7eOmPaR96CBwBf9RIXmfuDoroi.csHigh entropy of concatenated method names: 'Fp8pNXY4fhbes0H5oqiR8jKEBZEH', '_661Zzgo0pdE0U75TsTzuzFsDxHOT', 'rQ2gSBrFnkVUvLbZzLv5ga4o1pjx', 'UCcjzA6PAlfE2LxhvhTzGIXPhpAn', 'baQZZMeWmiqPU9EJp6SLbI5WXnomZoJDRueuC4pQoapccESUO2SzgGF5UW5HlaX2', 'A4xs6CjXolI6X30mxALRiJYTF8jqDZBrf40ysFqc4pWKIxeGhOeiWbew8EvVGJHd', 'b3cjtVyVHy9zn50JJ5VOzoqy9EMuKOGdSQmDI3WGcp0IZVtEsyfaieiqbwg2ahfZ', 'jWzPAkZaZrbCLng1y4jaCC6NLxIzXJIygYb4p4AFgh3XWrw1T9oOD8DL6DWBbM9m', 'f3fHFHct6Px3fevqcMWLBTtjkvfS5HcXz10fUaugglZl9jCzhTqBRW6VQu3ewMiq', 'yZoTAMVjT8hplHJxEV3mjagEx9xvoZqVFtOwVLOVjYWXniPhmYJo75x715dDVsz8'
              Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, s9dzM1HbtTjuXC0T1gSDLB6YlRyDPDyrsQnUAGJGlfWeIFsb33G7o3.csHigh entropy of concatenated method names: 'YcCjk3IRCObvHMNKMfV5o4JSwqVjJYT1ETNC6aRecigMKuqUdX5APZ', 'ixJfdrn6LmwxBbYqgAQnXHR6cgG4nBXj4IdKSYxZWLEje25t7Nm6yU', 'uI78gH23bYal3ybMgr5SDQ3jxmJauyJOfydInZdQ8YffU2zELInMup', 'rdH4HQDf1a9aNYxd1TahzVo8PVO43P6qqwvd0G37maRMv3Z2YsRPmc', 'PaWhnJq9AXy51DsxUYezajDEGfJmiJBKsgzrEbVTlzuFPl2rzTRpN1', '_4BQ3DYannZfE3inYu8TtN3LJ7bFFN00q4eDZhhXWOtxUha', 'LYP31KzmBPtTPIrJIXUvUmQyEbR61Hucx3zGN638UF8FER', '_4ylbuqAJcOlS2lIcVcLmG4d4ZDytwPkBvYEzBziO5CSMPj', 'u5au5R4NydQwiRRRzPLH5eU6pdIvTWiifOU5lTaTXU3dUV', 'Vy38Lr2Vq6EYkCa15HxNy0HDTCTj4xkkNIU9G2f6a3p64C'
              Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, yiyhCCrWBmInfG0a4QCNZtpE2fZz.csHigh entropy of concatenated method names: 'Vf08JYGAkuTJj1mNDuDSCynOx0Aj', 'dH7UkHxKG6zZ76Y42GmShdJcWCsdbHvYbbyWkQQ7cK2zHuz3RxUM6rXRlDqFqjKIgPpcU8ZvUOylxb8ddA4Y19DpCFXx04uw', 'kliHKYqxak7Y74K8xlHEw9jt1cE0LM96QYNbTzXH4VXuyNOznmFWkMFlAcECwfovp7xJdAUUJl0snMeMOdCThGd90PFaBWeA', 'bbfKzODoV2L06uXUsb35VYp7jJKXS8TBJ1WNakloVaPAZs5WhPpM9tumpwLjeXQxrZBA6gTGRhmttjSVhO5A2C80oBSC1WVP', 'aHd9iypJYBPTbdtQCl7Ok99x1nZUZsZEsznscbKdjYqFQj2Eh0WqN3YUy5jfCvoF4Hkovb9mJM9yDlly3rIm0ji28Sndw6UJ'
              Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs High entropy of concatenated method names: 'Ththm9CTOMvvm2GyNP8Qzr24jCjdhMSqMKmhGwieTi4yMTgC9uFPmmdsAe4xySIKQP361XwPWd1jaCxGPBsjil', 'jhixk0okiH6FnLIqMolEiqWfLniTXnNWbUgssa3zRYDFr2Rk0WDYWEaapMJOtmnWzdbj9a0VVhIXuwdqkskpcu', 'nAdoeyR1X8X4pimRSBLRLbXwGT6W9c31d2Z10qpK3IzMJnrNxioP5NQy25IioTNLsewZuuBGAaHrCzUj5jEOAh', 'dJQnzA612gtw8ujHxNeqyoOpAvcq8ssRQdsUZAPJ3IZR8rstxuV33yW272jijI13uLrtXrFKCCWd8euuaUY88b', 'u3NX2j7yUQ2p5r4rSnWttUtn1p6VOv7DiD5VILIwDty9G35z89Oov1SydYyzJhrxg4e7vxqrMtI5kzaavcpj4i', 'CPbcyxXDzJ13yCHordyvUP7bVO8xstIqlm68LEXaJo3q4Imu7yi53EXW0m26voMKdC1ab71UnUAqIVbSuUKUq4', 'fM95BZOdW1fmoxegIukzIdcbcty9Go2kvqFfc5EgSUVZfnVQmENPBKqb36sScN93vgiBPrDVnyajk7FoYGvHbC', 'fGAZW4e1W335OvTNw6qX9ZkZtnP6cnHp8wSZ3IDUIuPsNS75Rj1jVp7q2pfDknuUu0uag0KvV0cpgPsPR1a7VO', 'ej1ormzl2jKuOvMwjZ6nm4OM9aHYcjo27iz0oiFHIsNXUAA6XEkXASwwmlmE3nZrzYdlM8WD0aW1DucD6VIcio', 'K9kZlQvWNJvWU7lLA1FD5UujO7vk5bDIjo82PCKpprPgg4mufa91tBmYvFvdedKXqLJKPekHWnHrhD1pc3O63u'
              Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, AwEg9KwvdcsSNSTrrziGMrveBN1p.cs High entropy of concatenated method names: 'B23wVkYTRRlbvZPXNLXxIoOG2zrc', '_1nQfddviA6nptTfkr6TfyQY4rgxN40GBmufbL4TjTGyzc4njPykP4mxfk7CDp08r', 'ConDlLttcHyi0bvUIXIvd7ZhdNhwTtGLWyDDdezukc6tpfqHJUpxh0Y8lIuoBBJO', 'xffgxamw2yiuFaeTRpUFcPK0Fb3CaJgPpY9bMzjBfhHYcGZYQWY3vbWC8ITRQJOV', 'b3Ceji6v4OiedAr2PLCKgpF3X5xQkHVhOQ5aKhoQL5ukRlGZsSklPpLulBwOFUqc'
              Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.cs High entropy of concatenated method names: 'Y1ITG5MBR8142OiTMq6Zq60AoqWLOu7vDN9kZguwRz4rrKYDeseG8s', 'YRJFCxHjM7pPS4tNaT7iQrZf3P0nMtI4vOCFptxbgzKLYau24ZfSVv', 'nCJtZvaszp6oSFBL7GMdxt7QYF2vHScvtNGMXj2FMFL1HGIapNV4Nm', 'unpnLLLGMEjTQEUUBSj3mxvpQAbkt5HxZNTRjEyRODRSiZxTDm3ZG1', 'RAt0CxcgEb13BldbyvusZ6MAjrul1qh5NtQmMsF3SUmeKVwNx3CMeJ', 'duRVETZzWT64PiCNxiLb2ZTVL5cyIBFb0Tz44PVeMxvn6DYdrsjb0y', '_9hDXJ4K0XixM3bAx328T6bJ8kA4hPCruVIEYrs79DPLZYdXXXxG7C4', 'e4J5jbEn0rCBRh9jVC2QZTf9G24OA5JndJL1xso81EK2Rz4K5HXSVT', '_9jFrliaKxwwrVaHlKlmyHrIWBPEAljm6iyt2h7SJgRhygyHojB5BdN', '_9HnDvdBf3YlSqtdiZPhJ6vE7g42q2TY16T744fQeuQP8swsNcqvl7X'
              Source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs High entropy of concatenated method names: 'zqSbnYJ7TRzPGM4DTBz55wB90X1H', '_4oLwAniIUZb3pHfgNlXqONekWHg3', 'CDzVFa3gZC10reMa61ZgV5cAkx86', 'sRTHUEnQNBOe33KZfvWLwDJhWgNw', 'jVgxlhUWvyKuBGP8wBjwY8ZLosae', 'bpEpLSR4YKp0SwBpXSNr4FZBegZ3', 'JEcOqiKQuo1NMNAgJ57suc0Fv4mR', 'zXHcrIVLQWaWHBgyaBEeGMLqmc93', 'IMzLMpiHmTzbaQSc0F1wjAm9srhz', 'rHGQSVSfZ2Gp1JnWnS0x8LpowN1k'
              Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, Sox3Yx3dx4S3f1tLhIfqbcbVLGgKG4P8tgojSYo8MASOLmPaWwtaUv.cs High entropy of concatenated method names: 'GgpMcZhIjR4120pY8u6uCAiRH4QL01oA8al3eaKERyo7Gz', 'ox5p61KJCv91fSFYDHVf3yI6mIZn5ghkne6RW0Q8ZPdDkx', 'TkIpa4am8tCYuP2dbxBDwmHKEDZIHnVId2GnDhDqTVhJPo', '_3e2Pfn3Q4rzLu9onfN67v8ko7Z5GrYRUc35ZD0QCHbo1YY'
              Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, PHumo8U1BHf4b2B0BWI8ZjmYpkj0.cs High entropy of concatenated method names: 'RFCRLGhpvr9NYR00cC1jYzzhNoGc', 'IqIjmnuxJ3fJRXpWx5i6p06BvknH', 'h0QcBPr1tUpbbttnFh9pKeMIsLO0', 'JSwQAKrE3hy1Xa8kCeMUMHl7tDFE7zJBBkYpqtl37oquI8kO6qW3jvG253n2hGlwshqFcUIXl44Oait8Y', 'fhf8l63mvf58nkljMdtns2rS0jJ2Ku25GBqPsf8n0AKTalQsLlJ1tFYxXYqj7TVM2LHXF5CxOxaHtM6jA', 'vQNlFV5MYsgGnmsnjddhs1LPn3prl9t7ngD4qJeNWZriEhRxGwEXYYAjMr6ahuqzuXFsZfVbLVzkS41Vy', '_8AGsKmcQHxtfYjXjvmBkfPnUSkoIgwMqT93GOJ9ShoozPTN2nEFJUp1bsZ9zGgtDGeiV63iY7TYgp9hVJ', 'tjTEJDI9pAPfnZ6wp0X14AFZ0NjjbgGWPfaONvZW9uBIRqGF58ytx59qIdox5dfKk6pi14jdQPhI5tn1s', 'OgjQKOuHxlVXiA61HD7fxqZ7wejN9zDbP17G8kaz8wQSe8FZyV8JQxKKzHnOgBQzAe9fJZzpQEsYpLtVb', '_0rspqqxb6onB15LoNuYaKLkSfLMALfE6Z1AIUy9jHx0zKOpBrulxBSe7HFGDte3YPXrP3wiRXGoncCsf4'
              Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, whVbSFDbmJZTsAWLMmphob7SHg0R4bdRNw2BjvOoEgTOMDBCDU1CAVgGsNaFR02HhbWUm.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_3pDfniDpif4ffCBHzv5bH1QqY4RRTgrkEK1pAzNpcDMSMZ', 'xKtnUdWSHKGxkHapMrBiNIn04Rff5XQTqCAhUYQp3i1Ggx', 'IWSntankFfmsXsov89pEhnqj0oTXRR78x8ELNzBMVcL2JJ', '_8L49Fnel5Kq4GFLrTxXWrAGEUYk8hdJyXj47Eme6zHmspu'
              Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, RzV3NqSJmQfWQhjbhOPVza66IRVo.cs High entropy of concatenated method names: '_6koM63edaR5ulqE8qZJ1WgfYyvzN', '_7JiPm57tnavbvPzY74rgM9y1iJtT', 'Aruijh1no96v0wVBvnLbY4snFt73', 'ctiNUX9oq9EA4zH4jODZblffSAJF', 'uPdhKbuy6nqCVVLRnJ6jlllGGP6d', 'TiPpfFy5VhN0zMwKD1gVMbOzfSgC', 'lXZRxavinAOWbg1hvsGcejk4lw4T', 'KtJjpUvLXGQDROyJaC0DNFqmSRq2', 'xUy9HRbOaV30MYPN9VXbdD8DmCAG', 'LkU1GalO3bNCgLqOcLGi821bM6ee'
              Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, rP7eOmPaR96CBwBf9RIXmfuDoroi.cs High entropy of concatenated method names: 'Fp8pNXY4fhbes0H5oqiR8jKEBZEH', '_661Zzgo0pdE0U75TsTzuzFsDxHOT', 'rQ2gSBrFnkVUvLbZzLv5ga4o1pjx', 'UCcjzA6PAlfE2LxhvhTzGIXPhpAn', 'baQZZMeWmiqPU9EJp6SLbI5WXnomZoJDRueuC4pQoapccESUO2SzgGF5UW5HlaX2', 'A4xs6CjXolI6X30mxALRiJYTF8jqDZBrf40ysFqc4pWKIxeGhOeiWbew8EvVGJHd', 'b3cjtVyVHy9zn50JJ5VOzoqy9EMuKOGdSQmDI3WGcp0IZVtEsyfaieiqbwg2ahfZ', 'jWzPAkZaZrbCLng1y4jaCC6NLxIzXJIygYb4p4AFgh3XWrw1T9oOD8DL6DWBbM9m', 'f3fHFHct6Px3fevqcMWLBTtjkvfS5HcXz10fUaugglZl9jCzhTqBRW6VQu3ewMiq', 'yZoTAMVjT8hplHJxEV3mjagEx9xvoZqVFtOwVLOVjYWXniPhmYJo75x715dDVsz8'
              Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, s9dzM1HbtTjuXC0T1gSDLB6YlRyDPDyrsQnUAGJGlfWeIFsb33G7o3.cs High entropy of concatenated method names: 'YcCjk3IRCObvHMNKMfV5o4JSwqVjJYT1ETNC6aRecigMKuqUdX5APZ', 'ixJfdrn6LmwxBbYqgAQnXHR6cgG4nBXj4IdKSYxZWLEje25t7Nm6yU', 'uI78gH23bYal3ybMgr5SDQ3jxmJauyJOfydInZdQ8YffU2zELInMup', 'rdH4HQDf1a9aNYxd1TahzVo8PVO43P6qqwvd0G37maRMv3Z2YsRPmc', 'PaWhnJq9AXy51DsxUYezajDEGfJmiJBKsgzrEbVTlzuFPl2rzTRpN1', '_4BQ3DYannZfE3inYu8TtN3LJ7bFFN00q4eDZhhXWOtxUha', 'LYP31KzmBPtTPIrJIXUvUmQyEbR61Hucx3zGN638UF8FER', '_4ylbuqAJcOlS2lIcVcLmG4d4ZDytwPkBvYEzBziO5CSMPj', 'u5au5R4NydQwiRRRzPLH5eU6pdIvTWiifOU5lTaTXU3dUV', 'Vy38Lr2Vq6EYkCa15HxNy0HDTCTj4xkkNIU9G2f6a3p64C'
              Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, yiyhCCrWBmInfG0a4QCNZtpE2fZz.cs High entropy of concatenated method names: 'Vf08JYGAkuTJj1mNDuDSCynOx0Aj', 'dH7UkHxKG6zZ76Y42GmShdJcWCsdbHvYbbyWkQQ7cK2zHuz3RxUM6rXRlDqFqjKIgPpcU8ZvUOylxb8ddA4Y19DpCFXx04uw', 'kliHKYqxak7Y74K8xlHEw9jt1cE0LM96QYNbTzXH4VXuyNOznmFWkMFlAcECwfovp7xJdAUUJl0snMeMOdCThGd90PFaBWeA', 'bbfKzODoV2L06uXUsb35VYp7jJKXS8TBJ1WNakloVaPAZs5WhPpM9tumpwLjeXQxrZBA6gTGRhmttjSVhO5A2C80oBSC1WVP', 'aHd9iypJYBPTbdtQCl7Ok99x1nZUZsZEsznscbKdjYqFQj2Eh0WqN3YUy5jfCvoF4Hkovb9mJM9yDlly3rIm0ji28Sndw6UJ'
              Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, MlxLECNQtbM4TD0SojWWFbuDHHiNyqDVt465RvhnIx6GdJ6aaAAsRiQRV8vdL7OvMDJexxo5Ow54v8cX7zqQKT.cs High entropy of concatenated method names: 'Ththm9CTOMvvm2GyNP8Qzr24jCjdhMSqMKmhGwieTi4yMTgC9uFPmmdsAe4xySIKQP361XwPWd1jaCxGPBsjil', 'jhixk0okiH6FnLIqMolEiqWfLniTXnNWbUgssa3zRYDFr2Rk0WDYWEaapMJOtmnWzdbj9a0VVhIXuwdqkskpcu', 'nAdoeyR1X8X4pimRSBLRLbXwGT6W9c31d2Z10qpK3IzMJnrNxioP5NQy25IioTNLsewZuuBGAaHrCzUj5jEOAh', 'dJQnzA612gtw8ujHxNeqyoOpAvcq8ssRQdsUZAPJ3IZR8rstxuV33yW272jijI13uLrtXrFKCCWd8euuaUY88b', 'u3NX2j7yUQ2p5r4rSnWttUtn1p6VOv7DiD5VILIwDty9G35z89Oov1SydYyzJhrxg4e7vxqrMtI5kzaavcpj4i', 'CPbcyxXDzJ13yCHordyvUP7bVO8xstIqlm68LEXaJo3q4Imu7yi53EXW0m26voMKdC1ab71UnUAqIVbSuUKUq4', 'fM95BZOdW1fmoxegIukzIdcbcty9Go2kvqFfc5EgSUVZfnVQmENPBKqb36sScN93vgiBPrDVnyajk7FoYGvHbC', 'fGAZW4e1W335OvTNw6qX9ZkZtnP6cnHp8wSZ3IDUIuPsNS75Rj1jVp7q2pfDknuUu0uag0KvV0cpgPsPR1a7VO', 'ej1ormzl2jKuOvMwjZ6nm4OM9aHYcjo27iz0oiFHIsNXUAA6XEkXASwwmlmE3nZrzYdlM8WD0aW1DucD6VIcio', 'K9kZlQvWNJvWU7lLA1FD5UujO7vk5bDIjo82PCKpprPgg4mufa91tBmYvFvdedKXqLJKPekHWnHrhD1pc3O63u'
              Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, AwEg9KwvdcsSNSTrrziGMrveBN1p.cs High entropy of concatenated method names: 'B23wVkYTRRlbvZPXNLXxIoOG2zrc', '_1nQfddviA6nptTfkr6TfyQY4rgxN40GBmufbL4TjTGyzc4njPykP4mxfk7CDp08r', 'ConDlLttcHyi0bvUIXIvd7ZhdNhwTtGLWyDDdezukc6tpfqHJUpxh0Y8lIuoBBJO', 'xffgxamw2yiuFaeTRpUFcPK0Fb3CaJgPpY9bMzjBfhHYcGZYQWY3vbWC8ITRQJOV', 'b3Ceji6v4OiedAr2PLCKgpF3X5xQkHVhOQ5aKhoQL5ukRlGZsSklPpLulBwOFUqc'
              Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, lDNrZ0PpIhtkmNhtuLhViabWwcRagB8W7OumnW1em5VOXVAZufAe0j.cs High entropy of concatenated method names: 'Y1ITG5MBR8142OiTMq6Zq60AoqWLOu7vDN9kZguwRz4rrKYDeseG8s', 'YRJFCxHjM7pPS4tNaT7iQrZf3P0nMtI4vOCFptxbgzKLYau24ZfSVv', 'nCJtZvaszp6oSFBL7GMdxt7QYF2vHScvtNGMXj2FMFL1HGIapNV4Nm', 'unpnLLLGMEjTQEUUBSj3mxvpQAbkt5HxZNTRjEyRODRSiZxTDm3ZG1', 'RAt0CxcgEb13BldbyvusZ6MAjrul1qh5NtQmMsF3SUmeKVwNx3CMeJ', 'duRVETZzWT64PiCNxiLb2ZTVL5cyIBFb0Tz44PVeMxvn6DYdrsjb0y', '_9hDXJ4K0XixM3bAx328T6bJ8kA4hPCruVIEYrs79DPLZYdXXXxG7C4', 'e4J5jbEn0rCBRh9jVC2QZTf9G24OA5JndJL1xso81EK2Rz4K5HXSVT', '_9jFrliaKxwwrVaHlKlmyHrIWBPEAljm6iyt2h7SJgRhygyHojB5BdN', '_9HnDvdBf3YlSqtdiZPhJ6vE7g42q2TY16T744fQeuQP8swsNcqvl7X'
              Source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, UZUv4Eo6zQhbxPiCqZPo3OnZwa02.cs High entropy of concatenated method names: 'zqSbnYJ7TRzPGM4DTBz55wB90X1H', '_4oLwAniIUZb3pHfgNlXqONekWHg3', 'CDzVFa3gZC10reMa61ZgV5cAkx86', 'sRTHUEnQNBOe33KZfvWLwDJhWgNw', 'jVgxlhUWvyKuBGP8wBjwY8ZLosae', 'bpEpLSR4YKp0SwBpXSNr4FZBegZ3', 'JEcOqiKQuo1NMNAgJ57suc0Fv4mR', 'zXHcrIVLQWaWHBgyaBEeGMLqmc93', 'IMzLMpiHmTzbaQSc0F1wjAm9srhz', 'rHGQSVSfZ2Gp1JnWnS0x8LpowN1k'
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe File created: \for jobref oc-seaexp yfc export-sea booking853ipn0006279.exe
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe File created: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe File created: C:\Users\user\AppData\Local\XClient.exe

              Boot Survival

              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp378C.tmp"
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe  Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              barindex
              Source: Yara match  File source: Process Memory Space: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe PID: 3300, type: MEMORYSTR
              Source: Yara match  File source: Process Memory Space: BhTdjGetAH.exe PID: 7608, type: MEMORYSTR
              Source: Yara match  File source: Process Memory Space: XClient.exe PID: 2132, type: MEMORYSTR
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe  Memory allocated: 1460000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe  Memory allocated: 2FE0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe  Memory allocated: 4FE0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe  Memory allocated: 7AA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe  Memory allocated: 8AA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe  Memory allocated: 8C40000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe  Memory allocated: 9C40000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe  Memory allocated: 9F80000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe  Memory allocated: AF80000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe  Memory allocated: 1260000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe  Memory allocated: 2D60000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe  Memory allocated: 4D60000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe  Memory allocated: D40000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe  Memory allocated: 2800000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe  Memory allocated: DA0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe  Memory allocated: 6D60000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe  Memory allocated: 7D60000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe  Memory allocated: 7EF0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe  Memory allocated: 8EF0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe  Memory allocated: 9200000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe  Memory allocated: A200000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe  Memory allocated: B200000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe  Memory allocated: C4E0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe  Memory allocated: D4E0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeMemory allocated: DAF0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeMemory allocated: EAF0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeMemory allocated: 1050000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeMemory allocated: 29A0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exeMemory allocated: 49A0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\XClient.exeMemory allocated: 2E70000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\XClient.exeMemory allocated: 3070000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\XClient.exeMemory allocated: 5070000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\XClient.exeMemory allocated: 7720000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\XClient.exeMemory allocated: 8720000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\XClient.exeMemory allocated: 88B0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\XClient.exeMemory allocated: 98B0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\XClient.exeMemory allocated: 9BC0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\XClient.exeMemory allocated: ABC0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\XClient.exeMemory allocated: 88B0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\XClient.exeMemory allocated: 9BC0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\XClient.exeMemory allocated: ABC0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\XClient.exeMemory allocated: 2830000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\XClient.exeMemory allocated: 2A00000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\XClient.exeMemory allocated: 4A00000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\XClient.exeMemory allocated: 1090000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\XClient.exeMemory allocated: 29F0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\XClient.exeMemory allocated: 49F0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\XClient.exeMemory allocated: 70B0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\XClient.exeMemory allocated: 80B0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\XClient.exeMemory allocated: 8240000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\XClient.exeMemory allocated: 9240000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\XClient.exeMemory allocated: 9550000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\XClient.exeMemory allocated: A550000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\XClient.exeMemory allocated: 8240000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\XClient.exeMemory allocated: 9550000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\XClient.exeMemory allocated: A550000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\XClient.exeMemory allocated: 11C0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\XClient.exeMemory allocated: 2CA0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Local\XClient.exeMemory allocated: 4CA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe    Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe    Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\XClient.exe    Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\XClient.exe    Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\XClient.exe    Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\XClient.exe    Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 5349
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 5706
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 821
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Window / User API: threadDelayed 6874
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Window / User API: threadDelayed 2956
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 8194
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 747
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 7015
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 2679
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 7611
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 2071
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 5762
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 4041
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe TID: 6756    Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7360    Thread sleep count: 5349 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7336    Thread sleep count: 218 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7548    Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7480    Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7552    Thread sleep time: -5534023222112862s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7500    Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe TID: 7496    Thread sleep time: -10145709240540247s >= -30000s
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe TID: 7704    Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7816    Thread sleep count: 8194 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7804    Thread sleep count: 747 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7860    Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7840    Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe TID: 8032    Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8168    Thread sleep count: 7015 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8164    Thread sleep count: 2679 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7260    Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7292    Thread sleep count: 7611 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7292    Thread sleep count: 2071 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1076    Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7384    Thread sleep count: 5762 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7384    Thread sleep count: 4041 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7220    Thread sleep time: -5534023222112862s >= -30000s
              Source: C:\Users\user\AppData\Local\XClient.exe TID: 7784    Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Local\XClient.exe TID: 2832    Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Local\XClient.exe TID: 7652    Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Local\XClient.exe TID: 8164    Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\conhost.exe    Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe    Last function: Thread delayed
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Last function: Thread delayed
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe    Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe    Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe    Last function: Thread delayed
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    File Volume queried: C:\ FullSizeInformation
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    File Volume queried: C:\ FullSizeInformation
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    File Volume queried: C:\ FullSizeInformation
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    File Volume queried: C:\ FullSizeInformation
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    File Volume queried: C:\ FullSizeInformation
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    File Volume queried: C:\ FullSizeInformation
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    File Volume queried: C:\ FullSizeInformation
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    File Volume queried: C:\ FullSizeInformation
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    File Volume queried: C:\ FullSizeInformation
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    File Volume queried: C:\ FullSizeInformation
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    File Volume queried: C:\ FullSizeInformation
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe    File Volume queried: C:\ FullSizeInformation
              Source: C:\Users\user\AppData\Local\XClient.exe    File Volume queried: C:\ FullSizeInformation
              Source: C:\Users\user\AppData\Local\XClient.exe    File Volume queried: C:\ FullSizeInformation
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe    Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe    Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\XClient.exe    Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\XClient.exe    Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\XClient.exe    Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\XClient.exe    Thread delayed: delay time: 922337203685477
              Source: XClient.exe, 00000020.00000002.2296750586.0000000006DC4000.00000004.00000020.00020000.00000000.sdmp    Binary or memory string: dRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\B
              Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 0000000A.00000002.4190479980.0000000000F71000.00000004.00000020.00020000.00000000.sdmp    Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Process token adjusted: Debug
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Process token adjusted: Debug
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Process token adjusted: Debug
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\BhTdjGetAH.exe"
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe'
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\XClient.exe'
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\BhTdjGetAH.exe"
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe'
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\XClient.exe'
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe'
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Memory written: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe    Memory written: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\AppData\Local\XClient.exe    Memory written: C:\Users\user\AppData\Local\XClient.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\AppData\Local\XClient.exe    Memory written: C:\Users\user\AppData\Local\XClient.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\BhTdjGetAH.exe"
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp378C.tmp"
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Process created: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Process created: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe'
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe'
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\XClient.exe'
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe    Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp5296.tmp"
              Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe    Process created: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe "C:\Users\user\AppData\Roaming\BhTdjGetAH.exe"
              Source: C:\Users\user\AppData\Local\XClient.exe    Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmpDDBF.tmp"
              Source: C:\Users\user\AppData\Local\XClient.exe    Process created: C:\Users\user\AppData\Local\XClient.exe "C:\Users\user\AppData\Local\XClient.exe"
              Source: C:\Users\user\AppData\Local\XClient.exe    Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp125.tmp"
              Source: C:\Users\user\AppData\Local\XClient.exe    Process created: C:\Users\user\AppData\Local\XClient.exe "C:\Users\user\AppData\Local\XClient.exe"
              Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 0000000A.00000002.4195467542.0000000002D99000.00000004.00000800.00020000.00000000.sdmp    Binary or memory string: Program Manager
              Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 0000000A.00000002.4195467542.0000000002D99000.00000004.00000800.00020000.00000000.sdmp    Binary or memory string: Program Managert-^q
              Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 0000000A.00000002.4195467542.0000000002D99000.00000004.00000800.00020000.00000000.sdmp    Binary or memory string: @\^q@\^q'PING!<Xwormmm>Program Manager<Xwormmm>0
              Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 0000000A.00000002.4195467542.0000000002D99000.00000004.00000800.00020000.00000000.sdmp    Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
              Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 0000000A.00000002.4195467542.0000000002D99000.00000004.00000800.00020000.00000000.sdmp    Binary or memory string: $^q'PING!<Xwormmm>Program Manager<Xwormmm>0Te^q|e
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Queries volume information: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe VolumeInformation
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe    Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Queries volume information: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe VolumeInformation
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe Queries volume information: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe Queries volume information: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Users\user\AppData\Local\XClient.exeQueries volume information: C:\Users\user\AppData\Local\XClient.exe VolumeInformation
              Source: C:\Users\user\AppData\Local\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\XClient.exeQueries volume information: C:\Users\user\AppData\Local\XClient.exe VolumeInformation
              Source: C:\Users\user\AppData\Local\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\XClient.exeQueries volume information: C:\Users\user\AppData\Local\XClient.exe VolumeInformation
              Source: C:\Users\user\AppData\Local\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\XClient.exeQueries volume information: C:\Users\user\AppData\Local\XClient.exe VolumeInformation
              Source: C:\Users\user\AppData\Local\XClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
              Source: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 0000000A.00000002.4190479980.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 0000000A.00000002.4218271165.0000000006AE0000.00000004.00000020.00020000.00000000.sdmp, FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 0000000A.00000002.4218271165.0000000006B0A000.00000004.00000020.00020000.00000000.sdmp, FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 0000000A.00000002.4190479980.0000000000F06000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

              Stealing of Sensitive Information

              Source: Yara match | File source: 11.2.BhTdjGetAH.exe.288d464.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.BhTdjGetAH.exe.2878b80.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 17.2.BhTdjGetAH.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 28.2.XClient.exe.31210c4.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 28.2.XClient.exe.310c7e0.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 28.2.XClient.exe.31210c4.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 28.2.XClient.exe.310c7e0.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.30162b0.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000011.00000002.1844167553.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001C.00000002.2211516335.00000000030BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.1767946178.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.1839980652.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe PID: 3300, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: BhTdjGetAH.exe PID: 7608, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: BhTdjGetAH.exe PID: 7996, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: XClient.exe PID: 2132, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match | File source: 11.2.BhTdjGetAH.exe.288d464.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.BhTdjGetAH.exe.2878b80.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 17.2.BhTdjGetAH.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.3092a90.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 28.2.XClient.exe.31210c4.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.307e1ac.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.BhTdjGetAH.exe.288d464.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 28.2.XClient.exe.310c7e0.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 11.2.BhTdjGetAH.exe.2878b80.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 28.2.XClient.exe.31210c4.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 28.2.XClient.exe.310c7e0.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 1.2.FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe.30162b0.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000011.00000002.1844167553.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001C.00000002.2211516335.00000000030BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.1767946178.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000B.00000002.1839980652.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe PID: 3300, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: BhTdjGetAH.exe PID: 7608, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: BhTdjGetAH.exe PID: 7996, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: XClient.exe PID: 2132, type: MEMORYSTR
              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 1 Scheduled Task/Job | 112 Process Injection | 1 Masquerading | OS Credential Dumping | 221 Security Software Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
              Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 21 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 11 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | 1 DLL Side-Loading | 21 Registry Run Keys / Startup Folder | 131 Virtualization/Sandbox Evasion | Security Account Manager | 131 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 112 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 21 Application Layer Protocol | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 31 Obfuscated Files or Information | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 22 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
              Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
              Behavior Graph (ID: 1466424; the rendered graph is not reproduced, its node data follows)
              Sample: FOR JOBREF OC-SEAEXP YFC EX... | Startdate: 02/07/2024 | Architecture: WINDOWS | Score: 100
              DNS/IP: futurist2.ddns.net | Uses dynamic DNS services
              Sample-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures
              Process tree:
                FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
                  dropped: C:\Users\user\AppData\...\BhTdjGetAH.exe (PE32); C:\Users\...\BhTdjGetAH.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp378C.tmp (XML); FOR JOBREF OC-SEAE...3IPN0006279.exe.log (ASCII)
                  signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
                  -> FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
                       DNS/IP: futurist2.ddns.net 102.90.42.110, 20506, 49741, 49743 VCG-ASNG Nigeria
                       dropped: C:\Users\user\AppData\Local\XClient.exe (PE32)
                       signatures: Protects its processes via BreakOnTermination flag; Adds a directory exclusion to Windows Defender
                       -> powershell.exe (Loading BitLocker PowerShell Module) -> conhost.exe
                       -> powershell.exe -> conhost.exe
                       -> 2 other processes -> conhost.exe, conhost.exe
                  -> powershell.exe (Loading BitLocker PowerShell Module) -> conhost.exe
                  -> powershell.exe -> conhost.exe
                  -> 2 other processes -> conhost.exe
                BhTdjGetAH.exe
                  signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                  -> schtasks.exe -> conhost.exe
                  -> BhTdjGetAH.exe
                XClient.exe
                  -> schtasks.exe -> conhost.exe
                  -> XClient.exe
                XClient.exe
                  -> 2 other processes -> conhost.exe

Source | Detection | Scanner | Label | Link
FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | 58% | ReversingLabs | Win32.Backdoor.Xworm |
FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\XClient.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\BhTdjGetAH.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\XClient.exe | 58% | ReversingLabs | Win32.Trojan.Generic |
C:\Users\user\AppData\Roaming\BhTdjGetAH.exe | 58% | ReversingLabs | Win32.Trojan.Generic |
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://www.apache.org/licenses/LICENSE-2.0 | 0% | URL Reputation | safe |
http://www.fontbureau.com | 0% | URL Reputation | safe |
http://www.fontbureau.com/designersG | 0% | URL Reputation | safe |
http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe |
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe |
http://www.fontbureau.com/designers? | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.fontbureau.com/designers | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.fontbureau.com/designers/cabarga.htmlN | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe |
https://aka.ms/pscore6lB | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.fontbureau.com/designers8 | 0% | URL Reputation | safe |
http://www.fonts.com | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
https://go.mic | 0% | Avira URL Cloud | safe |
futurist2.ddns.net | 0% | Avira URL Cloud | safe |
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe |
http://www.microsoft.coXd | 0% | Avira URL Cloud | safe |
http://crl.microso | 0% | Avira URL Cloud | safe |
http://crl.micro$ | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
futurist2.ddns.net | 102.90.42.110 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
futurist2.ddns.net | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 0000000D.00000002.1810611459.000000000537C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1883850643.00000000051CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1958129515.000000000572B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2013329226.000000000558A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com | FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersG | FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/bThe | FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://go.mic | powershell.exe, 0000000D.00000002.1802652172.0000000000448000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000019.00000002.1989730122.0000000004676000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 0000000D.00000002.1804203407.0000000004466000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1868794212.00000000042B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1927085686.0000000004817000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1989730122.0000000004676000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000019.00000002.1989730122.0000000004676000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://go.micro | powershell.exe, 00000013.00000002.1868794212.000000000494E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1868794212.0000000004ABD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1989730122.0000000004C56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1989730122.0000000004E80000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.microsoft.coXd | powershell.exe, 00000015.00000002.1970141232.0000000008112000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000019.00000002.2013329226.000000000558A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000019.00000002.2013329226.000000000558A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000019.00000002.1989730122.0000000004676000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.microso | powershell.exe, 0000000D.00000002.1832933847.0000000007E2A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 0000000D.00000002.1804203407.0000000004311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1868794212.0000000004161000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1927085686.00000000046C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1989730122.0000000004521000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 0000000D.00000002.1804203407.0000000004466000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1868794212.00000000042B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1927085686.0000000004817000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1989730122.0000000004676000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000019.00000002.2013329226.000000000558A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 0000000D.00000002.1810611459.000000000537C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1883850643.00000000051CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1958129515.000000000572B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2013329226.000000000558A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.micro$ | powershell.exe, 00000019.00000002.2022501378.0000000007115000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2023383216.0000000007198000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.kr | FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1767946178.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 0000000A.00000002.4195467542.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, BhTdjGetAH.exe, 0000000B.00000002.1839980652.0000000002801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1804203407.0000000004311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1868794212.0000000004161000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1927085686.00000000046C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.1989730122.0000000004521000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 0000001C.00000002.2211516335.0000000003071000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000020.00000002.2282271067.0000000002A29000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775930634.0000000007212000.00000004.00000800.00020000.00000000.sdmp, FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe, 00000001.00000002.1775432995.0000000005A60000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
102.90.42.110 | futurist2.ddns.net | Nigeria | | 29465 | VCG-ASNG | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1466424
Start date and time: 2024-07-02 22:31:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 34s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 37
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@44/37@4/1
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 530
• Number of non-executed functions: 59
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target BhTdjGetAH.exe, PID 7996 because it is empty
• Execution Graph export aborted for target XClient.exe, PID 3140 because it is empty
• Execution Graph export aborted for target XClient.exe, PID 8104 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 4840 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7416 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 8084 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
Time | Type | Description
16:32:05 | API Interceptor | 6893860x Sleep call for process: FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe modified
16:32:06 | API Interceptor | 86x Sleep call for process: powershell.exe modified
16:32:10 | API Interceptor | 1x Sleep call for process: BhTdjGetAH.exe modified
16:32:48 | API Interceptor | 2x Sleep call for process: XClient.exe modified
21:32:08 | Task Scheduler | Run new task: BhTdjGetAH path: C:\Users\user\AppData\Roaming\BhTdjGetAH.exe
21:32:39 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run XClient C:\Users\user\AppData\Local\XClient.exe
21:32:47 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run XClient C:\Users\user\AppData\Local\XClient.exe
21:32:57 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
                No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
futurist2.ddns.net | file.exe | Get hash | malicious | PureLog Stealer, XWorm | Browse | 194.147.140.135
futurist2.ddns.net | AB8A3B1F7F616EF9E6F6F5AFF32AA27F746A4AFE9F734.exe | Get hash | malicious | Nanocore | Browse | 194.5.98.23

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
VCG-ASNG | CnqpVfDyUH.elf | Get hash | malicious | Mirai | Browse | 102.91.140.121
VCG-ASNG | 1IXIIseuHR.elf | Get hash | malicious | Mirai, Gafgyt | Browse | 197.210.172.226
VCG-ASNG | x86.elf | Get hash | malicious | Gafgyt, Mirai | Browse | 197.210.170.4
VCG-ASNG | 8MFpF2RpG1.elf | Get hash | malicious | Mirai | Browse | 102.90.197.209
VCG-ASNG | YfM6hAPQaS.elf | Get hash | malicious | Mirai | Browse | 197.210.99.190
VCG-ASNG | TGYj8HxqY9.elf | Get hash | malicious | Mirai | Browse | 102.91.140.170
VCG-ASNG | I6e9WczGlf.elf | Get hash | malicious | Mirai | Browse | 102.91.140.186
VCG-ASNG | wQsdlAeKOF.elf | Get hash | malicious | Mirai | Browse | 102.90.150.255
VCG-ASNG | abkzsHZ00o.elf | Get hash | malicious | Mirai, Gafgyt, Okiru | Browse | 197.210.52.198
                No context
                No context
                Process:C:\Users\user\AppData\Roaming\BhTdjGetAH.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):1216
                Entropy (8bit):5.34331486778365
                Encrypted:false
                SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                MD5:1330C80CAAC9A0FB172F202485E9B1E8
                SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                Malicious:false
                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                Process:C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):1216
                Entropy (8bit):5.34331486778365
                Encrypted:false
                SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                MD5:1330C80CAAC9A0FB172F202485E9B1E8
                SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                Malicious:true
                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                Process:C:\Users\user\AppData\Local\XClient.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):1216
                Entropy (8bit):5.34331486778365
                Encrypted:false
                SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                MD5:1330C80CAAC9A0FB172F202485E9B1E8
                SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                Malicious:false
                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:data
                Category:modified
                Size (bytes):2232
                Entropy (8bit):5.378656660173192
                Encrypted:false
                SSDEEP:48:YWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//8vUyus:YLHyIFKL3IZ2KRH9OugMs
                MD5:606D32F377AD35DA05BE0F6988F0F25A
                SHA1:B440DEB8F5AC74255820CB26C37469156565AA7E
                SHA-256:8177E4D50280ECD8330FA9AD9E41176574FD455AD476705689955D5D4488F6E4
                SHA-512:4F94299F87F0103198EE42A9E60CF692E6F98C8868C59DFF9BA2B0DCC208CF10BCE07A1089130D329ECF4589F85C823EEBA8CD5B41E6D171FED612BC96BF4EC8
                Malicious:false
                Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                Process:C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):41
                Entropy (8bit):3.7195394315431693
                Encrypted:false
                SSDEEP:3:rRSFYJKXzovNsr4rNrn:EFYJKDoWrcBn
                MD5:0DB526D48DAB0E640663E4DC0EFE82BA
                SHA1:17AC435DAFEA6FF9F4D6F83FA6C54F9800F43724
                SHA-256:934290A76F9E1804069D8ED6515B14101D9D8ABA2EACBF5B260F59941C65340E
                SHA-512:FACD013E1B5B8163214CA8C3A18ADEEC3541153CD69240EEFA76DDD54809186E919C1D635AEA648A8641DE7C3216BEC11C41F04719B60F07EDFDC01FF79027B9
                Malicious:false
                Preview:....### explorer ###..[WIN]r[WIN]r[WIN]r
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):60
                Entropy (8bit):4.038920595031593
                Encrypted:false
                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                Malicious:false
                Preview:# PowerShell test file to determine AppLocker lockdown mode
                Process:C:\Users\user\AppData\Local\XClient.exe
                File Type:XML 1.0 document, ASCII text
                Category:dropped
                Size (bytes):1576
                Entropy (8bit):5.1105385080313575
                Encrypted:false
                SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaki+xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTBiyv
                MD5:C63D8C24EE20AA2AFE44B50D793FF6DC
                SHA1:B4BEC122A383BCCE3CE53988D028B773733FBD4A
                SHA-256:B6CAF272219BDCE40A2D88E9063819E35C8717BF94E5D005EFB8282A641D628F
                SHA-512:A8A754FA910DBC73A7F36C2BD3030A462FC40D95F9C0DFF861A28A0582497986F93ADA38C28618C06B200CE53AE17374324CF44C76A17976B718AA994005E26A
                Malicious:false
                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                Process:C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
                File Type:XML 1.0 document, ASCII text
                Category:dropped
                Size (bytes):1576
                Entropy (8bit):5.1105385080313575
                Encrypted:false
                SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaki+xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTBiyv
                MD5:C63D8C24EE20AA2AFE44B50D793FF6DC
                SHA1:B4BEC122A383BCCE3CE53988D028B773733FBD4A
                SHA-256:B6CAF272219BDCE40A2D88E9063819E35C8717BF94E5D005EFB8282A641D628F
                SHA-512:A8A754FA910DBC73A7F36C2BD3030A462FC40D95F9C0DFF861A28A0582497986F93ADA38C28618C06B200CE53AE17374324CF44C76A17976B718AA994005E26A
                Malicious:true
                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                Process:C:\Users\user\AppData\Roaming\BhTdjGetAH.exe
                File Type:XML 1.0 document, ASCII text
                Category:dropped
                Size (bytes):1576
                Entropy (8bit):5.1105385080313575
                Encrypted:false
                SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaki+xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTBiyv
                MD5:C63D8C24EE20AA2AFE44B50D793FF6DC
                SHA1:B4BEC122A383BCCE3CE53988D028B773733FBD4A
                SHA-256:B6CAF272219BDCE40A2D88E9063819E35C8717BF94E5D005EFB8282A641D628F
                SHA-512:A8A754FA910DBC73A7F36C2BD3030A462FC40D95F9C0DFF861A28A0582497986F93ADA38C28618C06B200CE53AE17374324CF44C76A17976B718AA994005E26A
                Malicious:false
                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                Process:C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):525312
                Entropy (8bit):7.965068852230073
                Encrypted:false
                SSDEEP:12288:W2itjSANT3ukfD2lnjxTf1E4NdYLVmdIRfNhuBoyQpNE:W2WjFT3uk7qntfX0LE6NoJ4
                MD5:18907F90316AA47034081363DC00F908
                SHA1:49B3C6C35C08C824FFB67F3DBCC1B215842A7014
                SHA-256:D384BA14FE02622E460CD9805EB86A45B6C4F9E787ECDC015BC6034E69410E3D
                SHA-512:03CABA2011EF244E5BA7B3DA16037E3B4651709DF25ECFA299C2D389FB1B4361E4D9CD997C2A3634F2F4ACD3DB43EAE93EF78BEF42C92667C98B9AE038B2BC5C
                Malicious:true
                Antivirus:
                • Antivirus: Joe Sandbox ML, Detection: 100%
                • Antivirus: ReversingLabs, Detection: 58%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....g.f..............0.............j.... ... ....@.. .......................`............@.....................................O.... .......................@....................................................... ............... ..H............text...p.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):26
                Entropy (8bit):3.95006375643621
                Encrypted:false
                SSDEEP:3:ggPYV:rPYV
                MD5:187F488E27DB4AF347237FE461A079AD
                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                Malicious:true
                Preview:[ZoneTransfer]....ZoneId=0
                Process:C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Jul 2 19:32:36 2024, mtime=Tue Jul 2 19:32:36 2024, atime=Tue Jul 2 19:32:36 2024, length=525312, window=hide
                Category:dropped
                Size (bytes):943
                Entropy (8bit):5.044207642563407
                Encrypted:false
                SSDEEP:12:8qkPC04KG0WCo8dailyMRQISUq6njAmfUme1GFawuL1HJpfJp444t2YZ/elFlSJX:8In/QoMRgUq6jAmfUmelVHfnqyFm
                MD5:050303E307C9BF9EA09818D35949FDDD
                SHA1:D2C4F7E5020612C759D99EAB6587E003F3A0CABE
                SHA-256:0D40D10DDDD9C45457567F4B7759354B229A8B2D0F26EB685BDEC8037C834262
                SHA-512:7B396E1B5CC03FA3B1FABEE11D17ED7A7ADBF1E145D90EEDECA12EC73A6E48FF60809612E9C6F3FDE19C1D835844534199A99E885FBBDC9B99337C6846A741F5
                Malicious:false
                Preview:L..................F.... ................................................p.:..DG..Yr?.D..U..k0.&...&......vk.v.....P.....ck..........t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.X.............................%..A.p.p.D.a.t.a...B.P.1......X....Local.<......CW.^.X......b.........................L.o.c.a.l.....b.2......X.. .XClient.exe.H.......X...X...........................!...X.C.l.i.e.n.t...e.x.e.......W...............-.......V.............I......C:\Users\user\AppData\Local\XClient.exe..#.....\.....\.....\.....\.....\.....\.L.o.c.a.l.\.X.C.l.i.e.n.t...e.x.e.........|....I.J.H..K..:...`.......X.......927537...........hT..CrF.f4... .F.S0.8...,.......hT..CrF.f4... .F.S0.8...,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Entropy (8bit):7.965068852230073
                TrID:
                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                • Win32 Executable (generic) a (10002005/4) 49.78%
                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                • Win16/32 Executable Delphi generic (2074/23) 0.01%
                • Generic Win/DOS Executable (2004/3) 0.01%
                File name:FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
                File size:525'312 bytes
                MD5:18907f90316aa47034081363dc00f908
                SHA1:49b3c6c35c08c824ffb67f3dbcc1b215842a7014
                SHA256:d384ba14fe02622e460cd9805eb86a45b6c4f9e787ecdc015bc6034e69410e3d
                SHA512:03caba2011ef244e5ba7b3da16037e3b4651709df25ecfa299c2d389fb1b4361e4d9cd997c2a3634f2f4acd3db43eae93ef78bef42c92667c98b9ae038b2bc5c
                SSDEEP:12288:W2itjSANT3ukfD2lnjxTf1E4NdYLVmdIRfNhuBoyQpNE:W2WjFT3uk7qntfX0LE6NoJ4
                TLSH:A2B423A175D8B237CEAE2B7FA81210E20231976375E6F31A84FC352D53B77209621797
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....g.f..............0.............j.... ... ....@.. .......................`............@................................
                Icon Hash:90cececece8e8eb0
                Entrypoint:0x48126a
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Time Stamp:0x6683672E [Tue Jul 2 02:34:22 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                Instruction
                jmp dword ptr [00402000h]
                add byte ptr [eax], al   (shown 97 times in the original listing: the disassembler ran on into the zero-filled padding that follows the six-byte stub; .text's virtual size ends at 0x81270, exactly six bytes past the entry point, and 00 00 decodes as add byte ptr [eax], al)
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x81218 | 0x4f | .text
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x82000 | 0x5b8 | .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x84000 | 0xc | .reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x2000 | 0x7f270 | 0x7f400 | 1e80b0c91b0df48a93b30ceedabe19a5 | False | 0.9695845868123772 | data | 7.978661790486835 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .rsrc | 0x82000 | 0x5b8 | 0x800 | 3ce15875cef95ee808a69021fa8c4c49 | False | 0.3154296875 | data | 3.3245489807154676 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .reloc | 0x84000 | 0xc | 0x400 | 5d56b41b9d413f047d4541c2a2fb9bc3 | False | 0.025390625 | data | 0.05585530805374581 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                RT_VERSION | 0x82090 | 0x328 | data | | | 0.4158415841584158
                RT_MANIFEST | 0x823c8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                DLL | Import
                mscoree.dll | _CorExeMain
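The entry point, IAT, COM descriptor, import and section rows above fit together in one way: the native entry point is a six-byte `jmp` through the only IAT slot, which holds `mscoree.dll!_CorExeMain`, so every instruction the CPU executes before the CLR takes over is that stub, and the real program is IL inside the 7.98-bit-entropy `.text` section. The following Python is an added example, not the report's or Joe Sandbox's code: it copies the header values from the rows above, reconstructs the stub bytes from the disassembled instruction (`jmp dword ptr [imm32]` is always `FF 25` followed by the little-endian pointer; the page shows the disassembly, not the bytes), and applies the checks an analyst would run by hand. The 7.5 entropy threshold is an assumption.

```python
"""Added example (not from the report or from Joe Sandbox): reading the
entry point, IAT, CLR header and section rows above as a .NET triage.

Header values are copied from the report.  ENTRY_STUB is the standard
x86 encoding (FF 25 disp32) of the disassembled 'jmp dword ptr [00402000h]'.
"""
import math
import struct

IMAGE_BASE = 0x400000
ENTRY_POINT_VA = 0x48126a
IAT_DIR = (0x2000, 0x8)        # IMAGE_DIRECTORY_ENTRY_IAT: RVA, size
COM_DIR = (0x2008, 0x48)       # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: RVA, size
IMPORTS = {"mscoree.dll": ["_CorExeMain"]}
SECTIONS = [                   # name, VA, virtual size, entropy (report's section table)
    (".text",  0x2000,  0x7f270, 7.978661790486835),
    (".rsrc",  0x82000, 0x5b8,   3.3245489807154676),
    (".reloc", 0x84000, 0xc,     0.05585530805374581),
]
# Reconstructed encoding of 'jmp dword ptr [00402000h]' (little-endian disp32).
ENTRY_STUB = bytes.fromhex("FF2500204000")


def decode_jmp_indirect(code):
    """Decode 'FF 25 disp32' (jmp through an absolute 32-bit pointer); None if not that opcode."""
    if len(code) < 6 or code[0] != 0xFF or code[1] != 0x25:
        return None
    return struct.unpack_from("<I", code, 2)[0]


def section_for_rva(rva, sections):
    """(name, va, vsize) of the section containing rva, or None."""
    for name, va, vsize, _ in sections:
        if va <= rva < va + vsize:
            return name, va, vsize
    return None


def analyze_entry(stub, entry_va, image_base, iat_dir, com_dir, imports, sections):
    """Decide whether the native entry point is nothing but the CLR bootstrap stub."""
    entry_rva = entry_va - image_base
    sec = section_for_rva(entry_rva, sections)
    target = decode_jmp_indirect(stub)
    iat_rva, iat_size = iat_dir
    info = {
        "entry_rva": entry_rva,
        "entry_section": sec[0] if sec else None,
        "jmp_target": target,
        # the pointer the jmp reads must be an IAT slot (here the only one, 0x2000..0x2008)
        "target_in_iat": target is not None and iat_rva <= target - image_base < iat_rva + iat_size,
        # IMAGE_COR20_HEADER is 0x48 bytes; a zero directory means no CLR header
        "has_clr_header": com_dir[0] != 0 and com_dir[1] >= 0x48,
        "only_clr_import": imports == {"mscoree.dll": ["_CorExeMain"]},
        # compiler-emitted .NET images put the stub in the last six bytes of .text
        "stub_at_section_end": bool(sec) and entry_rva + len(stub) == sec[1] + sec[2],
    }
    info["managed"] = info["target_in_iat"] and info["has_clr_header"] and info["only_clr_import"]
    return info


def shannon_entropy(data):
    """Bits per byte, 0.0 (constant) .. 8.0 (uniform); the report's .text scores 7.98."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def high_entropy_sections(sections, threshold=7.5):
    """Sections in the compressed/encrypted range (the threshold is an assumption)."""
    return [name for name, _, _, ent in sections if ent >= threshold]


if __name__ == "__main__":
    print(analyze_entry(ENTRY_STUB, ENTRY_POINT_VA, IMAGE_BASE, IAT_DIR, COM_DIR, IMPORTS, SECTIONS))
    print("packed-looking sections:", high_entropy_sections(SECTIONS))
    print("entropy of uniform bytes:", shannon_entropy(bytes(range(256)) * 16))
```

The stub resolves to 0x402000 = ImageBase + IAT RVA, the IAT is eight bytes (one slot plus the null terminator), and the entry point sits six bytes before the end of `.text`, so the native side of this file is the CLR bootstrap and nothing else; the "Programmed in: C, C++ or other language" line in the process table below is the sandbox's generic heuristic, while TrID and the file type say .NET. A `.text` section at 7.98 bits per byte is in the range of compressed or encrypted data, which is consistent with the unpacker and large-array signatures the report raised.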
                Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                07/02/24-22:34:38.935488 | TCP | 2853193 | ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound | 49747 | 20506 | 192.168.2.4 | 102.90.42.110
                07/02/24-22:33:11.654513 | TCP | 2855924 | ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound | 49743 | 20506 | 192.168.2.4 | 102.90.42.110
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Jul 2, 2024 22:32:37.606930017 CEST | 49741 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:32:37.612024069 CEST | 20506 | 49741 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:32:37.612209082 CEST | 49741 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:32:37.690642118 CEST | 49741 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:32:37.695467949 CEST | 20506 | 49741 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:32:51.406008005 CEST | 49741 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:32:51.410824060 CEST | 20506 | 49741 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:32:58.982780933 CEST | 20506 | 49741 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:32:58.982844114 CEST | 49741 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:33:01.020962954 CEST | 49741 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:33:01.022192955 CEST | 49743 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:33:01.025906086 CEST | 20506 | 49741 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:33:01.027201891 CEST | 20506 | 49743 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:33:01.027260065 CEST | 49743 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:33:01.069222927 CEST | 49743 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:33:01.074567080 CEST | 20506 | 49743 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:33:11.654512882 CEST | 49743 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:33:11.661308050 CEST | 20506 | 49743 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:33:22.263387918 CEST | 49743 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:33:22.268338919 CEST | 20506 | 49743 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:33:22.399032116 CEST | 20506 | 49743 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:33:22.399081945 CEST | 49743 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:33:24.545178890 CEST | 49743 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:33:24.548712015 CEST | 49744 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:33:24.550375938 CEST | 20506 | 49743 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:33:24.553637981 CEST | 20506 | 49744 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:33:24.555248976 CEST | 49744 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:33:25.238744974 CEST | 49744 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:33:25.243618011 CEST | 20506 | 49744 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:33:39.639075041 CEST | 49744 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:33:39.643933058 CEST | 20506 | 49744 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:33:45.949400902 CEST | 20506 | 49744 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:33:45.949469090 CEST | 49744 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:33:46.356864929 CEST | 49744 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:33:46.361682892 CEST | 20506 | 49744 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:33:46.587284088 CEST | 49745 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:33:46.592201948 CEST | 20506 | 49745 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:33:46.592263937 CEST | 49745 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:33:47.792881966 CEST | 49745 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:33:47.799032927 CEST | 20506 | 49745 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:33:48.248053074 CEST | 49745 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:33:48.252866983 CEST | 20506 | 49745 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:33:48.310226917 CEST | 49745 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:33:48.315079927 CEST | 20506 | 49745 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:33:48.450830936 CEST | 49745 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:33:48.455734968 CEST | 20506 | 49745 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:33:50.029514074 CEST | 49745 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:33:50.034467936 CEST | 20506 | 49745 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:33:54.997875929 CEST | 49745 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:33:55.002933979 CEST | 20506 | 49745 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:33:55.028976917 CEST | 49745 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:33:55.033787012 CEST | 20506 | 49745 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:33:55.060128927 CEST | 49745 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:33:55.065048933 CEST | 20506 | 49745 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:33:55.075781107 CEST | 49745 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:33:55.080724001 CEST | 20506 | 49745 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:33:55.107026100 CEST | 49745 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:33:55.111964941 CEST | 20506 | 49745 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:33:57.560595036 CEST | 49745 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:33:57.565428972 CEST | 20506 | 49745 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:34:07.962017059 CEST | 20506 | 49745 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:34:07.962083101 CEST | 49745 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:34:10.347712994 CEST | 49745 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:34:10.352768898 CEST | 20506 | 49745 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:34:10.363332033 CEST | 49746 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:34:10.369431019 CEST | 20506 | 49746 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:34:10.370302916 CEST | 49746 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:34:10.947376966 CEST | 49746 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:34:10.954108000 CEST | 20506 | 49746 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:34:10.982188940 CEST | 49746 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:34:10.990073919 CEST | 20506 | 49746 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:34:16.403980017 CEST | 49746 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:34:16.409087896 CEST | 20506 | 49746 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:34:22.778987885 CEST | 49746 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:34:22.784040928 CEST | 20506 | 49746 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:34:22.951194048 CEST | 49746 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:34:22.956157923 CEST | 20506 | 49746 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:34:31.756108046 CEST | 20506 | 49746 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:34:31.756186008 CEST | 49746 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:34:33.279707909 CEST | 49746 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:34:33.283335924 CEST | 49747 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:34:33.763159037 CEST | 49746 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:34:33.865953922 CEST | 20506 | 49746 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:34:33.865989923 CEST | 20506 | 49747 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:34:33.866020918 CEST | 20506 | 49746 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:34:33.866096973 CEST | 49747 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:34:33.867331982 CEST | 49746 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:34:33.907949924 CEST | 49747 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:34:33.912925959 CEST | 20506 | 49747 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:34:33.919641018 CEST | 49747 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:34:33.924666882 CEST | 20506 | 49747 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:34:38.935487986 CEST | 49747 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:34:39.129895926 CEST | 20506 | 49747 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:34:39.129965067 CEST | 49747 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:34:39.138385057 CEST | 20506 | 49747 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:34:40.560538054 CEST | 49747 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:34:40.565916061 CEST | 20506 | 49747 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:34:40.638607025 CEST | 49747 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:34:40.643575907 CEST | 20506 | 49747 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:34:40.700911045 CEST | 49747 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:34:40.705843925 CEST | 20506 | 49747 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:34:41.232347012 CEST | 49747 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:34:41.243840933 CEST | 20506 | 49747 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:34:46.153992891 CEST | 49747 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:34:46.159970045 CEST | 20506 | 49747 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:34:50.982343912 CEST | 49747 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:34:50.987288952 CEST | 20506 | 49747 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:34:51.044657946 CEST | 49747 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:34:51.049540043 CEST | 20506 | 49747 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:34:55.230298042 CEST | 20506 | 49747 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:34:55.230379105 CEST | 49747 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:34:56.247720003 CEST | 49747 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:34:56.252696037 CEST | 20506 | 49747 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:34:56.400094032 CEST | 49748 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:34:56.405023098 CEST | 20506 | 49748 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:34:56.405131102 CEST | 49748 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:34:56.441654921 CEST | 49748 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:34:56.448009968 CEST | 20506 | 49748 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:34:56.841715097 CEST | 49748 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:34:56.846684933 CEST | 20506 | 49748 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:03.904083014 CEST | 49748 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:03.909369946 CEST | 20506 | 49748 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:07.919672012 CEST | 49748 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:07.924695969 CEST | 20506 | 49748 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:07.966514111 CEST | 49748 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:07.971503019 CEST | 20506 | 49748 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:09.357290030 CEST | 49748 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:09.362673044 CEST | 20506 | 49748 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:14.498114109 CEST | 49748 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:14.503262997 CEST | 20506 | 49748 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:14.529053926 CEST | 49748 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:14.537338972 CEST | 20506 | 49748 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:14.654146910 CEST | 49748 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:14.659085035 CEST | 20506 | 49748 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:14.669946909 CEST | 49748 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:14.674900055 CEST | 20506 | 49748 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:14.748322964 CEST | 49748 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:14.753320932 CEST | 20506 | 49748 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:15.169734001 CEST | 49748 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:15.176326036 CEST | 20506 | 49748 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:15.185374022 CEST | 49748 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:15.191731930 CEST | 20506 | 49748 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:15.216614962 CEST | 49748 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:15.224526882 CEST | 20506 | 49748 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:15.294714928 CEST | 49748 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:15.302320004 CEST | 20506 | 49748 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:15.388421059 CEST | 49748 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:15.394398928 CEST | 20506 | 49748 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:15.435468912 CEST | 49748 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:15.441411972 CEST | 20506 | 49748 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:16.029097080 CEST | 49748 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:16.034760952 CEST | 20506 | 49748 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:17.793216944 CEST | 20506 | 49748 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:17.793302059 CEST | 49748 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:21.077147007 CEST | 49748 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:21.082578897 CEST | 20506 | 49748 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:21.084492922 CEST | 49749 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:21.089453936 CEST | 20506 | 49749 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:21.093774080 CEST | 49749 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:21.151768923 CEST | 49749 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:21.156677961 CEST | 20506 | 49749 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:21.529244900 CEST | 49749 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:21.534280062 CEST | 20506 | 49749 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:21.622827053 CEST | 49749 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:21.628133059 CEST | 20506 | 49749 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:24.732285023 CEST | 49749 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:24.809999943 CEST | 20506 | 49749 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:29.435383081 CEST | 49749 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:29.501774073 CEST | 20506 | 49749 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:31.919778109 CEST | 49749 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:31.924815893 CEST | 20506 | 49749 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:39.497960091 CEST | 49749 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:39.503596067 CEST | 20506 | 49749 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:42.463459969 CEST | 20506 | 49749 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:42.463749886 CEST | 49749 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:47.186969042 CEST | 49749 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:47.190517902 CEST | 49750 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:47.192050934 CEST | 20506 | 49749 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:47.195841074 CEST | 20506 | 49750 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:47.199547052 CEST | 49750 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:48.138497114 CEST | 49750 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:48.143356085 CEST | 20506 | 49750 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:48.310398102 CEST | 49750 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:48.315363884 CEST | 20506 | 49750 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:52.482445955 CEST | 49750 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:52.489896059 CEST | 20506 | 49750 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:53.404248953 CEST | 49750 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:53.409637928 CEST | 20506 | 49750 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:53.545598030 CEST | 49750 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:53.550918102 CEST | 20506 | 49750 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:53.576673031 CEST | 49750 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:53.582133055 CEST | 20506 | 49750 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:58.810435057 CEST | 49750 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:58.815370083 CEST | 20506 | 49750 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:59.201163054 CEST | 49750 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:59.206708908 CEST | 20506 | 49750 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:59.263886929 CEST | 49750 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:59.268924952 CEST | 20506 | 49750 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:35:59.372977972 CEST | 49750 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:35:59.377970934 CEST | 20506 | 49750 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:36:01.263794899 CEST | 49750 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:36:01.395942926 CEST | 20506 | 49750 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:36:04.341677904 CEST | 49750 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:36:04.346910954 CEST | 20506 | 49750 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:36:06.654304981 CEST | 49750 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:36:06.659554958 CEST | 20506 | 49750 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:36:08.573834896 CEST | 20506 | 49750 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:36:08.573935986 CEST | 49750 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:36:09.470707893 CEST | 49750 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:36:09.475596905 CEST | 20506 | 49750 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:36:09.714799881 CEST | 49751 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:36:09.719841003 CEST | 20506 | 49751 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:36:09.719933987 CEST | 49751 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:36:09.808171988 CEST | 49751 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:36:09.813095093 CEST | 20506 | 49751 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:36:09.841844082 CEST | 49751 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:36:09.846806049 CEST | 20506 | 49751 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:36:11.263725042 CEST | 49751 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:36:11.268570900 CEST | 20506 | 49751 | 102.90.42.110 | 192.168.2.4
                Jul 2, 2024 22:36:15.154181957 CEST | 49751 | 20506 | 192.168.2.4 | 102.90.42.110
                Jul 2, 2024 22:36:15.159301043 CEST | 20506 | 49751 | 102.90.42.110 | 192.168.2.4
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Jul 2, 2024 22:32:37.459180117 CEST | 63861 | 53 | 192.168.2.4 | 1.1.1.1
                Jul 2, 2024 22:32:37.601557016 CEST | 53 | 63861 | 1.1.1.1 | 192.168.2.4
                Jul 2, 2024 22:33:46.359127998 CEST | 62137 | 53 | 192.168.2.4 | 1.1.1.1
                Jul 2, 2024 22:33:46.582443953 CEST | 53 | 62137 | 1.1.1.1 | 192.168.2.4
                Jul 2, 2024 22:34:56.249596119 CEST | 63607 | 53 | 192.168.2.4 | 1.1.1.1
                Jul 2, 2024 22:34:56.399288893 CEST | 53 | 63607 | 1.1.1.1 | 192.168.2.4
                Jul 2, 2024 22:36:09.505292892 CEST | 49614 | 53 | 192.168.2.4 | 1.1.1.1
                Jul 2, 2024 22:36:09.654292107 CEST | 53 | 49614 | 1.1.1.1 | 192.168.2.4
                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                Jul 2, 2024 22:32:37.459180117 CEST | 192.168.2.4 | 1.1.1.1 | 0x26c4 | Standard query (0) | futurist2.ddns.net | A (IP address) | IN (0x0001) | false
                Jul 2, 2024 22:33:46.359127998 CEST | 192.168.2.4 | 1.1.1.1 | 0x7329 | Standard query (0) | futurist2.ddns.net | A (IP address) | IN (0x0001) | false
                Jul 2, 2024 22:34:56.249596119 CEST | 192.168.2.4 | 1.1.1.1 | 0x155f | Standard query (0) | futurist2.ddns.net | A (IP address) | IN (0x0001) | false
                Jul 2, 2024 22:36:09.505292892 CEST | 192.168.2.4 | 1.1.1.1 | 0x2bf4 | Standard query (0) | futurist2.ddns.net | A (IP address) | IN (0x0001) | false
                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                Jul 2, 2024 22:32:37.601557016 CEST | 1.1.1.1 | 192.168.2.4 | 0x26c4 | No error (0) | futurist2.ddns.net | | 102.90.42.110 | A (IP address) | IN (0x0001) | false
                Jul 2, 2024 22:33:46.582443953 CEST | 1.1.1.1 | 192.168.2.4 | 0x7329 | No error (0) | futurist2.ddns.net | | 102.90.42.110 | A (IP address) | IN (0x0001) | false
                Jul 2, 2024 22:34:56.399288893 CEST | 1.1.1.1 | 192.168.2.4 | 0x155f | No error (0) | futurist2.ddns.net | | 102.90.42.110 | A (IP address) | IN (0x0001) | false
                Jul 2, 2024 22:36:09.654292107 CEST | 1.1.1.1 | 192.168.2.4 | 0x2bf4 | No error (0) | futurist2.ddns.net | | 102.90.42.110 | A (IP address) | IN (0x0001) | false
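Read together, the TCP, UDP and DNS tables above show a single behaviour: the client resolves futurist2.ddns.net (a free dynamic-DNS name) to 102.90.42.110 roughly every 70 seconds and opens a fresh TCP session to port 20506 roughly every 23 seconds (source ports 49741, 49743 ... 49751), which is the cadence the two ET Pro "XWorm V3 CnC Command - PING" alerts fired on. The Python below is an added example, not Joe Sandbox's code, of turning that observation into detection logic: it takes the first outbound packet of each session and the four lookups, copied from the tables (fractional seconds truncated to microseconds), measures the reconnect interval and its jitter, and checks the resolved name against a dynamic-DNS suffix list. The session and jitter thresholds and the suffix list are assumptions of the example.

```python
"""Added example (not Joe Sandbox's code): beacon-interval and dynamic-DNS
triage over the traffic listed in the report above.

TCP_SAMPLE and DNS_SAMPLE are constructed from the report's tables: the
first outbound packet of every client-side TCP session and the four A
lookups, with fractional seconds cut to microseconds so strptime accepts
them.  Thresholds and DYNDNS_SUFFIXES are assumptions of this example.
"""
from datetime import datetime
from statistics import mean, median, pstdev

TCP_SAMPLE = """\
2024-07-02 22:32:37.606930 192.168.2.4 49741 102.90.42.110 20506
2024-07-02 22:33:01.022192 192.168.2.4 49743 102.90.42.110 20506
2024-07-02 22:33:24.548712 192.168.2.4 49744 102.90.42.110 20506
2024-07-02 22:33:46.587284 192.168.2.4 49745 102.90.42.110 20506
2024-07-02 22:34:10.363332 192.168.2.4 49746 102.90.42.110 20506
2024-07-02 22:34:33.283335 192.168.2.4 49747 102.90.42.110 20506
2024-07-02 22:34:56.400094 192.168.2.4 49748 102.90.42.110 20506
2024-07-02 22:35:21.084492 192.168.2.4 49749 102.90.42.110 20506
2024-07-02 22:35:47.190517 192.168.2.4 49750 102.90.42.110 20506
2024-07-02 22:36:09.714799 192.168.2.4 49751 102.90.42.110 20506
"""

DNS_SAMPLE = """\
2024-07-02 22:32:37.459180 192.168.2.4 futurist2.ddns.net A 102.90.42.110
2024-07-02 22:33:46.359127 192.168.2.4 futurist2.ddns.net A 102.90.42.110
2024-07-02 22:34:56.249596 192.168.2.4 futurist2.ddns.net A 102.90.42.110
2024-07-02 22:36:09.505292 192.168.2.4 futurist2.ddns.net A 102.90.42.110
"""

# Assumed and deliberately incomplete; a real deployment would use a maintained list.
DYNDNS_SUFFIXES = ("ddns.net", "no-ip.com", "no-ip.org", "duckdns.org", "hopto.org")


def parse_ts(date, time):
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S.%f")


def session_starts(tcp_text):
    """{(src, dst, dport): sorted start times}, one start per distinct source port."""
    first = {}
    for line in tcp_text.splitlines():
        date, time, src, sport, dst, dport = line.split()
        ts = parse_ts(date, time)
        key = (src, sport, dst, dport)
        if key not in first or ts < first[key]:
            first[key] = ts
    by_peer = {}
    for (src, sport, dst, dport), ts in first.items():
        by_peer.setdefault((src, dst, dport), []).append(ts)
    return {k: sorted(v) for k, v in by_peer.items()}


def beacon_stats(starts):
    """Median gap (s) and jitter (stdev/mean) between consecutive session starts."""
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    if len(gaps) < 3:
        return None
    return {"sessions": len(starts), "median_s": median(gaps), "jitter": pstdev(gaps) / mean(gaps)}


def is_dynamic_dns(name):
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in DYNDNS_SUFFIXES)


def resolved_names(dns_text):
    """resolved address -> set of names that resolved to it."""
    out = {}
    for line in dns_text.splitlines():
        _, _, _, name, rtype, addr = line.split()
        if rtype == "A":
            out.setdefault(addr, set()).add(name)
    return out


def triage(tcp_text, dns_text, min_sessions=5, max_jitter=0.25):
    """Peers that are reconnected to on a regular clock, annotated with the names behind them."""
    findings = []
    names = resolved_names(dns_text)
    for (src, dst, dport), starts in session_starts(tcp_text).items():
        stats = beacon_stats(starts)
        if not stats or stats["sessions"] < min_sessions or stats["jitter"] > max_jitter:
            continue
        peer_names = sorted(names.get(dst, ()))
        findings.append({"src": src, "dst": dst, "dport": int(dport), **stats,
                         "names": peer_names,
                         "dynamic_dns": any(is_dynamic_dns(n) for n in peer_names)})
    return findings


if __name__ == "__main__":
    for finding in triage(TCP_SAMPLE, DNS_SAMPLE):
        print(finding)
```

On the report's data this yields one finding: ten sessions to 102.90.42.110:20506 with a median gap of about 23.4 s and jitter under 5 %, behind a dynamic-DNS name. The jitter bound is what separates a fixed-interval implant from a user-driven client; the repeated DNS lookups matter separately, because a dynamic-DNS name lets the operator move the C2 address without touching the implant, so the name, not the IP, is the durable indicator.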
                Target ID:1
                Start time:16:32:02
                Start date:02/07/2024
                Path:C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"
                Imagebase:0xbc0000
                File size:525'312 bytes
                MD5 hash:18907F90316AA47034081363DC00F908
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.1767946178.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000002.1767946178.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                Reputation:low
                Has exited:true

                Target ID:3
                Start time:16:32:05
                Start date:02/07/2024
                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Wow64 process (32bit):true
                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"
                Imagebase:0x570000
                File size:433'152 bytes
                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:4
                Start time:16:32:05
                Start date:02/07/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff7699e0000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:5
                Start time:16:32:06
                Start date:02/07/2024
                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Wow64 process (32bit):true
                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\BhTdjGetAH.exe"
                Imagebase:0x570000
                File size:433'152 bytes
                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:6
                Start time:16:32:06
                Start date:02/07/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff7699e0000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:7
                Start time:16:32:06
                Start date:02/07/2024
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp378C.tmp"
                Imagebase:0xcb0000
                File size:187'904 bytes
                MD5 hash:48C2FE20575769DE916F48EF0676A965
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:8
                Start time:16:32:06
                Start date:02/07/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff7699e0000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:9
                Start time:16:32:06
                Start date:02/07/2024
                Path:C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
                Wow64 process (32bit):false
                Commandline:"C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"
                Imagebase:0x3c0000
                File size:525'312 bytes
                MD5 hash:18907F90316AA47034081363DC00F908
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:low
                Has exited:true

                Target ID:10
                Start time:16:32:06
                Start date:02/07/2024
                Path:C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe"
                Imagebase:0x9b0000
                File size:525'312 bytes
                MD5 hash:18907F90316AA47034081363DC00F908
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:low
                Has exited:false

                Target ID:11
                Start time:16:32:08
                Start date:02/07/2024
                Path:C:\Users\user\AppData\Roaming\BhTdjGetAH.exe
                Wow64 process (32bit):true
                Commandline:C:\Users\user\AppData\Roaming\BhTdjGetAH.exe
                Imagebase:0x350000
                File size:525'312 bytes
                MD5 hash:18907F90316AA47034081363DC00F908
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000B.00000002.1839980652.0000000002801000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000002.1839980652.0000000002801000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                Antivirus matches:
                • Detection: 100%, Joe Sandbox ML
                • Detection: 58%, ReversingLabs
                Reputation:low
                Has exited:true

                Target ID:13
                Start time:16:32:09
                Start date:02/07/2024
                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Wow64 process (32bit):true
                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe'
                Imagebase:0x570000
                File size:433'152 bytes
                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:14
                Start time:16:32:09
                Start date:02/07/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff7699e0000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:15
                Start time:16:32:13
                Start date:02/07/2024
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp5296.tmp"
                Imagebase:0xcb0000
                File size:187'904 bytes
                MD5 hash:48C2FE20575769DE916F48EF0676A965
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:16
                Start time:16:32:13
                Start date:02/07/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff7699e0000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:17
                Start time:16:32:13
                Start date:02/07/2024
                Path:C:\Users\user\AppData\Roaming\BhTdjGetAH.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\AppData\Roaming\BhTdjGetAH.exe"
                Imagebase:0x680000
                File size:525'312 bytes
                MD5 hash:18907F90316AA47034081363DC00F908
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000011.00000002.1844167553.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000011.00000002.1844167553.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                Reputation:low
                Has exited:true

                Target ID:19
                Start time:16:32:16
                Start date:02/07/2024
                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Wow64 process (32bit):true
                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.exe'
                Imagebase:0x570000
                File size:433'152 bytes
                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:20
                Start time:16:32:16
                Start date:02/07/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff7699e0000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:21
                Start time:16:32:22
                Start date:02/07/2024
                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Wow64 process (32bit):true
                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\XClient.exe'
                Imagebase:0x570000
                File size:433'152 bytes
                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:22
                Start time:16:32:22
                Start date:02/07/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff7699e0000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:25
                Start time:16:32:29
                Start date:02/07/2024
                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Wow64 process (32bit):true
                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
                Imagebase:0x570000
                File size:433'152 bytes
                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:26
                Start time:16:32:29
                Start date:02/07/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff7699e0000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:28
                Start time:16:32:47
                Start date:02/07/2024
                Path:C:\Users\user\AppData\Local\XClient.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\AppData\Local\XClient.exe"
                Imagebase:0xcf0000
                File size:525'312 bytes
                MD5 hash:18907F90316AA47034081363DC00F908
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000001C.00000002.2211516335.00000000030BE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000001C.00000002.2211516335.00000000030BE000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                Antivirus matches:
                • Detection: 100%, Joe Sandbox ML
                • Detection: 58%, ReversingLabs
                Has exited:true

                Target ID:29
                Start time:16:32:48
                Start date:02/07/2024
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmpDDBF.tmp"
                Imagebase:0xcb0000
                File size:187'904 bytes
                MD5 hash:48C2FE20575769DE916F48EF0676A965
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:30
                Start time:16:32:48
                Start date:02/07/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff7699e0000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:31
                Start time:16:32:49
                Start date:02/07/2024
                Path:C:\Users\user\AppData\Local\XClient.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\AppData\Local\XClient.exe"
                Imagebase:0x7d0000
                File size:525'312 bytes
                MD5 hash:18907F90316AA47034081363DC00F908
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:32
                Start time:16:32:56
                Start date:02/07/2024
                Path:C:\Users\user\AppData\Local\XClient.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\AppData\Local\XClient.exe"
                Imagebase:0x690000
                File size:525'312 bytes
                MD5 hash:18907F90316AA47034081363DC00F908
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:33
                Start time:16:32:57
                Start date:02/07/2024
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BhTdjGetAH" /XML "C:\Users\user\AppData\Local\Temp\tmp125.tmp"
                Imagebase:0xcb0000
                File size:187'904 bytes
                MD5 hash:48C2FE20575769DE916F48EF0676A965
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:34
                Start time:16:32:57
                Start date:02/07/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff7699e0000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:35
                Start time:16:32:58
                Start date:02/07/2024
                Path:C:\Users\user\AppData\Local\XClient.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\AppData\Local\XClient.exe"
                Imagebase:0x910000
                File size:525'312 bytes
                MD5 hash:18907F90316AA47034081363DC00F908
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Has exited:true

                  Execution Graph

                  Execution Coverage:12.5%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:1.8%
                  Total number of Nodes:272
                  Total number of Limit Nodes:18
                  execution_graph: 272 nodes with call edges (node and edge listing omitted). Windows API calls resolved in the graph: GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, DuplicateHandle, CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext, ResumeThread, LoadLibraryExW, GetModuleHandleW, CreateActCtxA, CreateWindowExW, CallWindowProcW, PostMessageW.

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph: function at 2fc70f0, basic blocks 2fc70f0 through 2fc7bdc, with calls into 2fc57b0, 2fc57c0, the 2fc6d58 through 2fc6ec8 thunks, 565df90 / 565df7f and 2fcb9ae / 2fcb928 / 2fcb917 (block and edge listing omitted).
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1767897171.0000000002FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FC0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_2fc0000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID:
                  • String ID: ($($)$.$]$]$c
                  • API String ID: 0-2044916132
                  Memory Dump Source
                  • Source File: 00000001.00000002.1772289360.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_5650000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Memory Dump Source
                  • Source File: 00000001.00000002.1771583539.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_5060000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:

                  Control-flow Graph

                  APIs
                  • GetCurrentProcess.KERNEL32 ref: 0146CFFE
                  • GetCurrentThread.KERNEL32 ref: 0146D03B
                  • GetCurrentProcess.KERNEL32 ref: 0146D078
                  • GetCurrentThreadId.KERNEL32 ref: 0146D0D1
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.1766989934.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1460000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: Current$ProcessThread
                  • String ID: 4'^q
                  • API String ID: 2063062207-1614139903

                  Control-flow Graph

                  APIs
                  • GetCurrentProcess.KERNEL32 ref: 0146CFFE
                  • GetCurrentThread.KERNEL32 ref: 0146D03B
                  • GetCurrentProcess.KERNEL32 ref: 0146D078
                  • GetCurrentThreadId.KERNEL32 ref: 0146D0D1
                  Memory Dump Source
                  • Source File: 00000001.00000002.1766989934.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1460000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: Current$ProcessThread
                  • String ID:
                  • API String ID: 2063062207-0

                  Control-flow Graph

                  APIs
                  • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0506754E
                  Memory Dump Source
                  • Source File: 00000001.00000002.1771583539.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_5060000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: CreateProcess
                  • String ID:
                  • API String ID: 963392458-0

                  Control-flow Graph

                  APIs
                  • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0506754E
                  Memory Dump Source
                  • Source File: 00000001.00000002.1771583539.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_5060000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: CreateProcess
                  • String ID:
                  • API String ID: 963392458-0

                  Control-flow Graph

                  Memory Dump Source
                  • Source File: 00000001.00000002.1767897171.0000000002FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FC0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_2fc0000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:

                  Control-flow Graph

                  APIs
                  • GetModuleHandleW.KERNEL32(00000000), ref: 0146AF3E
                  Memory Dump Source
                  • Source File: 00000001.00000002.1766989934.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1460000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: HandleModule
                  • String ID:
                  • API String ID: 4139908857-0
                  APIs
                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02FC1A02
                  Memory Dump Source
                  • Source File: 00000001.00000002.1767897171.0000000002FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FC0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_2fc0000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: CreateWindow
                  • String ID:
                  • API String ID: 716092398-0
                  APIs
                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02FC1A02
                  Memory Dump Source
                  • Source File: 00000001.00000002.1767897171.0000000002FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FC0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_2fc0000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: CreateWindow
                  • String ID:
                  • API String ID: 716092398-0
                  APIs
                  • CreateActCtxA.KERNEL32(?), ref: 014659A9
                  Memory Dump Source
                  • Source File: 00000001.00000002.1766989934.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1460000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: Create
                  • String ID:
                  • API String ID: 2289755597-0
                  APIs
                  • CreateActCtxA.KERNEL32(?), ref: 014659A9
                  Memory Dump Source
                  • Source File: 00000001.00000002.1766989934.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1460000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: Create
                  • String ID:
                  • API String ID: 2289755597-0
                  APIs
                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 02FC4101
                  Memory Dump Source
                  • Source File: 00000001.00000002.1767897171.0000000002FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FC0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_2fc0000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: CallProcWindow
                  • String ID:
                  • API String ID: 2714655100-0
                  APIs
                  • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 05067120
                  Memory Dump Source
                  • Source File: 00000001.00000002.1771583539.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_5060000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: MemoryProcessWrite
                  • String ID:
                  • API String ID: 3559483778-0
                  APIs
                  • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 05067120
                  Memory Dump Source
                  • Source File: 00000001.00000002.1771583539.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_5060000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: MemoryProcessWrite
                  • String ID:
                  • API String ID: 3559483778-0
                  APIs
                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05066F76
                  Memory Dump Source
                  • Source File: 00000001.00000002.1771583539.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_5060000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: ContextThreadWow64
                  • String ID:
                  • API String ID: 983334009-0
                  APIs
                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05066F76
                  Memory Dump Source
                  • Source File: 00000001.00000002.1771583539.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_5060000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: ContextThreadWow64
                  • String ID:
                  • API String ID: 983334009-0
                  APIs
                  • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 05067200
                  Memory Dump Source
                  • Source File: 00000001.00000002.1771583539.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_5060000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: MemoryProcessRead
                  • String ID:
                  • API String ID: 1726664587-0
                  APIs
                  • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 05067200
                  Memory Dump Source
                  • Source File: 00000001.00000002.1771583539.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_5060000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: MemoryProcessRead
                  • String ID:
                  • API String ID: 1726664587-0
                  APIs
                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0146D657
                  Memory Dump Source
                  • Source File: 00000001.00000002.1766989934.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1460000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: DuplicateHandle
                  • String ID:
                  • API String ID: 3793708945-0
                  APIs
                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0146D657
                  Memory Dump Source
                  • Source File: 00000001.00000002.1766989934.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1460000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: DuplicateHandle
                  • String ID:
                  • API String ID: 3793708945-0
                  APIs
                  • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0146AFB9,00000800,00000000,00000000), ref: 0146B1CA
                  Memory Dump Source
                  • Source File: 00000001.00000002.1766989934.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1460000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: LibraryLoad
                  • String ID:
                  • API String ID: 1029625771-0
                  APIs
                  • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0146AFB9,00000800,00000000,00000000), ref: 0146B1CA
                  Memory Dump Source
                  • Source File: 00000001.00000002.1766989934.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1460000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: LibraryLoad
                  • String ID:
                  • API String ID: 1029625771-0
                  APIs
                  • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0506703E
                  Memory Dump Source
                  • Source File: 00000001.00000002.1771583539.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_5060000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: AllocVirtual
                  • String ID:
                  • API String ID: 4275171209-0
                  APIs
                  • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0506703E
                  Memory Dump Source
                  • Source File: 00000001.00000002.1771583539.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_5060000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: AllocVirtual
                  Memory Dump Source
                  • Source File: 00000001.00000002.1771583539.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_5060000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: ResumeThread
                  Memory Dump Source
                  • Source File: 00000001.00000002.1771583539.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_5060000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: ResumeThread
                  APIs
                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 0506BB95
                  Memory Dump Source
                  • Source File: 00000001.00000002.1771583539.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_5060000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: MessagePost
                  APIs
                  • GetModuleHandleW.KERNEL32(00000000), ref: 0146AF3E
                  Memory Dump Source
                  • Source File: 00000001.00000002.1766989934.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1460000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: HandleModule
                  APIs
                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 0506BB95
                  Memory Dump Source
                  • Source File: 00000001.00000002.1771583539.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_5060000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: MessagePost
                  Memory Dump Source
                  • Source File: 00000001.00000002.1765364171.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_11cd000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Memory Dump Source
                  • Source File: 00000001.00000002.1765710965.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_11dd000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Memory Dump Source
                  • Source File: 00000001.00000002.1765710965.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_11dd000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Memory Dump Source
                  • Source File: 00000001.00000002.1765710965.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_11dd000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Memory Dump Source
                  • Source File: 00000001.00000002.1765364171.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_11cd000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Memory Dump Source
                  • Source File: 00000001.00000002.1765710965.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_11dd000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Memory Dump Source
                  • Source File: 00000001.00000002.1765364171.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_11cd000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Memory Dump Source
                  • Source File: 00000001.00000002.1765364171.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_11cd000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Memory Dump Source
                  • Source File: 00000001.00000002.1772289360.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_5650000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • String ID: PH^q
                  Memory Dump Source
                  • Source File: 00000001.00000002.1771583539.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_5060000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • String ID: uc^^
                  Memory Dump Source
                  • Source File: 00000001.00000002.1771583539.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_5060000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • String ID: uc^^
                  Memory Dump Source
                  • Source File: 00000001.00000002.1771583539.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_5060000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Memory Dump Source
                  • Source File: 00000001.00000002.1767897171.0000000002FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FC0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_2fc0000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Memory Dump Source
                  • Source File: 00000001.00000002.1771583539.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_5060000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Memory Dump Source
                  • Source File: 00000001.00000002.1771583539.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_5060000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Memory Dump Source
                  • Source File: 00000001.00000002.1771583539.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_5060000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Memory Dump Source
                  • Source File: 00000001.00000002.1771583539.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_5060000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Memory Dump Source
                  • Source File: 00000001.00000002.1766989934.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_1460000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Memory Dump Source
                  • Source File: 00000001.00000002.1767897171.0000000002FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FC0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_2fc0000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Memory Dump Source
                  • Source File: 00000001.00000002.1772289360.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_5650000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Memory Dump Source
                  • Source File: 00000001.00000002.1772289360.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_5650000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Memory Dump Source
                  • Source File: 00000001.00000002.1771583539.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_5060000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Memory Dump Source
                  • Source File: 00000001.00000002.1771583539.0000000005060000.00000040.00000800.00020000.00000000.sdmp, Offset: 05060000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_5060000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd

                  Execution Graph

                  Execution Coverage:13%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:0%
                  Total number of Nodes:38
                  Total number of Limit Nodes:4
                  execution_graph (flattened node/edge dump; API-calling nodes recovered from the graph labels):
                  • 12665e0 → 1266624 RtlSetProcessIsCritical → 1266681
                  • 1266a10 → 1266a54 SetWindowsHookExW → 1266a9a
                  • 126bc90 → 126bcd6 → 126be70 → 126b864 → 126bed8 DuplicateHandle → 126bdc3
                  • 5ce1c78 → 5ce1c9c → 5ce1e68 / 5ce1e78 → 5ce1ea0 / 5ce1eb0 → 5ce1434 → 5ce1f88 GlobalMemoryStatusEx; 5ce1fce GlobalMemoryStatusEx → 5ce1ffe
                  Memory Dump Source
                  • Source File: 0000000A.00000002.4215245728.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_5ce0000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  APIs
                  • RtlSetProcessIsCritical.NTDLL(?,?), ref: 01266672
                  Memory Dump Source
                  • Source File: 0000000A.00000002.4194400366.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_1260000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: CriticalProcess
                  APIs
                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0126BE9E,?,?,?,?,?), ref: 0126BF5F
                  Memory Dump Source
                  • Source File: 0000000A.00000002.4194400366.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_1260000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: DuplicateHandle
                  APIs
                  • RtlSetProcessIsCritical.NTDLL(?,?), ref: 01266672
                  Memory Dump Source
                  • Source File: 0000000A.00000002.4194400366.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_1260000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: CriticalProcess
                  APIs
                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0126BE9E,?,?,?,?,?), ref: 0126BF5F
                  Memory Dump Source
                  • Source File: 0000000A.00000002.4194400366.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_1260000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: DuplicateHandle
                  • String ID:
                  • API String ID: 3793708945-0
                  • Opcode ID: 7f55acc9e0d5db58d12cac5c039f2b588dda48d01f5690b0727dd548c11bb234
                  • Instruction ID: a623d49cd63c63afacdbb43bb7f6d5df7fabdaf841555f9b70b8a122b039de31
                  • Opcode Fuzzy Hash: 7f55acc9e0d5db58d12cac5c039f2b588dda48d01f5690b0727dd548c11bb234
                  • Instruction Fuzzy Hash: F921E6B5910258DFDB10CFAAD984ADEFFF8EB48310F14801AE954A7350D375A950CFA4
                  APIs
                  • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 01266A8B
                  Memory Dump Source
                  • Source File: 0000000A.00000002.4194400366.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_1260000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: HookWindows
                  • String ID:
                  • API String ID: 2559412058-0
                  • Opcode ID: 1c13493f55b9ae38a62ab14d5ce83a7cc3032b1937a86034a40d8435efd9534f
                  • Instruction ID: 1558d34546d7570ba2452f04e32d63d7ccace1d552a6330c6fca411e4fe697df
                  • Opcode Fuzzy Hash: 1c13493f55b9ae38a62ab14d5ce83a7cc3032b1937a86034a40d8435efd9534f
                  • Instruction Fuzzy Hash: 602168B19002099FCB14CF9AC844BEEFBF4AB88310F14842AD019A7350C775A941CFA0
                  APIs
                  • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 01266A8B
                  Memory Dump Source
                  • Source File: 0000000A.00000002.4194400366.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_1260000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: HookWindows
                  • String ID:
                  • API String ID: 2559412058-0
                  • Opcode ID: eb72688f8321da3eb65e17accb35ca0a894cf7710c2388ea3d02e17cdefcd9b9
                  • Instruction ID: 93f2f99f9675c25205165f612611e377fdd0a8b42f374734130604623630f824
                  • Opcode Fuzzy Hash: eb72688f8321da3eb65e17accb35ca0a894cf7710c2388ea3d02e17cdefcd9b9
                  • Instruction Fuzzy Hash: 492127B5D002099FDB14DF9AC944BEEFBF5EB88310F14842AD459A7350C774A944CFA5
                  APIs
                  • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,05CE1F02), ref: 05CE1FEF
                  Memory Dump Source
                  • Source File: 0000000A.00000002.4215245728.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_5ce0000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: GlobalMemoryStatus
                  • String ID:
                  • API String ID: 1890195054-0
                  • Opcode ID: 1fd3b9e248c170a4202ddd0adf0f9620038c956326c9b1ab3b823038fe49b6fc
                  • Instruction ID: 0cc5b6d91dc7d834865fa0b0c39f40704c4a7276b217b73c7c6fe3d014b68465
                  • Opcode Fuzzy Hash: 1fd3b9e248c170a4202ddd0adf0f9620038c956326c9b1ab3b823038fe49b6fc
                  • Instruction Fuzzy Hash: E81100B5C046599BCB20DF9AC448B9EFBF4EB48320F15856AE818A7241D378A950CFE5
                  APIs
                  • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,05CE1F02), ref: 05CE1FEF
                  Memory Dump Source
                  • Source File: 0000000A.00000002.4215245728.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_5ce0000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID: GlobalMemoryStatus
                  • String ID:
                  • API String ID: 1890195054-0
                  • Opcode ID: 714b10c7ddeb7db20fe447d59217e6b44cb3050732b4c299ee301c34d29d7bc5
                  • Instruction ID: 403d6bacab9b5e57abe893b2d45a96361c037d7e34f780a40f0d5d2c63b964ac
                  • Opcode Fuzzy Hash: 714b10c7ddeb7db20fe447d59217e6b44cb3050732b4c299ee301c34d29d7bc5
                  • Instruction Fuzzy Hash: 801112B5C002599FDB10DF9AC548BDEFBF4BB48320F15856AE818A7250D378A941CFA5
                  Memory Dump Source
                  • Source File: 0000000A.00000002.4193822948.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_11cd000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ab23428dabaef49d1938eca8cac1bf479d020e04a66027e6d00a23dd5765e987
                  • Instruction ID: 3b5d704c233e44d0e7a1cd78c30dfd7491d44e1c1840215725ca328259736e5f
                  • Opcode Fuzzy Hash: ab23428dabaef49d1938eca8cac1bf479d020e04a66027e6d00a23dd5765e987
                  • Instruction Fuzzy Hash: 1E21F171500240DFDF09DF58EAC0B26BF75FBA8B18F20857DE9094A256C336D456CAA2
                  Memory Dump Source
                  • Source File: 0000000A.00000002.4194016729.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_11dd000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e3807af7b99f30c9049e55ed016e0356535eaf067d15e920ece37e36e002dc58
                  • Instruction ID: 461c0e2405c497ab5e0e6ef8878902801bf3fe65f073f0ba78573117512cfcd5
                  • Opcode Fuzzy Hash: e3807af7b99f30c9049e55ed016e0356535eaf067d15e920ece37e36e002dc58
                  • Instruction Fuzzy Hash: 8F210471644200EFDF09DF68E9C0B26BBA5FB84314F20C66DD8094B296C33AD446CAA2
                  Memory Dump Source
                  • Source File: 0000000A.00000002.4194016729.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_11dd000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5f90709c0d29f093b8f0158003b9085b7fd70cc412d597336283a820d17fed33
                  • Instruction ID: 8e9cfdca9935768e5ff9c43470bf7fe954746275e53e10c508d5eff015c50266
                  • Opcode Fuzzy Hash: 5f90709c0d29f093b8f0158003b9085b7fd70cc412d597336283a820d17fed33
                  • Instruction Fuzzy Hash: FF2129B5508204EFDF09DF98E5C0B26BB65FB84314F24C56DD8494B392C73AD446CA62
                  Memory Dump Source
                  • Source File: 0000000A.00000002.4194016729.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_11dd000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1daab4ee14bf30c65123f3131fbeb6b9530123a2eb8c2c045b32045dd87b8b90
                  • Instruction ID: 9f03af93abca9ed166b0fc0feaec1e2ee738cd78d75a0bb4cac99293a245c8a1
                  • Opcode Fuzzy Hash: 1daab4ee14bf30c65123f3131fbeb6b9530123a2eb8c2c045b32045dd87b8b90
                  • Instruction Fuzzy Hash: 2121F971544200DFDF19DFA8EAC4F16BF65FB88324F20C56DE90A4B296C336D446C662
                  Memory Dump Source
                  • Source File: 0000000A.00000002.4193822948.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_11cd000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                  • Instruction ID: 7b76ad47b32122cc1659311df1201ca228ecc928075ee41aa67a44749b829e1c
                  • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                  • Instruction Fuzzy Hash: 5411CD76504280CFCF06CF44D5C4B16BF71FBA4614F24C6ADD8090A656C33AD45ACBA2
                  Memory Dump Source
                  • Source File: 0000000A.00000002.4194016729.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_11dd000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                  • Instruction ID: 4e7ba99f890bfbb42a5310d68cfeb47c5f5240484f7521d864730ee183a362a9
                  • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                  • Instruction Fuzzy Hash: D61190B5508640DFDB06CF54D5C4B15BF61FB44314F24C6A9D8494B696C33AD44ACB51
                  Memory Dump Source
                  • Source File: 0000000A.00000002.4194016729.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_11dd000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                  • Instruction ID: 4eb4c2b2a59d236bf897581935751b7b9a51c0ab869620568804411813f224bf
                  • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                  • Instruction Fuzzy Hash: 4B119075504240DFDB16CF64D9C4B15FFB1FB44314F24C6A9D8494B696C33AD44ACB91
                  Memory Dump Source
                  • Source File: 0000000A.00000002.4194016729.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_10_2_11dd000_FOR JOBREF OC-SEAEXP YFC EXPORT-SEA BOOKING853IPN0006279.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e676ac0fa395c9d78ad1373b251d500d35a058fc48d93c8ca3093ca1b2890539
                  • Instruction ID: b730a484126d4b83fc8282c03fc8e3136d7c6ae63554f7286c63be2f9cf0d488
                  • Opcode Fuzzy Hash: e676ac0fa395c9d78ad1373b251d500d35a058fc48d93c8ca3093ca1b2890539
                  • Instruction Fuzzy Hash: 0E11BF75504280DFDF16CF54D5C4B16BFA1FB88328F24C6ADD8494B696C33AD44ACB52

                  Execution Graph

                  Execution Coverage:11.9%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:0%
                  Total number of Nodes:173
                  Total number of Limit Nodes:6
                  execution_graph 22549 c4d768d 22551 c4d7604 22549->22551 22550 c4d76f5 22551->22550 22555 c4d9948 22551->22555 22570 c4d9998 22551->22570 22585 c4d9938 22551->22585 22556 c4d9962 22555->22556 22557 c4d996a 22556->22557 22600 c4da065 22556->22600 22605 c4d9d45 22556->22605 22609 c4da248 22556->22609 22613 c4da052 22556->22613 22620 c4da330 22556->22620 22624 c4da1f6 22556->22624 22629 c4d9dfb 22556->22629 22634 c4d9e38 22556->22634 22639 c4da0dc 22556->22639 22644 c4da53c 22556->22644 22648 c4da43d 22556->22648 22652 c4da0e7 22556->22652 22557->22550 22571 c4d993c 22570->22571 22572 c4d996a 22571->22572 22573 c4da248 2 API calls 22571->22573 22574 c4d9d45 2 API calls 22571->22574 22575 c4da065 2 API calls 22571->22575 22576 c4da0e7 2 API calls 22571->22576 22577 c4da43d 2 API calls 22571->22577 22578 c4da53c 2 API calls 22571->22578 22579 c4da0dc 2 API calls 22571->22579 22580 c4d9e38 2 API calls 22571->22580 22581 c4d9dfb 2 API calls 22571->22581 22582 c4da1f6 2 API calls 22571->22582 22583 c4da330 2 API calls 22571->22583 22584 c4da052 4 API calls 22571->22584 22572->22550 22573->22572 22574->22572 22575->22572 22576->22572 22577->22572 22578->22572 22579->22572 22580->22572 22581->22572 22582->22572 22583->22572 22584->22572 22586 c4d993d 22585->22586 22587 c4da248 2 API calls 22586->22587 22588 c4d9d45 2 API calls 22586->22588 22589 c4da065 2 API calls 22586->22589 22590 c4da0e7 2 API calls 22586->22590 22591 c4d996a 22586->22591 22592 c4da43d 2 API calls 22586->22592 22593 c4da53c 2 API calls 22586->22593 22594 c4da0dc 2 API calls 22586->22594 22595 c4d9e38 2 API calls 22586->22595 22596 c4d9dfb 2 API calls 22586->22596 22597 c4da1f6 2 API calls 22586->22597 22598 c4da330 2 API calls 22586->22598 22599 c4da052 4 API calls 22586->22599 22587->22591 22588->22591 22589->22591 22590->22591 22591->22550 22592->22591 22593->22591 22594->22591 22595->22591 22596->22591 22597->22591 22598->22591 22599->22591 22601 c4da5bb 22600->22601 22602 c4da318 
22601->22602 22657 c4d7048 22601->22657 22661 c4d7050 22601->22661 22602->22557 22665 c4d71e8 22605->22665 22669 c4d71dc 22605->22669 22673 c4d6f58 22609->22673 22677 c4d6f60 22609->22677 22610 c4da26c 22614 c4da05f 22613->22614 22615 c4da138 22613->22615 22681 c4d6dc8 22614->22681 22685 c4d6dc0 22614->22685 22689 c4d68d8 22615->22689 22693 c4d68e0 22615->22693 22621 c4da344 22620->22621 22622 c4d68d8 ResumeThread 22621->22622 22623 c4d68e0 ResumeThread 22621->22623 22622->22621 22623->22621 22625 c4da1fa 22624->22625 22627 c4d6f58 WriteProcessMemory 22625->22627 22628 c4d6f60 WriteProcessMemory 22625->22628 22626 c4da229 22627->22626 22628->22626 22630 c4d9e01 22629->22630 22632 c4d6dc8 Wow64SetThreadContext 22630->22632 22633 c4d6dc0 Wow64SetThreadContext 22630->22633 22631 c4d9e95 22631->22557 22632->22631 22633->22631 22635 c4d9e4d 22634->22635 22637 c4d6f58 WriteProcessMemory 22635->22637 22638 c4d6f60 WriteProcessMemory 22635->22638 22636 c4da229 22637->22636 22638->22636 22640 c4da588 22639->22640 22697 c4d6e98 22640->22697 22701 c4d6ea0 22640->22701 22641 c4da5a6 22645 c4da344 22644->22645 22646 c4d68d8 ResumeThread 22645->22646 22647 c4d68e0 ResumeThread 22645->22647 22646->22645 22647->22645 22649 c4da344 22648->22649 22650 c4d68d8 ResumeThread 22649->22650 22651 c4d68e0 ResumeThread 22649->22651 22650->22649 22651->22649 22653 c4d9db5 22652->22653 22654 c4d9dc7 22653->22654 22655 c4d6f58 WriteProcessMemory 22653->22655 22656 c4d6f60 WriteProcessMemory 22653->22656 22654->22557 22655->22653 22656->22653 22658 c4d709b ReadProcessMemory 22657->22658 22660 c4d70df 22658->22660 22660->22601 22662 c4d709b ReadProcessMemory 22661->22662 22664 c4d70df 22662->22664 22664->22601 22666 c4d7271 CreateProcessA 22665->22666 22668 c4d7433 22666->22668 22670 c4d7271 CreateProcessA 22669->22670 22672 c4d7433 22670->22672 22674 c4d6f60 WriteProcessMemory 22673->22674 22676 c4d6fff 22674->22676 22676->22610 22678 c4d6fa8 WriteProcessMemory 22677->22678 22680 c4d6fff 
22678->22680 22680->22610 22682 c4d6e0d Wow64SetThreadContext 22681->22682 22684 c4d6e55 22682->22684 22684->22615 22686 c4d6dc8 Wow64SetThreadContext 22685->22686 22688 c4d6e55 22686->22688 22688->22615 22690 c4d68e0 ResumeThread 22689->22690 22692 c4d6951 22690->22692 22692->22615 22694 c4d6920 ResumeThread 22693->22694 22696 c4d6951 22694->22696 22696->22615 22698 c4d6ea0 VirtualAllocEx 22697->22698 22700 c4d6f1d 22698->22700 22700->22641 22702 c4d6ee0 VirtualAllocEx 22701->22702 22704 c4d6f1d 22702->22704 22704->22641 22756 d84668 22757 d84672 22756->22757 22759 d84759 22756->22759 22760 d8475c 22759->22760 22764 d84858 22760->22764 22768 d84868 22760->22768 22766 d8485c 22764->22766 22765 d8496c 22765->22765 22766->22765 22772 d844b0 22766->22772 22769 d8486a 22768->22769 22770 d8496c 22769->22770 22771 d844b0 CreateActCtxA 22769->22771 22770->22770 22771->22770 22773 d858f8 CreateActCtxA 22772->22773 22775 d859bb 22773->22775 22707 c4daa98 22709 c4daa9a 22707->22709 22708 c4dac23 22709->22708 22711 c4d8f14 22709->22711 22712 c4dad18 PostMessageW 22711->22712 22713 c4dad84 22712->22713 22713->22709 22705 d8d5d0 DuplicateHandle 22706 d8d666 22705->22706 22714 d8cf80 22715 d8cfc6 GetCurrentProcess 22714->22715 22717 d8d018 GetCurrentThread 22715->22717 22718 d8d011 22715->22718 22719 d8d04e 22717->22719 22720 d8d055 GetCurrentProcess 22717->22720 22718->22717 22719->22720 22721 d8d08b 22720->22721 22722 d8d0b3 GetCurrentThreadId 22721->22722 22723 d8d0e4 22722->22723 22724 d8abf0 22728 d8acd8 22724->22728 22736 d8ace8 22724->22736 22725 d8abff 22729 d8acdc 22728->22729 22730 d8ad1c 22729->22730 22744 d8af80 22729->22744 22748 d8af70 22729->22748 22730->22725 22731 d8ad14 22731->22730 22732 d8af20 GetModuleHandleW 22731->22732 22733 d8af4d 22732->22733 22733->22725 22737 d8acea 22736->22737 22738 d8ad1c 22737->22738 22742 d8af80 LoadLibraryExW 22737->22742 22743 d8af70 LoadLibraryExW 22737->22743 22738->22725 22739 d8ad14 22739->22738 22740 d8af20 
GetModuleHandleW 22739->22740 22741 d8af4d 22740->22741 22741->22725 22742->22739 22743->22739 22745 d8af94 22744->22745 22746 d8afb9 22745->22746 22752 d8a070 22745->22752 22746->22731 22749 d8af74 22748->22749 22750 d8a070 LoadLibraryExW 22749->22750 22751 d8afb9 22749->22751 22750->22751 22751->22731 22753 d8b160 LoadLibraryExW 22752->22753 22755 d8b1d9 22753->22755 22755->22746

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 296 d8cf71-d8cf78 297 d8cf7a 296->297 298 d8cf32-d8cf6f 296->298 299 d8cf7c-d8cf7d 297->299 300 d8cf7e-d8d00f GetCurrentProcess 297->300 299->300 309 d8d018-d8d04c GetCurrentThread 300->309 310 d8d011-d8d017 300->310 311 d8d04e-d8d054 309->311 312 d8d055-d8d089 GetCurrentProcess 309->312 310->309 311->312 314 d8d08b-d8d091 312->314 315 d8d092-d8d0ad call d8d558 312->315 314->315 319 d8d0b3-d8d0e2 GetCurrentThreadId 315->319 320 d8d0eb-d8d14d 319->320 321 d8d0e4-d8d0ea 319->321 321->320
                  APIs
                  • GetCurrentProcess.KERNEL32 ref: 00D8CFFE
                  • GetCurrentThread.KERNEL32 ref: 00D8D03B
                  • GetCurrentProcess.KERNEL32 ref: 00D8D078
                  • GetCurrentThreadId.KERNEL32 ref: 00D8D0D1
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.1838455786.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_d80000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID: Current$ProcessThread
                  • String ID: 4'^q
                  • API String ID: 2063062207-1614139903
                  • Opcode ID: 9ded6799148e46b4b51e08e44d738be66c4a248c9d4970b0d8d115da734336ff
                  • Instruction ID: 5091c1242f9e2ca5492d75a10ded8ac079947929ed874d0896cf53c07c65b6de
                  • Opcode Fuzzy Hash: 9ded6799148e46b4b51e08e44d738be66c4a248c9d4970b0d8d115da734336ff
                  • Instruction Fuzzy Hash: 12616AB0901209DFDB14DFA9D548BAEBBF1EF89304F20C469E449A73A0DB349985CF65

                  Control-flow Graph

                  control_flow_graph 328 d8cf80-d8d00f GetCurrentProcess 332 d8d018-d8d04c GetCurrentThread 328->332 333 d8d011-d8d017 328->333 334 d8d04e-d8d054 332->334 335 d8d055-d8d089 GetCurrentProcess 332->335 333->332 334->335 336 d8d08b-d8d091 335->336 337 d8d092-d8d0ad call d8d558 335->337 336->337 341 d8d0b3-d8d0e2 GetCurrentThreadId 337->341 342 d8d0eb-d8d14d 341->342 343 d8d0e4-d8d0ea 341->343 343->342
                  APIs
                  • GetCurrentProcess.KERNEL32 ref: 00D8CFFE
                  • GetCurrentThread.KERNEL32 ref: 00D8D03B
                  • GetCurrentProcess.KERNEL32 ref: 00D8D078
                  • GetCurrentThreadId.KERNEL32 ref: 00D8D0D1
                  Memory Dump Source
                  • Source File: 0000000B.00000002.1838455786.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_d80000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID: Current$ProcessThread
                  • String ID:
                  • API String ID: 2063062207-0
                  • Opcode ID: b9ac5ed1823a46cf28e461582ed6f5cd4079e1b5dae6c775256317b810f9860f
                  • Instruction ID: 4d8abd890a5ed9f50447f0c6aa2c572cdb18ff6d63a2d2db1c05bd0742a4c3ac
                  • Opcode Fuzzy Hash: b9ac5ed1823a46cf28e461582ed6f5cd4079e1b5dae6c775256317b810f9860f
                  • Instruction Fuzzy Hash: 725154B0901209CFDB14DFAAD548B9EBBF1EF89304F24C469E419A73A0DB749984CF65

                  Control-flow Graph

                  control_flow_graph 463 c4d71dc-c4d727d 465 c4d727f-c4d7289 463->465 466 c4d72b6-c4d72d6 463->466 465->466 467 c4d728b-c4d728d 465->467 473 c4d730f-c4d733e 466->473 474 c4d72d8-c4d72e2 466->474 468 c4d728f-c4d7299 467->468 469 c4d72b0-c4d72b3 467->469 471 c4d729d-c4d72ac 468->471 472 c4d729b 468->472 469->466 471->471 475 c4d72ae 471->475 472->471 480 c4d7377-c4d7431 CreateProcessA 473->480 481 c4d7340-c4d734a 473->481 474->473 476 c4d72e4-c4d72e6 474->476 475->469 478 c4d7309-c4d730c 476->478 479 c4d72e8-c4d72f2 476->479 478->473 482 c4d72f4 479->482 483 c4d72f6-c4d7305 479->483 494 c4d743a-c4d74c0 480->494 495 c4d7433-c4d7439 480->495 481->480 484 c4d734c-c4d734e 481->484 482->483 483->483 485 c4d7307 483->485 486 c4d7371-c4d7374 484->486 487 c4d7350-c4d735a 484->487 485->478 486->480 489 c4d735c 487->489 490 c4d735e-c4d736d 487->490 489->490 490->490 491 c4d736f 490->491 491->486 505 c4d74d0-c4d74d4 494->505 506 c4d74c2-c4d74c6 494->506 495->494 508 c4d74e4-c4d74e8 505->508 509 c4d74d6-c4d74da 505->509 506->505 507 c4d74c8 506->507 507->505 511 c4d74f8-c4d74fc 508->511 512 c4d74ea-c4d74ee 508->512 509->508 510 c4d74dc 509->510 510->508 514 c4d750e-c4d7515 511->514 515 c4d74fe-c4d7504 511->515 512->511 513 c4d74f0 512->513 513->511 516 c4d752c 514->516 517 c4d7517-c4d7526 514->517 515->514 519 c4d752d 516->519 517->516 519->519
                  APIs
                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0C4D741E
                  Memory Dump Source
                  • Source File: 0000000B.00000002.1873367899.000000000C4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C4D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_c4d0000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID: CreateProcess
                  • String ID:
                  • API String ID: 963392458-0
                  • Opcode ID: b2632722cbe1caefa5da197a6c36fa9dabd7e47640884388b949bd9c2d7c279f
                  • Instruction ID: 2451cbe2a68d779926cba40b450a1f6f56b1bfcb03f4049f5c8c1e21106feab2
                  • Opcode Fuzzy Hash: b2632722cbe1caefa5da197a6c36fa9dabd7e47640884388b949bd9c2d7c279f
                  • Instruction Fuzzy Hash: DB91AC71E00219CFDB10DF68C951BDEBBB2FF48315F1581AAE808A7244DB749985CF91

                  Control-flow Graph

                  control_flow_graph 520 c4d71e8-c4d727d 522 c4d727f-c4d7289 520->522 523 c4d72b6-c4d72d6 520->523 522->523 524 c4d728b-c4d728d 522->524 530 c4d730f-c4d733e 523->530 531 c4d72d8-c4d72e2 523->531 525 c4d728f-c4d7299 524->525 526 c4d72b0-c4d72b3 524->526 528 c4d729d-c4d72ac 525->528 529 c4d729b 525->529 526->523 528->528 532 c4d72ae 528->532 529->528 537 c4d7377-c4d7431 CreateProcessA 530->537 538 c4d7340-c4d734a 530->538 531->530 533 c4d72e4-c4d72e6 531->533 532->526 535 c4d7309-c4d730c 533->535 536 c4d72e8-c4d72f2 533->536 535->530 539 c4d72f4 536->539 540 c4d72f6-c4d7305 536->540 551 c4d743a-c4d74c0 537->551 552 c4d7433-c4d7439 537->552 538->537 541 c4d734c-c4d734e 538->541 539->540 540->540 542 c4d7307 540->542 543 c4d7371-c4d7374 541->543 544 c4d7350-c4d735a 541->544 542->535 543->537 546 c4d735c 544->546 547 c4d735e-c4d736d 544->547 546->547 547->547 548 c4d736f 547->548 548->543 562 c4d74d0-c4d74d4 551->562 563 c4d74c2-c4d74c6 551->563 552->551 565 c4d74e4-c4d74e8 562->565 566 c4d74d6-c4d74da 562->566 563->562 564 c4d74c8 563->564 564->562 568 c4d74f8-c4d74fc 565->568 569 c4d74ea-c4d74ee 565->569 566->565 567 c4d74dc 566->567 567->565 571 c4d750e-c4d7515 568->571 572 c4d74fe-c4d7504 568->572 569->568 570 c4d74f0 569->570 570->568 573 c4d752c 571->573 574 c4d7517-c4d7526 571->574 572->571 576 c4d752d 573->576 574->573 576->576
                  APIs
                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0C4D741E
                  Memory Dump Source
                  • Source File: 0000000B.00000002.1873367899.000000000C4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C4D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_c4d0000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID: CreateProcess
                  • String ID:
                  • API String ID: 963392458-0
                  • Opcode ID: 7c81f18a0956c1f4fed0338208c20a2c7c9c23c57a4b5e1a0d94723205537c58
                  • Instruction ID: 19dc4b93d9d74fab22be1845c40008fb1d339572b35354dd673a661781aa7308
                  • Opcode Fuzzy Hash: 7c81f18a0956c1f4fed0338208c20a2c7c9c23c57a4b5e1a0d94723205537c58
                  • Instruction Fuzzy Hash: E9919C70E00219CFDB20DFA8C951BDEBBB2FF48315F1581AAE809A7244DB749985CF91

                  Control-flow Graph

                  control_flow_graph 577 d8ace8-d8acf7 579 d8acf9-d8ad06 call d8a00c 577->579 580 d8ad23-d8ad27 577->580 586 d8ad08 579->586 587 d8ad1c 579->587 582 d8ad29-d8ad33 580->582 583 d8ad3b-d8ad7c 580->583 582->583 589 d8ad89-d8ad97 583->589 590 d8ad7e-d8ad86 583->590 638 d8ad0e call d8af80 586->638 639 d8ad0e call d8af70 586->639 587->580 591 d8ad99-d8ad9e 589->591 592 d8adbb-d8adbd 589->592 590->589 594 d8ada9 591->594 595 d8ada0-d8ada7 call d8a018 591->595 596 d8adc0-d8adc7 592->596 593 d8ad14-d8ad16 593->587 597 d8ae58-d8aed2 593->597 598 d8adab-d8adb9 594->598 595->598 600 d8adc9-d8add1 596->600 601 d8add4-d8addb 596->601 628 d8aed4 597->628 629 d8aed6 597->629 598->596 600->601 604 d8ade8-d8adf1 call d8a028 601->604 605 d8addd-d8ade5 601->605 609 d8adfe-d8ae03 604->609 610 d8adf3-d8adfb 604->610 605->604 611 d8ae21-d8ae25 609->611 612 d8ae05-d8ae0c 609->612 610->609 640 d8ae28 call d8b280 611->640 641 d8ae28 call d8b251 611->641 612->611 614 d8ae0e-d8ae1e call d8a038 call d8a048 612->614 614->611 616 d8ae2b-d8ae2e 619 d8ae30-d8ae4e 616->619 620 d8ae51-d8ae57 616->620 619->620 628->629 630 d8af00-d8af18 628->630 631 d8aed8-d8aed9 629->631 632 d8aeda-d8aefe 629->632 633 d8af1a-d8af1d 630->633 634 d8af20-d8af4b GetModuleHandleW 630->634 631->632 632->630 633->634 635 d8af4d-d8af53 634->635 636 d8af54-d8af68 634->636 635->636 638->593 639->593 640->616 641->616
                  APIs
                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00D8AF3E
                  Memory Dump Source
                  • Source File: 0000000B.00000002.1838455786.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_d80000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID: HandleModule
                  • String ID:
                  • API String ID: 4139908857-0
                  • Opcode ID: a08fa14e02f862369a32d51b1982105808242575a70485b056f5769b11cc778c
                  • Instruction ID: b0bde115dad50d7f2ca2975a7096af69bcb87e8a02cbef682dd09a96e4909f9b
                  • Opcode Fuzzy Hash: a08fa14e02f862369a32d51b1982105808242575a70485b056f5769b11cc778c
                  • Instruction Fuzzy Hash: 1C814970A00B058FE724EF29D44575ABBF1FF88304F04892EE486D7A50E775E94ACBA1

                  Control-flow Graph

                  control_flow_graph 642 d858ed-d858ee 643 d858f0-d858f1 642->643 644 d858f2 642->644 643->644 645 d858f4 644->645 646 d858f6-d8596c 644->646 645->646 648 d8596f-d859b9 CreateActCtxA 646->648 650 d859bb-d859c1 648->650 651 d859c2-d85a1c 648->651 650->651 658 d85a2b-d85a2f 651->658 659 d85a1e-d85a21 651->659 660 d85a40 658->660 661 d85a31-d85a3d 658->661 659->658 662 d85a41 660->662 661->660 662->662
                  APIs
                  • CreateActCtxA.KERNEL32(?), ref: 00D859A9
                  Memory Dump Source
                  • Source File: 0000000B.00000002.1838455786.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_d80000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID: Create
                  • String ID:
                  • API String ID: 2289755597-0
                  • Opcode ID: e0cfb6022eed6d7244f1f77d762f6d20070bdab14ba95a2a0a426184c55e8aa2
                  • Instruction ID: 23632c290612c3613bca2eb6aa1dddc4a6e41827c298d80af490dd4930497b42
                  • Opcode Fuzzy Hash: e0cfb6022eed6d7244f1f77d762f6d20070bdab14ba95a2a0a426184c55e8aa2
                  • Instruction Fuzzy Hash: 1F4125B0C00719CFDB24DFAAC884BDDBBB5BF49304F24816AD409AB255DB756945CFA0

                  Control-flow Graph

                  control_flow_graph 664 d85a64-d85af4
                  Memory Dump Source
                  • Source File: 0000000B.00000002.1838455786.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_d80000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6ec418f73063b9ba5b7d18695cc4bf913ac9f5afb095f808d57ea830169f02ab
                  • Instruction ID: 40b85f42f4d4f51c50b76a9d568d5021c68b25580e8e6ee014b6a37463817292
                  • Opcode Fuzzy Hash: 6ec418f73063b9ba5b7d18695cc4bf913ac9f5afb095f808d57ea830169f02ab
                  • Instruction Fuzzy Hash: BB31EE71805A49CFCF15EBA8E48479EBBF0AF42314F28818AD045AB259C775A946CF61

                  Control-flow Graph

                  control_flow_graph (rendering omitted): basic blocks d844b0 through d85a41; CreateActCtxA is called from block d844b0-d859b9
                  APIs
                  • CreateActCtxA.KERNEL32(?), ref: 00D859A9
                  Memory Dump Source
                  • Source File: 0000000B.00000002.1838455786.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_d80000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID: Create
                  • String ID:
                  • API String ID: 2289755597-0
                  • Opcode ID: 08c3a30f24dc11a13bc3faba9672087fdbeed5f8f879f224a283fe1354831ba7
                  • Instruction ID: 0a566d4c19993536a046f4be0941d25ff00b671b8539c3c83c1fb76ed971a975
                  • Opcode Fuzzy Hash: 08c3a30f24dc11a13bc3faba9672087fdbeed5f8f879f224a283fe1354831ba7
                  • Instruction Fuzzy Hash: DE41E3B0C00719CFDB24DFAAC884BDEBBB5BF49304F24816AD409AB255DB756945CFA0

                  Control-flow Graph

                  control_flow_graph (rendering omitted): basic blocks c4d6f58 through c4d7036; WriteProcessMemory is called from block c4d6fbe-c4d6ffd
                  APIs
                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0C4D6FF0
                  Memory Dump Source
                  • Source File: 0000000B.00000002.1873367899.000000000C4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C4D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_c4d0000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID: MemoryProcessWrite
                  • String ID:
                  • API String ID: 3559483778-0
                  • Opcode ID: e5627a920414a33ae80b7a8e3264a596aaf938fff0c319129e31072171afceb0
                  • Instruction ID: 86ed00710d99a807f193b8bc9bb88bf1aa7f34c92478ecd76d6da54f4d41101e
                  • Opcode Fuzzy Hash: e5627a920414a33ae80b7a8e3264a596aaf938fff0c319129e31072171afceb0
                  • Instruction Fuzzy Hash: DE217AB19003199FCB10DFA9C881BDEBBF5FF48314F10842AE958A7350C7789944CBA1

                  Control-flow Graph

                  control_flow_graph (rendering omitted): basic blocks c4d6f60 through c4d7036; WriteProcessMemory is called from block c4d6fbe-c4d6ffd
                  APIs
                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0C4D6FF0
                  Memory Dump Source
                  • Source File: 0000000B.00000002.1873367899.000000000C4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C4D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_c4d0000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID: MemoryProcessWrite
                  • String ID:
                  • API String ID: 3559483778-0
                  • Opcode ID: 4e6e7c6a3fe0e2edb6abde070c878c6c7cdda18ea4c879b932eb6905a655caeb
                  • Instruction ID: 0f6711e80d1cfb4d6b58bf6c6bed3d802f691584f695943c7c712cb53320e851
                  • Opcode Fuzzy Hash: 4e6e7c6a3fe0e2edb6abde070c878c6c7cdda18ea4c879b932eb6905a655caeb
                  • Instruction Fuzzy Hash: 2E2139B19003599FCB10DFAAC885BDEBBF5FF48310F10842AE959A7350C7789954CBA5

                  Control-flow Graph

                  control_flow_graph (rendering omitted): basic blocks c4d6dc0 through c4d6e8c; Wow64SetThreadContext is called from block c4d6e23-c4d6e53
                  APIs
                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0C4D6E46
                  Memory Dump Source
                  • Source File: 0000000B.00000002.1873367899.000000000C4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C4D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_c4d0000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID: ContextThreadWow64
                  • String ID:
                  • API String ID: 983334009-0
                  • Opcode ID: e58bb5b6908864118f3fc7e583a39e8237c0a38274afecceed839fa814ca9571
                  • Instruction ID: 71b65c3db6072855f7960248e124f8d40a144f9a68c5487a756b65df848ab19b
                  • Opcode Fuzzy Hash: e58bb5b6908864118f3fc7e583a39e8237c0a38274afecceed839fa814ca9571
                  • Instruction Fuzzy Hash: 3F2139719003099FDB10DFAAC485BEFBFF4EB48314F54842AD559A7241CB78A945CFA4
                  APIs
                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0C4D70D0
                  Memory Dump Source
                  • Source File: 0000000B.00000002.1873367899.000000000C4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C4D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_c4d0000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID: MemoryProcessRead
                  • String ID:
                  • API String ID: 1726664587-0
                  • Opcode ID: 6ec6afee4a484c41b66dbe02e6c66f38dd50e74e9e003005cfb84204b4d261e4
                  • Instruction ID: adfa17927433eb3f560b6d9ec72d4ad83f94b9e6c3f0582b4ba0097591015bef
                  • Opcode Fuzzy Hash: 6ec6afee4a484c41b66dbe02e6c66f38dd50e74e9e003005cfb84204b4d261e4
                  • Instruction Fuzzy Hash: 312148B1C002499FCB10DFAAC881ADEFBF1FF48310F10842AE959A7250C7389945CBA0
                  APIs
                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D8D657
                  Memory Dump Source
                  • Source File: 0000000B.00000002.1838455786.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_d80000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID: DuplicateHandle
                  • String ID:
                  • API String ID: 3793708945-0
                  • Opcode ID: 80e46dd7bd8da1a515e744123e7c5aca7855eb24a0d5131a8abc78ef65e1b5d2
                  • Instruction ID: 1c592b389fa04095db2520900f8309b2e74f6104b6559a5f6019080b566b80ce
                  • Opcode Fuzzy Hash: 80e46dd7bd8da1a515e744123e7c5aca7855eb24a0d5131a8abc78ef65e1b5d2
                  • Instruction Fuzzy Hash: 0821E4B5900258DFDB10DF9AD985AEEBFF5EB48314F14842AE918A3350D378A940CFA4
                  APIs
                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0C4D70D0
                  Memory Dump Source
                  • Source File: 0000000B.00000002.1873367899.000000000C4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C4D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_c4d0000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID: MemoryProcessRead
                  • String ID:
                  • API String ID: 1726664587-0
                  • Opcode ID: 100cba1d78331ac744e431c0e9410af855b1a09a0786e1140228dd5f89d61c98
                  • Instruction ID: 4fd5ff595dc7824f90de19fa92fff0018731fc7757cb004af8dc5f206954e451
                  • Opcode Fuzzy Hash: 100cba1d78331ac744e431c0e9410af855b1a09a0786e1140228dd5f89d61c98
                  • Instruction Fuzzy Hash: 3D2139B1D003599FCB10DFAAC841ADEFBF5FF48310F50842AE558A7250C7789544CBA4
                  APIs
                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0C4D6E46
                  Memory Dump Source
                  • Source File: 0000000B.00000002.1873367899.000000000C4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C4D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_c4d0000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID: ContextThreadWow64
                  • String ID:
                  • API String ID: 983334009-0
                  • Opcode ID: 548c2f1cf5eeb60d2b69129c6b9975042f1cf1f20c3c3d3b04e4ead824ce41b0
                  • Instruction ID: 24ef46d5a06ad85dc369ba0824cbbbf3374c5787385cfa71dd1c4cf0912e6de8
                  • Opcode Fuzzy Hash: 548c2f1cf5eeb60d2b69129c6b9975042f1cf1f20c3c3d3b04e4ead824ce41b0
                  • Instruction Fuzzy Hash: 89213A719003098FDB10DFAAC445BEEBBF4EF48314F14842AD559A7241C778A544CFA4
                  APIs
                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D8D657
                  Memory Dump Source
                  • Source File: 0000000B.00000002.1838455786.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_d80000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID: DuplicateHandle
                  • String ID:
                  • API String ID: 3793708945-0
                  • Opcode ID: 4631bc8b26c9399f0a75056b88c8cca35980e425d611b63d77a692d211f4daba
                  • Instruction ID: 73bd14d948cecb5c1247b8b7cd776cdf7981912ba8d90c386be9ad57a5b4015d
                  • Opcode Fuzzy Hash: 4631bc8b26c9399f0a75056b88c8cca35980e425d611b63d77a692d211f4daba
                  • Instruction Fuzzy Hash: 7421E4B5900208DFDB10CF9AD584ADEBFF5EB48310F14841AE918A3350D374A940CFA4
                  APIs
                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00D8AFB9,00000800,00000000,00000000), ref: 00D8B1CA
                  Memory Dump Source
                  • Source File: 0000000B.00000002.1838455786.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_d80000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID: LibraryLoad
                  • String ID:
                  • API String ID: 1029625771-0
                  • Opcode ID: 6a84e9d3da286edb98c82ca41fd53ac949b87fcd9b37f9d40383a56b68bb155f
                  • Instruction ID: 442cd1820e20847bb0b01ead5ffe77bb482c2d2a8323cf91e41778bc8b63af73
                  • Opcode Fuzzy Hash: 6a84e9d3da286edb98c82ca41fd53ac949b87fcd9b37f9d40383a56b68bb155f
                  • Instruction Fuzzy Hash: 6B2159B6D003098FDB10DF9AC848AEEFBF5EB49320F14842AD419AB310C375A945CFA4
                  APIs
                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0C4D6F0E
                  Memory Dump Source
                  • Source File: 0000000B.00000002.1873367899.000000000C4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C4D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_c4d0000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID: AllocVirtual
                  • String ID:
                  • API String ID: 4275171209-0
                  • Opcode ID: 444609164062d9d998ef98508de8e3b0acd61c5cfbd1c5be7eeb03b9f8c41c42
                  • Instruction ID: ec523e61d483ad59fd06148da5f8d10ea2d60435d94a7698302e121216c0df9f
                  • Opcode Fuzzy Hash: 444609164062d9d998ef98508de8e3b0acd61c5cfbd1c5be7eeb03b9f8c41c42
                  • Instruction Fuzzy Hash: B11159729002489FDB10DFAAC845BDEFFF5EB48324F148819E515A7250CB75A944CFA1
                  APIs
                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00D8AFB9,00000800,00000000,00000000), ref: 00D8B1CA
                  Memory Dump Source
                  • Source File: 0000000B.00000002.1838455786.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_d80000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID: LibraryLoad
                  • String ID:
                  • API String ID: 1029625771-0
                  • Opcode ID: 79fbcdbd50e19248274ac24176e19a83dc7ea5b0c12cda500f7e85c44bf0097c
                  • Instruction ID: 3e2eed590632619d6233edf5643a4b3902f1840a6408e8890b9001da64039dd7
                  • Opcode Fuzzy Hash: 79fbcdbd50e19248274ac24176e19a83dc7ea5b0c12cda500f7e85c44bf0097c
                  • Instruction Fuzzy Hash: 2A11F6B69003099FDB10DF9AD448ADEFBF4EB49320F14842AE559AB210C375A945CFA5
                  APIs
                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0C4D6F0E
                  Memory Dump Source
                  • Source File: 0000000B.00000002.1873367899.000000000C4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C4D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_c4d0000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID: AllocVirtual
                  • String ID:
                  • API String ID: 4275171209-0
                  • Opcode ID: a1aa4731bc46c59542201d8c168c6947938f9c79e9c91c3d2cf7f2968ca20efb
                  • Instruction ID: fc5bb19b7682b783334789e3018c8d4f5a21d4d2314a54c5e2c1d8d41bf0a1b3
                  • Opcode Fuzzy Hash: a1aa4731bc46c59542201d8c168c6947938f9c79e9c91c3d2cf7f2968ca20efb
                  • Instruction Fuzzy Hash: A01156719002488FCB10DFAAC844BDEBFF5EB88324F20881AE519A7250CB75A540CFA1
                  APIs
                  Memory Dump Source
                  • Source File: 0000000B.00000002.1873367899.000000000C4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C4D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_c4d0000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID: ResumeThread
                  • String ID:
                  • API String ID: 947044025-0
                  • Opcode ID: 6dfccb259656338ab59fede2994cd8f54b6592c7a11fa7ae299d599697b4d230
                  • Instruction ID: bdaea0d209e7dc93bbcf465fb0b884b8bcddd9dc2555ed2d4d16ab825b992487
                  • Opcode Fuzzy Hash: 6dfccb259656338ab59fede2994cd8f54b6592c7a11fa7ae299d599697b4d230
                  • Instruction Fuzzy Hash: B8115BB59002498BDB10DFAAC4457DEFFF4EB88324F248829D459A7250CB34A545CFA4
                  APIs
                  Memory Dump Source
                  • Source File: 0000000B.00000002.1873367899.000000000C4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C4D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_c4d0000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID: ResumeThread
                  • String ID:
                  • API String ID: 947044025-0
                  • Opcode ID: bf61d109752829083d7341ea08492939f979925e69760940309c77748be31fa3
                  • Instruction ID: 5a98ce27b8db988c3cf2a55d5c43385533fb82980c17779d6016ace7483eb940
                  • Opcode Fuzzy Hash: bf61d109752829083d7341ea08492939f979925e69760940309c77748be31fa3
                  • Instruction Fuzzy Hash: 8C113AB19002498FDB20DFAAC4457DEFFF5EB88324F24882AD559A7250CB75A544CFA4
                  APIs
                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 0C4DAD75
                  Memory Dump Source
                  • Source File: 0000000B.00000002.1873367899.000000000C4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C4D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_c4d0000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID: MessagePost
                  • String ID:
                  • API String ID: 410705778-0
                  • Opcode ID: b825ac6e1c310d4a5a935f0860a282511a3effe12f5e5d2a10a9b642869fd93a
                  • Instruction ID: 71dbb001e9c2083f66f022b6a5a82928f277852c87b1124397989c6338860a65
                  • Opcode Fuzzy Hash: b825ac6e1c310d4a5a935f0860a282511a3effe12f5e5d2a10a9b642869fd93a
                  • Instruction Fuzzy Hash: B211F5B59003499FDB10DF9AC445BDEBBF8FB48310F20841AE558A7211C375A944CFA1
                  APIs
                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00D8AF3E
                  Memory Dump Source
                  • Source File: 0000000B.00000002.1838455786.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_d80000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID: HandleModule
                  • String ID:
                  • API String ID: 4139908857-0
                  • Opcode ID: 74eeb8610cad1767a99221c4e4af1670ee365d6ca35304557cf6b821bb8c6495
                  • Instruction ID: d4f86943eac09801cb2d404c8651e349d420a84281005d4e5bacd0f16620f3f5
                  • Opcode Fuzzy Hash: 74eeb8610cad1767a99221c4e4af1670ee365d6ca35304557cf6b821bb8c6495
                  • Instruction Fuzzy Hash: C91122B6C003498FDB10DF9AC444ADEFBF4EF88324F14842AE518A7210C379A545CFA1
                  APIs
                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 0C4DAD75
                  Memory Dump Source
                  • Source File: 0000000B.00000002.1873367899.000000000C4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C4D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_c4d0000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID: MessagePost
                  • String ID:
                  • API String ID: 410705778-0
                  • Opcode ID: 6749b1f6ac0736c9f0bbabc4d82494127639936ba19c4868a4c84ad2c6da7214
                  • Instruction ID: 79a02da64462fb8530fbb5ef5628c05f93db415e940f39ee3f7c677390f1aaa9
                  • Opcode Fuzzy Hash: 6749b1f6ac0736c9f0bbabc4d82494127639936ba19c4868a4c84ad2c6da7214
                  • Instruction Fuzzy Hash: 3F1100B5800349CFDB10DF99C545BDEBBF4BB48324F24881AD958A7250C378A984CFA5
                  Memory Dump Source
                  • Source File: 0000000B.00000002.1833593124.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_9ad000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 73fa8483ea76f392a13161b2f6d34c7f3af79be77967d4c435e0906ae34f064f
                  • Instruction ID: 37275e432e491f5ecad42a2433d43761f238d7adf77e29e523b0b4d8ff13c2ef
                  • Opcode Fuzzy Hash: 73fa8483ea76f392a13161b2f6d34c7f3af79be77967d4c435e0906ae34f064f
                  • Instruction Fuzzy Hash: 23212871500204DFDB05DF14D9C4B26BFA9FB99314F20C569D90A4B6A6C33AE856C6E1
                  Memory Dump Source
                  • Source File: 0000000B.00000002.1833687913.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_9bd000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 95246c67a7b5da18d3bac0699d33015ad3c8393a12dac4f9d965aa2ccf24aad2
                  • Instruction ID: 5eff6271012947e322346a8c2fc41a748b55f44844b8e04e1cd5c654d0d9a7a9
                  • Opcode Fuzzy Hash: 95246c67a7b5da18d3bac0699d33015ad3c8393a12dac4f9d965aa2ccf24aad2
                  • Instruction Fuzzy Hash: 0F213471604200DFCB14EF14DAC4B66BFA5FB88324F20C96DD80A4B296D33AD847CA61
                  Memory Dump Source
                  • Source File: 0000000B.00000002.1833687913.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_9bd000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 14e28546ad21586912ab873dae38404080a5c8355eb4eb30b0f04df71d9dc531
                  • Instruction ID: ea93431f941d49b82e0356b533e074c2fcd4ef6085636931c32b94a33f08b7a1
                  • Opcode Fuzzy Hash: 14e28546ad21586912ab873dae38404080a5c8355eb4eb30b0f04df71d9dc531
                  • Instruction Fuzzy Hash: FB212671504284EFDB05DF14DAC0B66BBA5FB84324F20CA6DE8194B296D33AD846CB61
                  Memory Dump Source
                  • Source File: 0000000B.00000002.1833593124.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_9ad000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                  • Instruction ID: b99f834f181d4fdc14fc318b870899bb44c9e8d6191c00ae17c855b7a2f403b5
                  • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                  • Instruction Fuzzy Hash: 3D110676404240CFDB01CF00D5C4B16BFB1FB98314F24C2A9D80A0B666C33AD456CBD1
                  Memory Dump Source
                  • Source File: 0000000B.00000002.1833687913.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_9bd000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                  • Instruction ID: da28b4c941d4d99fa20e95bf7a2a83fcb26e087ebb62c906ca85ddda078d49fc
                  • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                  • Instruction Fuzzy Hash: 1D11BB75504284DFDB02CF10C6C4B55BFA1FB84324F24C6AAD8494B296C33AD80ACB61
                  Memory Dump Source
                  • Source File: 0000000B.00000002.1833687913.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_9bd000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                  • Instruction ID: 6e729ddd3ef9c79037584ceac1ef4ade1cce5fb506a906f5b9ac18e27fb8d419
                  • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                  • Instruction Fuzzy Hash: 0C11DD75504280CFCB11DF14D6C4B56FFA2FB84324F28C6AAD8094B656C33AD80ACBA2
                  Memory Dump Source
                  • Source File: 0000000B.00000002.1833593124.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_9ad000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 70f0af28ee800420779c9393f55b9751701bf42f9e3328da88b3c3e46d84faa3
                  • Instruction ID: e9676184167ed8696896c859c10d08dbb2a99bebbc709debb704f579db1e9fbe
                  • Opcode Fuzzy Hash: 70f0af28ee800420779c9393f55b9751701bf42f9e3328da88b3c3e46d84faa3
                  • Instruction Fuzzy Hash: 6F01DBB100A3409AE7145B26CD84767FFECEF52324F18C92AED0A4A696C779D880C6F1
                  Memory Dump Source
                  • Source File: 0000000B.00000002.1833593124.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_9ad000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 48dd575c5d6c5fe5d312ad6e6034a890bd61d7cb3591706fd85154e0d4515e3c
                  • Instruction ID: f5d513603ccfe0f995d0127bf048d57f0b1150bd8c47b51bdbf5ae17a98061e9
                  • Opcode Fuzzy Hash: 48dd575c5d6c5fe5d312ad6e6034a890bd61d7cb3591706fd85154e0d4515e3c
                  • Instruction Fuzzy Hash: 1CF0C2710053409EE7248A16CC88B62FFACEF52724F18C45AED090A286C2799844CAB0

                  Execution Graph

                  Execution Coverage:8.1%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:0%
                  Total number of Nodes:3
                  Total number of Limit Nodes:0
                  execution_graph (rendering omitted): 8337860 -> 83378a3 (SetThreadToken) -> 83378d1

                  Control-flow Graph

                  control_flow_graph (rendering omitted): basic blocks 42db490 through 42db7f5; block 42db4ae-42db7f5 calls 42dacbc
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: {Y~n^$Y~n^
                  • API String ID: 0-3969927281
                  • Opcode ID: 343c36ef58502042f2ab4db762f416b8e65822776d40247c6160fdd13aaae039
                  • Instruction ID: 7ae4abb1e35f259c5fad40485c1dbb8cf1aac069c806c7f32630c9d6b8028840
                  • Opcode Fuzzy Hash: 343c36ef58502042f2ab4db762f416b8e65822776d40247c6160fdd13aaae039
                  • Instruction Fuzzy Hash: 38911EB1F006555BDB19EFB4C4146AEB6B3EFC4704B00892DD11AAB344DF74A90A8BD6
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1830380411.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_7140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4'^q$4'^q$J*l$J*l$J*l$J*l$J*l$J*l$r)l$r)l
                  • API String ID: 0-2695109752
                  • Opcode ID: 2a030448cb81ddf4a49ee22e3de54c39ca8862ac64e6b1720007a823514586ea
                  • Instruction ID: 4194bd0c5fe788f01616911220dba4f44335778d215c282de8f91af2a482e9f4
                  • Opcode Fuzzy Hash: 2a030448cb81ddf4a49ee22e3de54c39ca8862ac64e6b1720007a823514586ea
                  • Instruction Fuzzy Hash: BF2208B1B0030A9FCB159F6988517AABBE6BF89310F14807AF905DB291DB35DC85C7A1

                  Control-flow Graph

                  control_flow_graph (rendering omitted): basic blocks 8337858 through 83378f5; SetThreadToken is called from block 83378a3-83378cf
                  APIs
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1833962002.0000000008330000.00000040.00000800.00020000.00000000.sdmp, Offset: 08330000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_8330000_powershell.jbxd
                  Similarity
                  • API ID: ThreadToken
                  • String ID:
                  • API String ID: 3254676861-0
                  • Opcode ID: 631739abaadc67cb0c48576aec114905b7c4556d88821b8b3a86ee41151a43a1
                  • Instruction ID: 09c2f63d3752ef48994f51254eb219abd80be39be983fbfba36866a42f4306a0
                  • Opcode Fuzzy Hash: 631739abaadc67cb0c48576aec114905b7c4556d88821b8b3a86ee41151a43a1
                  • Instruction Fuzzy Hash: DD1143B59003498FCB10CFAAC584ADEFFF4EF88320F24846AD459A7220C774A944CFA1

                  Control-flow Graph

                  control_flow_graph (rendering omitted): basic blocks 8337860 through 83378f5; SetThreadToken is called from block 8337860-83378cf
                  APIs
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1833962002.0000000008330000.00000040.00000800.00020000.00000000.sdmp, Offset: 08330000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_8330000_powershell.jbxd
                  Similarity
                  • API ID: ThreadToken
                  • String ID:
                  • API String ID: 3254676861-0
                  • Opcode ID: 04e7c503eee69491728e2bdc45066fca7a1e1ca6370e0dfd31cca827f42d4afb
                  • Instruction ID: 3661a8e4c23d8b3aed4a30a089d99af777d5cc1c57a5c34377aae020c7fa75bc
                  • Opcode Fuzzy Hash: 04e7c503eee69491728e2bdc45066fca7a1e1ca6370e0dfd31cca827f42d4afb
                  • Instruction Fuzzy Hash: 641125B59003598FCB10DF9AC544B9EFBF8EB88320F148429D559A7210C774A944CFA1

                  Control-flow Graph

                  control_flow_graph (rendering omitted): basic blocks 42de5b9 through 42de75f; block 42de6d5 calls 42de7a8 or 42de7b8
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: J*l
                  • API String ID: 0-2101209147
                  • Opcode ID: 8ced43c539dfba3b78df97282e75e5234211f398ddf64d1068b694fb024cd555
                  • Instruction ID: 0f28c2477b78fa89934b07c3227e56847ea1fecdbfe5e52a3078e9c53e066e5e
                  • Opcode Fuzzy Hash: 8ced43c539dfba3b78df97282e75e5234211f398ddf64d1068b694fb024cd555
                  • Instruction Fuzzy Hash: 774188B0E006099FCB15DFB9D954A9DBBF2EF99300F1081A9D416AB390DB35AD49CF90

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 432 42d6fe0-42d6fff 433 42d7105-42d7143 432->433 434 42d7005-42d7008 432->434 461 42d700a call 42d767c 434->461 462 42d700a call 42d7697 434->462 436 42d7010-42d7022 437 42d702e-42d7043 436->437 438 42d7024 436->438 444 42d70ce-42d70e7 437->444 445 42d7049-42d7059 437->445 438->437 450 42d70e9 444->450 451 42d70f2 444->451 446 42d705b 445->446 447 42d7065-42d7073 call 42dbf10 445->447 446->447 453 42d7079-42d707d 447->453 450->451 451->433 454 42d70bd-42d70c8 453->454 455 42d707f-42d708f 453->455 454->444 454->445 456 42d70ab-42d70b5 455->456 457 42d7091-42d70a9 455->457 456->454 457->454 461->436 462->436
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: (bq
                  • API String ID: 0-149360118
                  • Opcode ID: a5ebf24a0ae68e80fd7f2b9cae4db61c166b0cd40fbc49c4beeb2e92b8999e99
                  • Instruction ID: d5d9855bc837418452d269b8c7b2280990e773024f74bcba4cb17a2dc9a890e8
                  • Opcode Fuzzy Hash: a5ebf24a0ae68e80fd7f2b9cae4db61c166b0cd40fbc49c4beeb2e92b8999e99
                  • Instruction Fuzzy Hash: A5412B34B142158FCB14DFA9C464AAABBF2EF8D311F1440A9E402AB391DA39EC41CB64

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 463 42de610-42de630 465 42de693-42de6b6 463->465 466 42de632-42de689 463->466 473 42de6bc-42de6d3 465->473 474 42de73a-42de753 465->474 466->465 488 42de6d5 call 42de7a8 473->488 489 42de6d5 call 42de7b8 473->489 476 42de75e 474->476 477 42de755 474->477 480 42de75f 476->480 477->476 479 42de6db-42de738 479->473 479->474 480->480 488->479 489->479
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: J*l
                  • API String ID: 0-2101209147
                  • Opcode ID: b6d42878ddb73acc14d2f363ad2bd8bf09e149b29f72e5c77db98a6c9571de42
                  • Instruction ID: ad49d861cf1b7f0f40afc045d11fe657feb233eb40515e39a5f334ec7a5c4610
                  • Opcode Fuzzy Hash: b6d42878ddb73acc14d2f363ad2bd8bf09e149b29f72e5c77db98a6c9571de42
                  • Instruction Fuzzy Hash: 4341ABB0A006068FCB11DF79D954A9EBBF2FF59300F1481A9D406AB391DB75AC45CB90

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 490 42de640-42de6b6 497 42de6bc-42de6d3 490->497 498 42de73a-42de753 490->498 512 42de6d5 call 42de7a8 497->512 513 42de6d5 call 42de7b8 497->513 500 42de75e 498->500 501 42de755 498->501 504 42de75f 500->504 501->500 503 42de6db-42de738 503->497 503->498 504->504 512->503 513->503
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: J*l
                  • API String ID: 0-2101209147
                  • Opcode ID: 6c932ba78c0391b55209e8f415c9b6a256651c860218e3d4072f9cad6485b693
                  • Instruction ID: 9653edb68fb3048765274bbc219cabb5a9688f855816551060d1a246bc810e57
                  • Opcode Fuzzy Hash: 6c932ba78c0391b55209e8f415c9b6a256651c860218e3d4072f9cad6485b693
                  • Instruction Fuzzy Hash: 89313474A00605DFCB15DF6AD994A9EBBF2FF88300F108568E416AB394DB35AD45CB90

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 514 42daf98-42dafa1 call 42da984 516 42dafa6-42dafaa 514->516 517 42dafac-42dafb9 516->517 518 42dafba-42db055 516->518 525 42db05e-42db07b 518->525 526 42db057-42db05d 518->526 526->525
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: (&^q
                  • API String ID: 0-2067289071
                  • Opcode ID: f029e8391cb086f437e7342584a69e0144864a086af6a6f0d24ccc7a3238e9db
                  • Instruction ID: d23727a44ca8be6d2518a8e294741ec6b44a638e23cd6f7cb1c778fee8a6f242
                  • Opcode Fuzzy Hash: f029e8391cb086f437e7342584a69e0144864a086af6a6f0d24ccc7a3238e9db
                  • Instruction Fuzzy Hash: 3421BD71A002588FCB14DFAED414B9EBFF5EF89320F14846AD519E7340CA75A805CFA5

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 529 42ddc88-42ddc94 530 42ddd0d-42dde36 529->530 531 42ddc96-42ddcad 529->531 536 42ddcaf 531->536 537 42ddcb6-42ddcc8 531->537 536->537 540 42ddcca call 42ddcd9 537->540 541 42ddcca call 42ddc88 537->541 542 42ddcca call 42ddce8 537->542 539 42ddcd0-42ddcd3 540->539 541->539 542->539
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: +/~n^
                  • API String ID: 0-674826683
                  • Opcode ID: 2fe00ab6b6ee5356cd9fcd201148ef2883b4f2d768499aa6a6b2d5ff1d633447
                  • Instruction ID: 64b0651637fe3cc5071ab8ab6065c0a18f3168bc6d851e8e85e3515bf7dfb472
                  • Opcode Fuzzy Hash: 2fe00ab6b6ee5356cd9fcd201148ef2883b4f2d768499aa6a6b2d5ff1d633447
                  • Instruction Fuzzy Hash: 17F027727B5A145F87069A6DE8108EE7BAADEC627130100BBE159C7240EAA1E90483E1

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 543 42ddc98-42ddcad 545 42ddcaf 543->545 546 42ddcb6 543->546 545->546 547 42ddcbe-42ddcc8 546->547 549 42ddcca call 42ddcd9 547->549 550 42ddcca call 42ddc88 547->550 551 42ddcca call 42ddce8 547->551 548 42ddcd0-42ddcd3 549->548 550->548 551->548
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: +/~n^
                  • API String ID: 0-674826683
                  • Opcode ID: 3a67ac32d06c29c09d8072e678b396b7d8244cc18c3b23cf8375bf5a91c21c17
                  • Instruction ID: aa90aaa9ff9fed536a001f8660d3d7afac98fbb126d577ecf671bf11e17558e0
                  • Opcode Fuzzy Hash: 3a67ac32d06c29c09d8072e678b396b7d8244cc18c3b23cf8375bf5a91c21c17
                  • Instruction Fuzzy Hash: 87E0C231790A140B8312AA2EA81089FB7EBDFC4671350446EE129C7340DFA4EC0547D5

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 811 42de7b8-42de7d8 812 42de7da-42de7dc 811->812 813 42de7e1-42de7ee 811->813 814 42deb41-42deb48 812->814 816 42de7f0-42de801 813->816 818 42de803-42de825 call 42d014c 816->818 823 42de988-42de99f 818->823 824 42de82b 818->824 830 42dea7b-42dea87 823->830 831 42de9a5 823->831 825 42de82d-42de83e 824->825 828 42de840-42de842 825->828 832 42de85c-42de8e5 828->832 833 42de844-42de84a 828->833 839 42dea8d-42deaa4 830->839 840 42deb39 830->840 836 42de9a7-42de9b8 831->836 861 42de8ec-42de921 832->861 862 42de8e7 832->862 834 42de84c 833->834 835 42de84e-42de85a 833->835 834->832 835->832 843 42de9ba-42de9bc 836->843 839->840 853 42deaaa 839->853 840->814 846 42de9be-42de9c4 843->846 847 42de9d6-42dea0e 843->847 848 42de9c8-42de9d4 846->848 849 42de9c6 846->849 863 42dea15-42dea4a 847->863 864 42dea10 847->864 848->847 849->847 856 42deaac-42deabd 853->856 865 42deabf-42deac1 856->865 878 42de92b 861->878 879 42de923 861->879 862->861 881 42dea4c 863->881 882 42dea54 863->882 864->863 867 42deadb-42deb09 865->867 868 42deac3-42deac9 865->868 885 42deb0b-42deb16 867->885 886 42deb35-42deb37 867->886 870 42deacd-42dead9 868->870 871 42deacb 868->871 870->867 871->867 878->823 879->878 881->882 882->830 891 42deb19 call 42de92e 885->891 892 42deb19 call 42de7a8 885->892 893 42deb19 call 42de7b8 885->893 894 42deb19 call 42dea57 885->894 886->814 888 42deb1f-42deb33 888->885 888->886 891->888 892->888 893->888 894->888
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c4b8cd1cdc5fe12b7f1212a43ed66eccc2dc9e3a6d1e99938a99c872fce4f3d8
                  • Instruction ID: a172514656d15a111a1b9dc04d8e8effe7fcb5a0ef1a1a9531c2b63d5a95e818
                  • Opcode Fuzzy Hash: c4b8cd1cdc5fe12b7f1212a43ed66eccc2dc9e3a6d1e99938a99c872fce4f3d8
                  • Instruction Fuzzy Hash: D5916C34B2061A8FCB14DF79C55456EBBE6BF88710F15406AE806EB364EE71EC42CB91
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a0641267003a740706ef22263910b3f66becc8eb902e5f3babe9a5a13c77d730
                  • Instruction ID: 3dad51f02a5bf8aa300f67abe8a55d1ae25908a839c39f1c9035372fb0bc01f4
                  • Opcode Fuzzy Hash: a0641267003a740706ef22263910b3f66becc8eb902e5f3babe9a5a13c77d730
                  • Instruction Fuzzy Hash: 50916974A00245CFCB15CF58C494AAAFBB1FF88310B258699E815AB3A5C735FC51CBA0
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1830380411.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_7140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1b04823d6480edd37ff19fc8798c3e1d97a0d82aa5ca1de0db0228eb35726b76
                  • Instruction ID: 5044198a7da89dac7f33b37d7878ac35a90513a8d39164d47cfbd55f23fb397f
                  • Opcode Fuzzy Hash: 1b04823d6480edd37ff19fc8798c3e1d97a0d82aa5ca1de0db0228eb35726b76
                  • Instruction Fuzzy Hash: 6C511DB1B00215CFCF169B79C91156BBBA2AF82214F1484A6D925FF3D2DB31DC45C7A2
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a4ccece3119d295c835eb7a123a78659829fd89ed0a785a735660dfb22b6edae
                  • Instruction ID: 2f436a42f2c2fae3fa0403340fb4bafe71abb3fada757b2ea78720daa1e353cb
                  • Opcode Fuzzy Hash: a4ccece3119d295c835eb7a123a78659829fd89ed0a785a735660dfb22b6edae
                  • Instruction Fuzzy Hash: 0A51B1357142059FD704DB79D844A2ABBEAEFC9314F1585BAE409CB351EB39EC01CBA0
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e337bc1e3ecd5a9fd9d84369db00b88830bc597df0e1d2230c61e7bebf21d79b
                  • Instruction ID: 0544d9c784f744b96e445bd2473688290849633709a3bc049d9bc0a4fd569f61
                  • Opcode Fuzzy Hash: e337bc1e3ecd5a9fd9d84369db00b88830bc597df0e1d2230c61e7bebf21d79b
                  • Instruction Fuzzy Hash: 1A611571E002499FCB14CFA9C594B9DFBF1FF88310F198169E819AB354EB74A881CB50
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 98e00024662a0932f2d21bf10b6d801dbaa8c685ce08ae7e7c59383adb4cde98
                  • Instruction ID: 3728c10c29af11b8025b343598afd1b80b89735b740e818dadb00d3cb1d2ab4c
                  • Opcode Fuzzy Hash: 98e00024662a0932f2d21bf10b6d801dbaa8c685ce08ae7e7c59383adb4cde98
                  • Instruction Fuzzy Hash: 175105B1E002489FCB14CFA9D594A9DFFF5FF88310F198069E819AB364EB74A845CB51
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e1aa1f579c110adb3992c1ebb032c51d48acef5fd1dd5731a9cf7c4924647b87
                  • Instruction ID: 13bcc63eff7cfb19b23d6229588fb6d7a7f03110dec5f79270ca9dac86065d58
                  • Opcode Fuzzy Hash: e1aa1f579c110adb3992c1ebb032c51d48acef5fd1dd5731a9cf7c4924647b87
                  • Instruction Fuzzy Hash: 9351B3B4B106068FCB10DF6CC59496EBBE6EF88354B158469F459CF365EB74EC018B80
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a7a4fdcc814354406e57aebcc31d8c805714dca67da07da9f6b1d932313ad0e0
                  • Instruction ID: 4e78173f3a964aed574b8b784b8aeb65ddf898a019950e6bb2098c616eba00d1
                  • Opcode Fuzzy Hash: a7a4fdcc814354406e57aebcc31d8c805714dca67da07da9f6b1d932313ad0e0
                  • Instruction Fuzzy Hash: 664150B4B106068FCB10DF6CC69496EBBE6EF88354B158469F549DF325EB74EC018B90
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1830380411.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_7140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 27ed0d1de7c4774c1da8e48533afc1c71425388ebd329a63ac55848060fd2026
                  • Instruction ID: 3714cda7f9240b5f816de5ad374e665eddccf20a6063fabab5b7e0f7679cdc25
                  • Opcode Fuzzy Hash: 27ed0d1de7c4774c1da8e48533afc1c71425388ebd329a63ac55848060fd2026
                  • Instruction Fuzzy Hash: 234139F0A01206DFCF2ADB25C501A6BBBB2AF81254F5540A5D924BF3E2D731DC45C7A5
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 83283bc04c73dc5b4d9117ff346da8f26675a8faac4d26e853ce5dc151ece653
                  • Instruction ID: c7cb23b7645910704b9a4fa0d26f3adf2018f4a278cf27049c67419dcd6df708
                  • Opcode Fuzzy Hash: 83283bc04c73dc5b4d9117ff346da8f26675a8faac4d26e853ce5dc151ece653
                  • Instruction Fuzzy Hash: 5B4138B4A10505DFCB05CF58C198AAAFBB5FF48310B218699D815AB364C736FD51CFA0
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6155061cf198f3dc2eb546b7fee34afe096eb36c9ddeabd1b58dbde4ee45adf9
                  • Instruction ID: b1324db4429fc330be175d8f3295d069fd54365840149bfce25a569f6673426b
                  • Opcode Fuzzy Hash: 6155061cf198f3dc2eb546b7fee34afe096eb36c9ddeabd1b58dbde4ee45adf9
                  • Instruction Fuzzy Hash: EC3189353006019FC705EB79E844BAAF7A6EFC5320F008639E50ACB3A4DB74E849CB91
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 17ca9ada14ef240c163fddf98ee34cafc41b094532c36338bc9ff01cc65f6939
                  • Instruction ID: 2d76d2ce1b55ce0945e31f82ab1cc07bef1fbde2467494449b79830d787c4e26
                  • Opcode Fuzzy Hash: 17ca9ada14ef240c163fddf98ee34cafc41b094532c36338bc9ff01cc65f6939
                  • Instruction Fuzzy Hash: 8C313E34B142558FCB14CFA9D5589AEBBF1AF8D315F1480A9E402AB391DB35EC41CB60
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 34246e1f4847510c409cfbfbe258ac64f62610c4a9bc257969b3cad115fe68bd
                  • Instruction ID: d595fdd0c5cb185fb17fa361db51d5cdaa797f5cf9fe8963952d762bda3eb86b
                  • Opcode Fuzzy Hash: 34246e1f4847510c409cfbfbe258ac64f62610c4a9bc257969b3cad115fe68bd
                  • Instruction Fuzzy Hash: 62318FB0B106099FDB08DFA9D494BAEBBF6EF88310F048069E405E7354EB759C418B91
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 306d4666f5c050e34649f980745356d60c41237e00a1a5af2048eef2c7d5d8e2
                  • Instruction ID: a3d40b0503670c8d7aed5a431cd6ec581f58fac502818a11842982fc2c399653
                  • Opcode Fuzzy Hash: 306d4666f5c050e34649f980745356d60c41237e00a1a5af2048eef2c7d5d8e2
                  • Instruction Fuzzy Hash: 26319CB4E002099FDB04EFA4D855AEFBBB6EFC4300F1184B9D104AB395DA399D418FA5
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6cbbb16f88385d960dbf561a8aa332749bab942c645eb896d3c65e258d5febfe
                  • Instruction ID: fa9bb2e8f7a56095a9f0885587e5afdcaf00ed98cc82721a3db20be6e4b9a54f
                  • Opcode Fuzzy Hash: 6cbbb16f88385d960dbf561a8aa332749bab942c645eb896d3c65e258d5febfe
                  • Instruction Fuzzy Hash: 3D316674B006058FCB14DF69D458A9EBBF6EF88320F248569D406EB3A0CB75AC81CB94
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f98fa5606fc3c8f2047bf053eca2f938d70ae9c9da0c67fb79aa8b9cb91576db
                  • Instruction ID: e6504ef7b83bc55e16b7be278129951db43d03ebe9ecc5b56f08e70959d2c24c
                  • Opcode Fuzzy Hash: f98fa5606fc3c8f2047bf053eca2f938d70ae9c9da0c67fb79aa8b9cb91576db
                  • Instruction Fuzzy Hash: EA318C70B102099FDB08DFADC594BAEBBF6AF88310F148069E405EB354EB759C41CBA1
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 66fdeff292166c1d10574c7a396a179d40a85bd09855d0852d8759d1d1b64c94
                  • Instruction ID: 39894a24e4559600ce727702eaeb2d4a896f0557f235806975108996490b4b6f
                  • Opcode Fuzzy Hash: 66fdeff292166c1d10574c7a396a179d40a85bd09855d0852d8759d1d1b64c94
                  • Instruction Fuzzy Hash: 1A318DB5A117449FDB60CF6AD0883CAFFF2EF88320F28C42AE44D97215D6746481CB65
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ac046de38b8747ce350051430298bd70ca0428ae5ea9cf78ad079f4d14570ea3
                  • Instruction ID: b0e8999abb150b42b63431c99bde56d3a0645834330397ce6e937a93597968cd
                  • Opcode Fuzzy Hash: ac046de38b8747ce350051430298bd70ca0428ae5ea9cf78ad079f4d14570ea3
                  • Instruction Fuzzy Hash: D6315CB4F002099FDB04EFA4D855AAEB7B3EFC4300F1184B8D115AB394DA39AD418F95
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 92024137a29a3639b04d32d84e5047f25d166b68d20762b8ad967a89b16e21a5
                  • Instruction ID: 869849bcd16b36463be1cefb00502ff5aa6ba0e5d0692d2e14d0ee3bacf96361
                  • Opcode Fuzzy Hash: 92024137a29a3639b04d32d84e5047f25d166b68d20762b8ad967a89b16e21a5
                  • Instruction Fuzzy Hash: F6312374B006058FCB14DF69D458AAEBBF6EF8C320F148569D406EB3A0DB75AC81CB94
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1803471616.000000000297D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0297D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_297d000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 887a3c4e6807f84cbfbf6693faccc3041bb06f327833136b1c2767dbca586a9d
                  • Instruction ID: ed90dc9bfd7a41b9a3a658a20d132ca5634bdf862de262c25cd3796a2239f34b
                  • Opcode Fuzzy Hash: 887a3c4e6807f84cbfbf6693faccc3041bb06f327833136b1c2767dbca586a9d
                  • Instruction Fuzzy Hash: AC21F172604200EFDF05DF14D9C8B26BFA5FB88314F24C9B9E90D5A656C33AD456CBA1
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1803471616.000000000297D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0297D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_297d000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 884301eb4b2aa591985a2bf31b24ebf86b215c3f7d3a786d8d082596a98b643b
                  • Instruction ID: 82a8c7f8e315e4e89143fc28ea6225cf808056ccc62d16cfd0738fa5cca4a887
                  • Opcode Fuzzy Hash: 884301eb4b2aa591985a2bf31b24ebf86b215c3f7d3a786d8d082596a98b643b
                  • Instruction Fuzzy Hash: 4D216875504200DFDB10DF24C9C0B26BFA5FB94324F20C9ADD80A5B756C33AD446CB61
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: bd754f76578f013e234544509cafe45d3fd594cf97ab8b38ea05b79744d10890
                  • Instruction ID: 57e920ef9ea8233cb880088dbee07ac53424bbb375616ff4b6b4a8245a18b345
                  • Opcode Fuzzy Hash: bd754f76578f013e234544509cafe45d3fd594cf97ab8b38ea05b79744d10890
                  • Instruction Fuzzy Hash: E5216BB0A117448EDB60CF6AC08878AFBF6EF88320F28C429E45D97245D6746481CB61
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b57994ffe1b82c37f3981b0acf7de723a70c512525e3c6b01247c0fc75c6d763
                  • Instruction ID: e130ca152ac2a9e59f11cb1304165fd50c38cbcae1d536f43daa6075e1d6144e
                  • Opcode Fuzzy Hash: b57994ffe1b82c37f3981b0acf7de723a70c512525e3c6b01247c0fc75c6d763
                  • Instruction Fuzzy Hash: FB112B35B001198FCB04DBACE94499DBBF6EBC8315B0440A5E509EB325DA39EC11CB90
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 342404e698871338b30a755325779aed0220397969a54b1c873e1fb53d454af4
                  • Instruction ID: ed1161dc412dfe741244b1de934c845aa4d3b7b68d356e737b07e3144c71baaf
                  • Opcode Fuzzy Hash: 342404e698871338b30a755325779aed0220397969a54b1c873e1fb53d454af4
                  • Instruction Fuzzy Hash: C5118CB19017898EDB11CF9AC9047EEFFF4AB49324F18805ED448AB241D339A584CBA5
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 76aab0d5fd26c047253f689a47bf0f544d1b255f2429caa3e780c9459eab0a9c
                  • Instruction ID: 9ba419f16e962cd127b13e7c566749a3a1c3a99b19029d7971b16304c1c4a524
                  • Opcode Fuzzy Hash: 76aab0d5fd26c047253f689a47bf0f544d1b255f2429caa3e780c9459eab0a9c
                  • Instruction Fuzzy Hash: AD114876B305449BCB059A78E8144FCBBA6DFD8231F04847AD486C7351DAB1A801C7A1
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1803471616.000000000297D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0297D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_297d000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
                  • Instruction ID: 1e18d2c364a5b57a858de3921de2e98c5cb4d94ea06bc474d9dbffc6f2d891cc
                  • Opcode Fuzzy Hash: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
                  • Instruction Fuzzy Hash: 31219D76504240DFCF06CF14D9C4B16BF72FB88314F24C5A9D9494A656C33AD46ACB91
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1803471616.000000000297D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0297D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_297d000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
                  • Instruction ID: 54c30b3a6f9e74781fe4be30fe8bec7b75d0651041d133b4bdd0e0acd73eb5a3
                  • Opcode Fuzzy Hash: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
                  • Instruction Fuzzy Hash: C611DD76504280CFCB11CF14D5C4B15BFA1FB84328F28C6AAD8094BB56C33AD44ACB61
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3267e0a0304c02137a2a6863e10a747045e4ce470fc00b008c1f113a12d28d97
                  • Instruction ID: 3610495169b6e667ad1454655b766a7327c4089ab25463f819044c6373c88963
                  • Opcode Fuzzy Hash: 3267e0a0304c02137a2a6863e10a747045e4ce470fc00b008c1f113a12d28d97
                  • Instruction Fuzzy Hash: CB1136B1A1074A8FDB50CF9AC504BAEFBF4EB48324F28806DD548AB241D779E544CBA5
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d22772e8afcb106115bfb256cbc311ea719b591b293bfad0bbbadc0476c5b50c
                  • Instruction ID: a98a41a8503fc1d58432e44f4cba258bf402a39a6b6dd614d175900a2f66ea28
                  • Opcode Fuzzy Hash: d22772e8afcb106115bfb256cbc311ea719b591b293bfad0bbbadc0476c5b50c
                  • Instruction Fuzzy Hash: AF01D2316083448FD718CF75D4A8A5A7FF1AF45210B1484EED08AC76A2CA31FC41C700
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8ec64af15103d707e38a4d37323ce751f14648ccbe603d76530d36897f4c0ff9
                  • Instruction ID: eea737d782db700604360bc44b89054ac4f4b5a03e664009c819c2a7c1dca903
                  • Opcode Fuzzy Hash: 8ec64af15103d707e38a4d37323ce751f14648ccbe603d76530d36897f4c0ff9
                  • Instruction Fuzzy Hash: 6601B53AB00614DFCB129F74E8096AEBBF5FB89325F00446DE51AD3341DB35A911CB90
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0596acdac6bd751ad91460392901e54f797010e08f3732dd70083e1fa0f2e6e8
                  • Instruction ID: a41144b4753b17284f9caf48d7072749c265138b438f64832e8538e345b56d61
                  • Opcode Fuzzy Hash: 0596acdac6bd751ad91460392901e54f797010e08f3732dd70083e1fa0f2e6e8
                  • Instruction Fuzzy Hash: AAF028B13093961FD3014AB99C509A7BFECDF9662070540BBF840C7352CAB5CD008760
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1803471616.000000000297D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0297D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_297d000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d0365e4231a581c91e043190eca8abad2e63ae369b00d823c8ad7b87814e58f2
                  • Instruction ID: ce5338a95d6bba1da522dc7359c37cda9c8ac0b119f6eddbfab038580fddfc73
                  • Opcode Fuzzy Hash: d0365e4231a581c91e043190eca8abad2e63ae369b00d823c8ad7b87814e58f2
                  • Instruction Fuzzy Hash: 1D01D671509340DAE7108A29CD84B67BF9CEF81334F1CC92AED494B246C779D941C6B1
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1803471616.000000000297D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0297D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_297d000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cc852ff51188236b8b0618738beb7969b2042149d252d325799a44b3832d7956
                  • Instruction ID: 88790c7972ab4ed4e62eadd09e2d69eebf382a43cae0120028707c5e4d628725
                  • Opcode Fuzzy Hash: cc852ff51188236b8b0618738beb7969b2042149d252d325799a44b3832d7956
                  • Instruction Fuzzy Hash: 08014C6210E3C09ED7128B258894B56BFB8EF53224F1D80CBD9888F1A7C3699849C772
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ad15e44c09dfe48574b6c9f4d47ca6c11b97e547f41da436b764601d499a514d
                  • Instruction ID: d361175e2150f259d56f72ca53dbaada1dbb13cf74b94e690a2f2fb653fb71a2
                  • Opcode Fuzzy Hash: ad15e44c09dfe48574b6c9f4d47ca6c11b97e547f41da436b764601d499a514d
                  • Instruction Fuzzy Hash: 200116B1D1074ADBCB44CFE4C9546EDBBB1FFA9310F10472AE106B6604EBB02686CB80
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8efad86c7117b6c805186b28d0c088e0cbbe45acfa03365242dc3a1465941db1
                  • Instruction ID: 30b6402d62595a66acf3acf1a9111db92a0804729e0a48de41c558334116c829
                  • Opcode Fuzzy Hash: 8efad86c7117b6c805186b28d0c088e0cbbe45acfa03365242dc3a1465941db1
                  • Instruction Fuzzy Hash: BCF07DB56082446FD305A77494197E77BB5CFC1318F0480BBC40957781CD392906C7E2
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 31d5027dc90b41c241959100fa92c2a1fa07e9c677d3104de93238dc82e382b2
                  • Instruction ID: 2bdfee68597400aac86e4547bae46920804746dfb88a776f7a0a22db08cd71a6
                  • Opcode Fuzzy Hash: 31d5027dc90b41c241959100fa92c2a1fa07e9c677d3104de93238dc82e382b2
                  • Instruction Fuzzy Hash: 63F0F6313067505FC7118B689844AEFBBE5EF8A221704459EE04AD7251CF34AD49C7A1
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4f79c0e502720af7700ffb2217297f80883bb90970447f816b06ae5030c09215
                  • Instruction ID: 9fc4d6a84ad8677db68c5dc249049304315d595c2b8b637418c671a9ccb154df
                  • Opcode Fuzzy Hash: 4f79c0e502720af7700ffb2217297f80883bb90970447f816b06ae5030c09215
                  • Instruction Fuzzy Hash: 15011630204B908FC738CF35C09086ABBF6AF8530576489ADD48A8B790CB35F946CF50
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1803471616.000000000297D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0297D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_297d000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a43f533f54f46e630a975181b35b0ab63ea7353e05c458184c8b940934bfb661
                  • Instruction ID: fe136cf4137694251d0d5ea72f5f813d7c6aebfa8f1d5fbc609bb40a9aa92c21
                  • Opcode Fuzzy Hash: a43f533f54f46e630a975181b35b0ab63ea7353e05c458184c8b940934bfb661
                  • Instruction Fuzzy Hash: FAF0FF76200600AF97108F0AD984C23FBADEFD4770715C55AE84A4B615C771EC42CEB0
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3c72831860c5cac72edaad51693238e010ec51f985297ed1a8ebc31c42a49a29
                  • Instruction ID: 2c88cf84717a5fa794343e134bd943bb501df2a9abfbadeb93ad3809f565b1fe
                  • Opcode Fuzzy Hash: 3c72831860c5cac72edaad51693238e010ec51f985297ed1a8ebc31c42a49a29
                  • Instruction Fuzzy Hash: EAF0BEB59053008FC7618FB8D8A93DABBE5EB01320F00846AE18DC7281CB3968858BA1
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 95eac27d4e0c1783e45988eddb6edeaa27307e237e1a339a69d04a05bf0a747e
                  • Instruction ID: b30d789d2669e2428f5c444439ff3cd405bdece66d32403a7d598b682ff6608f
                  • Opcode Fuzzy Hash: 95eac27d4e0c1783e45988eddb6edeaa27307e237e1a339a69d04a05bf0a747e
                  • Instruction Fuzzy Hash: E1F082353546414FC7019F1DD454C66BBFA9FCA615319009AE585DB732DA61DC01CB90
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b7ad25f65c1b88f0f89649b816970c0d2361cc885f5e1a140b4ba43cea161069
                  • Instruction ID: d2d0730ce77abd07d167081a465de9e555bc2302fdad2db75f57e701cf1f2245
                  • Opcode Fuzzy Hash: b7ad25f65c1b88f0f89649b816970c0d2361cc885f5e1a140b4ba43cea161069
                  • Instruction Fuzzy Hash: 5201E4B1D1075ADBCB04DFE4C9446EDBBB1FF99300F10472AE106B6604EBB06686CB80
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f465fb91ecdbf14a24a0c7f17f7bcef2a82514d9b7bfe121147c662374f55ec8
                  • Instruction ID: 544af67f6daade6476d34650be336612c06b514a47e713eee419cdf477704ac5
                  • Opcode Fuzzy Hash: f465fb91ecdbf14a24a0c7f17f7bcef2a82514d9b7bfe121147c662374f55ec8
                  • Instruction Fuzzy Hash: BFF0A73A7083905BCB0B2775A8592ED3F65ABC5334F050167E60587381CE6D590983F6
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: af225127ad9ef3ad8ee60d7ded59a610b374aff979e782537b61aef530b24414
                  • Instruction ID: dfed75f3bbdcf18ad52053966b63ed8ffbb48056da4e0a0a23b9d6b07c3acefa
                  • Opcode Fuzzy Hash: af225127ad9ef3ad8ee60d7ded59a610b374aff979e782537b61aef530b24414
                  • Instruction Fuzzy Hash: EDF0A7317007149FC7149A59D844AAFB7EAEFC9261B00452DE10AD3340DF70AD4187B4
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1803471616.000000000297D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0297D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_297d000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 905bb9b47d6b2efa97d8b6a449a51d8b0f3fb20b75f461c7d692f2a240ce2fb5
                  • Instruction ID: ed6c4722c1f73fc510d24b5e7773731fa738192249c928e469b2e9fb4c9732f2
                  • Opcode Fuzzy Hash: 905bb9b47d6b2efa97d8b6a449a51d8b0f3fb20b75f461c7d692f2a240ce2fb5
                  • Instruction Fuzzy Hash: 54F0F9B5100680AFD725CF06C984D23BBB9EF85624B198499E84A5B716C731FC42CF60
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 57dd12e23d1f12c7f0527d78663cb549cb5b11420e69a65bd1b3f21bc85c8e11
                  • Instruction ID: c0353a5f8c667168fbce25c4646495b186fb6ef7b4581fdc9e0f0a358db5eea1
                  • Opcode Fuzzy Hash: 57dd12e23d1f12c7f0527d78663cb549cb5b11420e69a65bd1b3f21bc85c8e11
                  • Instruction Fuzzy Hash: 2DF0A0397101098FCB00DB6CDC00A9A7BA2EFC87517054195E409CB325EE38DC028BD1
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 90005ac0d7ac881765ae8bbab5c85c3fe8b7017f830f53ac0962f52d22643545
                  • Instruction ID: 528a2b25cb8a22dcef2d5bdcc98141439ab6404ed9d3f9322ec1b6e566e367a7
                  • Opcode Fuzzy Hash: 90005ac0d7ac881765ae8bbab5c85c3fe8b7017f830f53ac0962f52d22643545
                  • Instruction Fuzzy Hash: F9E026F1F10719A66F5458A9DC919DABBE8DBA8678F40013AEA01B3240E6A265064290
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0231211b06a5d1f3b777232e7d98fddd1bc69ede86d9bfc94b3295c9d32e452d
                  • Instruction ID: 2e1cb4157e9bed6a97397aa746a4d7011e1a5af35e58ae38349b67092a06894d
                  • Opcode Fuzzy Hash: 0231211b06a5d1f3b777232e7d98fddd1bc69ede86d9bfc94b3295c9d32e452d
                  • Instruction Fuzzy Hash: B9F027B5700508ABE704AB65C0183ABB7E6DFC0328F10817AD90E57384CE3A2802CBD5
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: df9a481e44da89252b566420340221b771084bf0feea2c376c72b034b18277d1
                  • Instruction ID: a438091f162fc590131690bfad14cf03e0144f34ebbf030ee6a5a0e6f579595a
                  • Opcode Fuzzy Hash: df9a481e44da89252b566420340221b771084bf0feea2c376c72b034b18277d1
                  • Instruction Fuzzy Hash: DCE065353605118F87009B1DD488C66BBFAEFCE76532A00AAE549CB330CA61EC01CB80
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0101b6fa4f36fa143d5b10740c651a2e53898117f643f4a9b7ac057df3714e67
                  • Instruction ID: 2ece3675b987741d85de8cb6376b3a793f63daf198936a43170eaf15481085b4
                  • Opcode Fuzzy Hash: 0101b6fa4f36fa143d5b10740c651a2e53898117f643f4a9b7ac057df3714e67
                  • Instruction Fuzzy Hash: FBF05B39A111149FCB01CFA8E585999BBB2FF48325B158555F909AB355CB31ED01CB40
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0c68cdbde5be5716b40993a5910250077fe7e3674bea7b6d48e77bc4eef4b6fb
                  • Instruction ID: 2e096e41f9f952dd84fa4eb872f5d5ac7187fdf6bf075dda53c23077435e6f97
                  • Opcode Fuzzy Hash: 0c68cdbde5be5716b40993a5910250077fe7e3674bea7b6d48e77bc4eef4b6fb
                  • Instruction Fuzzy Hash: 70E020E271D7D10B471A806D5820455AFB74AD313030941FBE040CB346DC43580543D4
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b418a4be17639a6abc46716fa18568c3f60b0d3bf71fa43675e854e7bcc64802
                  • Instruction ID: 9cb51cba831ba4532b2639b8b97a203f06bec10d91b94db6536b25ca3628ce72
                  • Opcode Fuzzy Hash: b418a4be17639a6abc46716fa18568c3f60b0d3bf71fa43675e854e7bcc64802
                  • Instruction Fuzzy Hash: 64D05E92B6212637166875FA1C00ABB99DF8EC44F9F050236EA2AD3741ED52EC0643E1
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8678981e6cbd242e59d5f927b0375a9283090042763b9e84e9b226a949b9cb95
                  • Instruction ID: 764ba996f55566b732a722af01f62b4f6eb6e109bde70525f293b4d7a361635f
                  • Opcode Fuzzy Hash: 8678981e6cbd242e59d5f927b0375a9283090042763b9e84e9b226a949b9cb95
                  • Instruction Fuzzy Hash: 54F06D70A003048BD3649F78D89C39ABBE5FB44320F004469E14ED3340DB39A8818B90
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4e51794c442e4c4511cce6a0c5b0a22855655fd72a84de170837605d0e3304e1
                  • Instruction ID: f1c1b03fe9602259f78225938a33e6e4b37d6d07237019cbcf48fa915d5f5775
                  • Opcode Fuzzy Hash: 4e51794c442e4c4511cce6a0c5b0a22855655fd72a84de170837605d0e3304e1
                  • Instruction Fuzzy Hash: 2DE0483570465597CB092B75D85C29D7A66ABC4735F04002AE60983340CF79690187E9
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 760ac79d584b2277c55026330d7912690ca11193acdacf706c757a2fc78ded12
                  • Instruction ID: 9dc8c5c31967f25d79cc55e482e232509b15b9b38d45de78f544a49e6b623b12
                  • Opcode Fuzzy Hash: 760ac79d584b2277c55026330d7912690ca11193acdacf706c757a2fc78ded12
                  • Instruction Fuzzy Hash: 38D05E9272212627166831FA1800ABB95DF8EC44E4F050236EA19C3341ED41EC0643E1
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                  • Instruction ID: 17c090ac3f381417c8afd833805c52325aff9059bd31434d6c7c67e0b98c3a37
                  • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                  • Instruction Fuzzy Hash: 79E08631B30054978B0899A9D4104EDF7AADBCC221F04807AD90AA7340DA726915C6E1
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 25936d632ef18eef88f2f2626ba2b12c49e30a3af8379ffd1878ad3c3d69e58d
                  • Instruction ID: abca08172e4afe8ade25ecf27979bf251c902b784347d524ba3a77231fd311a9
                  • Opcode Fuzzy Hash: 25936d632ef18eef88f2f2626ba2b12c49e30a3af8379ffd1878ad3c3d69e58d
                  • Instruction Fuzzy Hash: 83E0ED70D052459FCB51DFB8C48159AFFF0AF49310B2585AEC989D7211E3315611DB91
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5f09fa69f263bf640fb56c8fe88580130fb07b3da1fa07671186e91abc741636
                  • Instruction ID: 69263cf7f3d72f181fb85ab23511b5022548c4cf5044325da439dd675f063a7f
                  • Opcode Fuzzy Hash: 5f09fa69f263bf640fb56c8fe88580130fb07b3da1fa07671186e91abc741636
                  • Instruction Fuzzy Hash: C3E04FB4C141498BCB0ABFA4D85A4AD7F70FB10321B4002A9E94392281EA35264ACA84
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 26de86ad2b0310f1431e4f55547e452d8dccaba837f33d87f7b23b8d27a383e2
                  • Instruction ID: ffd95bc1221291f00bd17882249498cec2061aa8bd0b907b53dcefb11a1cacef
                  • Opcode Fuzzy Hash: 26de86ad2b0310f1431e4f55547e452d8dccaba837f33d87f7b23b8d27a383e2
                  • Instruction Fuzzy Hash: 79E086B4E1824A9BC744EFB4E4875AABFF4FB14319F004569FD4597780EA31A841CBC5
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                  • Instruction ID: 9f77a7e0dbfdc24f7f1830928281e648bf9ca18ac603751dfb32464f99fec8ee
                  • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                  • Instruction Fuzzy Hash: 16D067B0E142099F8780EFADC94156EFBF4EB48200F6085AA8919E7301F7729A12CBD5
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2bcb49b3c3cefa2acce34532c96d2c4dae2aad8c2cda059fced106621d3236d4
                  • Instruction ID: cdc9a6fac7a1234b55a377dc5c5526809ca7bc1b196f195bd9778f108ecccd79
                  • Opcode Fuzzy Hash: 2bcb49b3c3cefa2acce34532c96d2c4dae2aad8c2cda059fced106621d3236d4
                  • Instruction Fuzzy Hash: A3D017389041098BCB09AFA5E89B4BDBB34FB00312F4001A9E90752290EA342A4ACAC0
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cce6396267b0ad6814e984adf50e68e15b9e9dfd552503d06ef330ec7afa7841
                  • Instruction ID: 1b5f38c64fe645c3da9ef5c0f14a0e1bbfb0bc7e08a161eab53cd9105af7960e
                  • Opcode Fuzzy Hash: cce6396267b0ad6814e984adf50e68e15b9e9dfd552503d06ef330ec7afa7841
                  • Instruction Fuzzy Hash: D0D01738A1820A8BCB08EFA4E88686EBBB4AB44300F004169ED4993344EA306801CBC5
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 16aedb076015220b7b8ea44748643175f84948d9745ddc3f9b6d27103c234a69
                  • Instruction ID: c1048f1f1f2d6ff452f73666a9f7b0e99c2e1905a39488411fdf6eba0bb4c64d
                  • Opcode Fuzzy Hash: 16aedb076015220b7b8ea44748643175f84948d9745ddc3f9b6d27103c234a69
                  • Instruction Fuzzy Hash: D7D0923518E7C49FC7179F7894988943FA0AE0312470905DEE88A8F1A3C936848ACB46
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 64e976e1a5ea5d7a99b08a36616e71865a2c2966af75f04e179cad4ed24fc629
                  • Instruction ID: a1ed552a756add84e01d4561561d7e64cfb58b624a6e3b2bc49df2d47e82a47c
                  • Opcode Fuzzy Hash: 64e976e1a5ea5d7a99b08a36616e71865a2c2966af75f04e179cad4ed24fc629
                  • Instruction Fuzzy Hash: 0ED09239B40218CFCB14CBA8E895A9CF371FF88325F1180A6E5159B351CB32E912CB40
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8ed5e67c073821d7db35845a5e5d2296fc6b8a460db6bd13d28b0a5b86ee4b23
                  • Instruction ID: 9e720089fb71079c596886858629a0d5fe0889b78bea83f2fea5c95973b262a1
                  • Opcode Fuzzy Hash: 8ed5e67c073821d7db35845a5e5d2296fc6b8a460db6bd13d28b0a5b86ee4b23
                  • Instruction Fuzzy Hash: C7C0481A59FFC89EE70302364CA1582AFB02A5242038F02CFA180CE963C119880ECB92
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 681c65cd32d1a6e6393cc757d79f7bb807a202e3b9f9258fbcffdc0393995726
                  • Instruction ID: 2109d9b3b79f0bd22cfaa0a89127874da8f78d2580dc35690f7a085d3574be2d
                  • Opcode Fuzzy Hash: 681c65cd32d1a6e6393cc757d79f7bb807a202e3b9f9258fbcffdc0393995726
                  • Instruction Fuzzy Hash: 33B092310467098FC2496F75E4089147329FF4421978008A8E90E0A2928E37E889CA45
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1830380411.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_7140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4'^q$4'^q$4'^q$4'^q$84'l$84'l$tP^q$tP^q$J*l$J*l$J*l$J*l$J*l$r)l$r)l
                  • API String ID: 0-572979778
                  • Opcode ID: 5571f0d7e274d9761595245cc356680a0ee1508b4671832b37759568c2a5f808
                  • Instruction ID: 6f044255663923df7b07002016b1aae82ffdff5c444125beb91a2d456b64a977
                  • Opcode Fuzzy Hash: 5571f0d7e274d9761595245cc356680a0ee1508b4671832b37759568c2a5f808
                  • Instruction Fuzzy Hash: 1BE15BB1B0430EDFCB268B68941876AFFE6AFC1310F1484ABD8559B295DB31C8C5C7A1
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1830380411.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_7140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q
                  • API String ID: 0-3865595929
                  • Opcode ID: a5b13d0b0ed121da7510bfe51733036d26d19b5ecdff8b80d08beb08eeffb0f2
                  • Instruction ID: 67d3412c5c85b6e774809ddab18d0efecec9559d777b6cad7029e46faed8fefc
                  • Opcode Fuzzy Hash: a5b13d0b0ed121da7510bfe51733036d26d19b5ecdff8b80d08beb08eeffb0f2
                  • Instruction Fuzzy Hash: ECA17BB27143499FCB2A9B799800766BBE6AFC6710F24846BE415EB3E1CB31CC45C761
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: tM)l$`_q$`_q$`_q$`_q
                  • API String ID: 0-636039193
                  • Opcode ID: 2d34cee6da38ab6b7866e65467894e71ca6ee04f611aab782270010cb4845f9a
                  • Instruction ID: fe82d2cf044dbf27ac8997d9b86e096b0b01ab4dc69ce142ecb9e26443638440
                  • Opcode Fuzzy Hash: 2d34cee6da38ab6b7866e65467894e71ca6ee04f611aab782270010cb4845f9a
                  • Instruction Fuzzy Hash: 27B19674E012099FDB55DFA9D990A9EFBF2FF88300F10862AD419AB315DB34A945CF90
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1804066500.00000000042D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 042D0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_42d0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: tM)l$`_q$`_q$`_q$`_q
                  • API String ID: 0-636039193
                  • Opcode ID: 24008c192aa0dc82fdbf52d673a4778e771642d367457c2e957349a07ee15865
                  • Instruction ID: 5fbaca248b873b2c906223590ddd287e684fff3585dbaf0c8aaeee4297b40560
                  • Opcode Fuzzy Hash: 24008c192aa0dc82fdbf52d673a4778e771642d367457c2e957349a07ee15865
                  • Instruction Fuzzy Hash: F2B18774E012099FDB54DFA9D990A9EFBF2FF88300F108629D819AB315DB74A945CF90
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1830380411.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_7140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4'^q$4'^q$4'^q$XY)l$XY)l
                  • API String ID: 0-1130957193
                  • Opcode ID: 9c45d568083387bb128886af8c049ea644f8dbca27078fd17553511eea331189
                  • Instruction ID: e7a0295bbedd485921e03d480584369d4381a49515080f49493445660d563d9b
                  • Opcode Fuzzy Hash: 9c45d568083387bb128886af8c049ea644f8dbca27078fd17553511eea331189
                  • Instruction Fuzzy Hash: 7D6137F1B002CACFDB15CF69C44576ABBE2BF8A212F15816ADC05DB295D731C842CBA1
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1830380411.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_7140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4'^q$4'^q$$^q$$^q$$^q
                  • API String ID: 0-3272787073
                  • Opcode ID: 3b41dba8346437b9948441ad5fb666771b647a782a001f20cccaa8f5b24d2bf4
                  • Instruction ID: d235f1bfb334d71ec973417bc9e2d0091cba5c0fcd05ada9bf2a939340eaee01
                  • Opcode Fuzzy Hash: 3b41dba8346437b9948441ad5fb666771b647a782a001f20cccaa8f5b24d2bf4
                  • Instruction Fuzzy Hash: 1A518BF570430B9FCB2A4A298801667FBB6AFC2211F24847BD465EB3D1DB31C885C7A1
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1830380411.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_7140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: fcq$4'^q$4'^q$r)l$r)l
                  • API String ID: 0-1752403509
                  • Opcode ID: bf7d6298a9da65ac8ab1976d26e6db1e0df96e3932701b6b1ab167171c4494fe
                  • Instruction ID: 635c6918cf16575ae51a35ed23afcaa23505e30c74758fd6609405f17c54dbd7
                  • Opcode Fuzzy Hash: bf7d6298a9da65ac8ab1976d26e6db1e0df96e3932701b6b1ab167171c4494fe
                  • Instruction Fuzzy Hash: 3B41D771B043558FC7168B3AC81466ABFB1AF8A210F1580EBD649CB291DB31CC85C792
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1830380411.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_7140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: $^q$$^q$$^q$$^q
                  • API String ID: 0-2125118731
                  • Opcode ID: a842e1c81fa1e018f716c42193b8d239562e64c62ca4b03430052c99bc93a6c0
                  • Instruction ID: d6c3af725eb1ce456978118eea4b78f23f12ef8d2ff71d3c5e4d5a49a2bf8f1e
                  • Opcode Fuzzy Hash: a842e1c81fa1e018f716c42193b8d239562e64c62ca4b03430052c99bc93a6c0
                  • Instruction Fuzzy Hash: DD2127B270030B9BDB28596B9C02B27B7DBABC0715F64843AA909CF3C5DE76C8558361
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1830380411.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_7140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4'^q$4'^q$$^q$$^q
                  • API String ID: 0-2049395529
                  • Opcode ID: b7807a1871a2c93046b70088d00436cb59e3e06db7a8c9a2578b9747b0935e22
                  • Instruction ID: d2b5f01e8bd94be405245f204bc503dbbf7f655016afc6e5d199cd7f61c4ce4a
                  • Opcode Fuzzy Hash: b7807a1871a2c93046b70088d00436cb59e3e06db7a8c9a2578b9747b0935e22
                  • Instruction Fuzzy Hash: AA01F261B0D38A5FC72B12391C201556FB31FC7950B1A44DBC585DF3A7CE1A4C4A83A3
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1830380411.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_7140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: $^q$$^q$J*l$J*l
                  • API String ID: 0-2439580138
                  • Opcode ID: 39c037e07b2219dacb124644650e81c80bcda8138d3a6f9bf698d34c0eafb8e3
                  • Instruction ID: 3b86dd8b55899026980172d5fe0a2eda17a2602c5008a48a0936b70c21761da3
                  • Opcode Fuzzy Hash: 39c037e07b2219dacb124644650e81c80bcda8138d3a6f9bf698d34c0eafb8e3
                  • Instruction Fuzzy Hash: 9BF0A7B2B1021A4FC139058C5C11617E2A77BD0F10F254527A6456F39DCF31C8CAC756
                  Strings
                  Memory Dump Source
                  • Source File: 00000011.00000002.1864889013.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_1050000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID:
                  • String ID: $^q$$^q$$^q
                  • API String ID: 0-831282457
                  • Opcode ID: a90f2513fd70875e957e616aaa374fd7768a02f9f4c21ad322b6cd9e06ebc570
                  • Instruction ID: c45b5cfacd849da71cec42ffdda8aa592046dbfbf5e1aa02c373e1f85fcd7fab
                  • Opcode Fuzzy Hash: a90f2513fd70875e957e616aaa374fd7768a02f9f4c21ad322b6cd9e06ebc570
                  • Instruction Fuzzy Hash: AFF18F347042049FDB59AB79D958B6E7BE2BFC9700F104568E84AAF3A9DF719C05CB80
                  Strings
                  Memory Dump Source
                  • Source File: 00000011.00000002.1864889013.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_1050000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID:
                  • String ID: Q$ Q$Hbq
                  • API String ID: 0-292540989
                  • Opcode ID: 6cc9c55ea1ea2b6d4cc53982b818f3835fac0ea4c02cccd31895cc40691b51fa
                  • Instruction ID: 2ae3c288b896155ea3a6a8b9a549cdfb6d6995e992e79c7187cb9b6bb042a0c1
                  • Opcode Fuzzy Hash: 6cc9c55ea1ea2b6d4cc53982b818f3835fac0ea4c02cccd31895cc40691b51fa
                  • Instruction Fuzzy Hash: 5A21B030A052488FCB85EFB8C4556AE7FF1AF85300F1445FDD949AB295DA345D45CB81
                  Strings
                  Memory Dump Source
                  • Source File: 00000011.00000002.1864889013.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_1050000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID:
                  • String ID: $^q$$^q
                  • API String ID: 0-355816377
                  • Opcode ID: 1066bc79e1fb854116ccf03940993001bbf4b6eeaa3f3fd69562de808e7ae418
                  • Instruction ID: 07f83db5d0e1fc02b545f11c362e9ec69d70ed5d9022b7fd40b82f7378bbf67d
                  • Opcode Fuzzy Hash: 1066bc79e1fb854116ccf03940993001bbf4b6eeaa3f3fd69562de808e7ae418
                  • Instruction Fuzzy Hash: 30A19F307006049FDB59AB79D85877E3AE2BFC8740F148968E84AAB3E4DF719C05CB91
                  Strings
                  Memory Dump Source
                  • Source File: 00000011.00000002.1864889013.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_1050000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID:
                  • String ID: LR^q
                  • API String ID: 0-2625958711
                  • Opcode ID: 9b9bc8bc2746e0540af9994c503143d106026a1267d952f588a9834c52cbb132
                  • Instruction ID: dfd63a30676125d7ad0fe5d93ba9d32c8eab52a0488e630da800622e881e88b1
                  • Opcode Fuzzy Hash: 9b9bc8bc2746e0540af9994c503143d106026a1267d952f588a9834c52cbb132
                  • Instruction Fuzzy Hash: BB21E630B002558FCB89EB79895463F7BF6AFC5704B1484A9E549DF399DE708C02C796
                  Memory Dump Source
                  • Source File: 00000011.00000002.1864889013.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_1050000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 693caa9a1360c4b02e0a49e0b81cfc2c2c91c293827f5a071f8a47386d4dc9b5
                  • Instruction ID: cbfc788f14dd54c81be7a977d392d8192893c8cda94ec9abbaeb3ce00a643212
                  • Opcode Fuzzy Hash: 693caa9a1360c4b02e0a49e0b81cfc2c2c91c293827f5a071f8a47386d4dc9b5
                  • Instruction Fuzzy Hash: 9E21F721F042459FCB44ABBD485827F7FEAAFCA310B14496ED49AE7395DD348C068761
                  Memory Dump Source
                  • Source File: 00000011.00000002.1864889013.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_1050000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c24dcf75de409c639f56f623da6099c31a697f8ba1a1b5e23e4e2e108e5a9c9d
                  • Instruction ID: d176e5cc429b047b6796ef8c22500381cd7d83c255e568598733217284239183
                  • Opcode Fuzzy Hash: c24dcf75de409c639f56f623da6099c31a697f8ba1a1b5e23e4e2e108e5a9c9d
                  • Instruction Fuzzy Hash: D531B174904309DFCB01EB78D8816AEBFB2FF85300F1086A9D005AB359EB309A44CF91
                  Memory Dump Source
                  • Source File: 00000011.00000002.1864889013.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_1050000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ae3491905aa05ecb9b5dacf125cfcf70d43b480aac7524d4ed9ceea121aa635b
                  • Instruction ID: d0a59cbdf6b6adc280936dc447b5e7e93958fe6450bef21b7ab8d92a8b786c9d
                  • Opcode Fuzzy Hash: ae3491905aa05ecb9b5dacf125cfcf70d43b480aac7524d4ed9ceea121aa635b
                  • Instruction Fuzzy Hash: EB216074900209DFCB45FF78D9856AEBBB6FF85300F108669D405AB358EB709A44CF91
                  Memory Dump Source
                  • Source File: 00000011.00000002.1864889013.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_1050000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 27e2fce0e636e7e9a6f46e36e2056a15eb2f1c37a7426d3af8bc1c4bd1dea3fa
                  • Instruction ID: fed1e0b47ef6595dabac862505ca9814366c83686de5155b24c6ee81300bf5a4
                  • Opcode Fuzzy Hash: 27e2fce0e636e7e9a6f46e36e2056a15eb2f1c37a7426d3af8bc1c4bd1dea3fa
                  • Instruction Fuzzy Hash: 00119B34558A059FCB06FF1CFA85A56B7A5FF45704B00AB6494488F22DEB70A9498BC0
                  Memory Dump Source
                  • Source File: 00000011.00000002.1864889013.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_1050000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a4f08494f06d1446208257e434c163f1a096f538bd8eeee785aad1fe8d352c64
                  • Instruction ID: 9115107deac02c55c099e34492725b31f063188b6ebd8a579c185e16799d4054
                  • Opcode Fuzzy Hash: a4f08494f06d1446208257e434c163f1a096f538bd8eeee785aad1fe8d352c64
                  • Instruction Fuzzy Hash: 6911E870D0020DAFCB40EFB9E9856ADBBB1FF84300B1056A9D519BB355EB316A08CF80
                  Strings
                  Memory Dump Source
                  • Source File: 00000011.00000002.1864889013.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_1050000_BhTdjGetAH.jbxd
                  Similarity
                  • API ID:
                  • String ID: Q$ Q$Xbq$dbq$v$$^q
                  • API String ID: 0-3047755828
                  • Opcode ID: 94119a0f862097b1af62e173a834dc78510e47077291d5d3732ac63217ae23bd
                  • Instruction ID: 8378f0bf6b4a2f54bb7ece660419506e58f237e8216954795c1026795b8273ed
                  • Opcode Fuzzy Hash: 94119a0f862097b1af62e173a834dc78510e47077291d5d3732ac63217ae23bd
                  • Instruction Fuzzy Hash: FA91A074F04219DBDB58ABB9885477F7BB7BFC8740F04856DE886E7298CE3488029791
                  Memory Dump Source
                  • Source File: 00000013.00000002.1868597149.0000000004140000.00000040.00000800.00020000.00000000.sdmp, Offset: 04140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_4140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 87a3e1c38f82b9f804b11d19fbf8b8479b1a5059fac9348ad830913b03264c76
                  • Instruction ID: 6fc78db33c2b890a1e1b7e6ca784cc473454d031daf97678ade71d0025444bfc
                  • Opcode Fuzzy Hash: 87a3e1c38f82b9f804b11d19fbf8b8479b1a5059fac9348ad830913b03264c76
                  • Instruction Fuzzy Hash: 0A9161B1F006155BDB1AEBB4C4546AEB7B3EF84704B00892DD50AAF340DF75AD4A8BC6
                  Memory Dump Source
                  • Source File: 00000013.00000002.1868597149.0000000004140000.00000040.00000800.00020000.00000000.sdmp, Offset: 04140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_4140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9e50ae62eb0936a50064eadcaa652662c4069243060d9a1952384f525888600d
                  • Instruction ID: c1680d28d4ff7f86d36af04087d34ce4efa9271f1ae6ca719c95d52c77d85a27
                  • Opcode Fuzzy Hash: 9e50ae62eb0936a50064eadcaa652662c4069243060d9a1952384f525888600d
                  • Instruction Fuzzy Hash: 749152B1F006155BDB1AEBB4C5146AEB7A3DF84704B00892DD51AAB340DF75AD0A8BC6
                  Strings
                  Memory Dump Source
                  • Source File: 00000013.00000002.1892175885.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_7030000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4'^q$4'^q$J*l$J*l$J*l$J*l$J*l$J*l$r)l$r)l
                  • API String ID: 0-2695109752
                  • Opcode ID: 666efe1468ded24b76847c690e34840d7c226e3680bf4478e01bc077857f20df
                  • Instruction ID: 08a5d73fa333ab50d10046af486498220b5eb00097b2e722af66ada1d074d18a
                  • Opcode Fuzzy Hash: 666efe1468ded24b76847c690e34840d7c226e3680bf4478e01bc077857f20df
                  • Instruction Fuzzy Hash: F4226AB1B0020ADFCB60CF69C8117AABBEABF85310F14817AE915DB251DB35DD45CBA1
                  Strings
                  Memory Dump Source
                  • Source File: 00000013.00000002.1892175885.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_7030000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4'^q$4'^q$4'^q$4'^q
                  • API String ID: 0-1420252700
                  • Opcode ID: b2d6fb0b93794296d6f6d5812a2be82379ea35faeea703d0925b909673569485
                  • Instruction ID: d0c8db4934067c5edbb79fe4d16b0e5be973e853a9a0abaae76708d1027550d3
                  • Opcode Fuzzy Hash: b2d6fb0b93794296d6f6d5812a2be82379ea35faeea703d0925b909673569485
                  • Instruction Fuzzy Hash: 86127BB1B042498FCB558B69D81167BFBEAAFC2310F14867AE915CF391DB31C885C7A1
                  Strings
                  Memory Dump Source
                  • Source File: 00000013.00000002.1868597149.0000000004140000.00000040.00000800.00020000.00000000.sdmp, Offset: 04140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_4140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: (bq
                  • API String ID: 0-149360118
                  • Opcode ID: 591e3f422f0b671258139d00d3d54b80b1e249278361b47958fd3e6b689edd42
                  • Instruction ID: 7f1765e8db231c012e14595069d2c473b2111b73510ec4c26145ee38f4266096
                  • Opcode Fuzzy Hash: 591e3f422f0b671258139d00d3d54b80b1e249278361b47958fd3e6b689edd42
                  • Instruction Fuzzy Hash: 4C413D34B012048FDB04DFA8C594AAEBBF2AFCE310F154499E402AB391DB35EC01CB51
                  Strings
                  Memory Dump Source
                  • Source File: 00000013.00000002.1868597149.0000000004140000.00000040.00000800.00020000.00000000.sdmp, Offset: 04140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_4140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: (&^q
                  • API String ID: 0-2067289071
                  • Opcode ID: d7781cc2d1c518142aa47aa587295a03ccbd2406f8f3c67cde8f7fe249569386
                  • Instruction ID: 8130ce20eb59f8421e10d1b0826e731b02fd238a108bcb64401c680a2efe0a92
                  • Opcode Fuzzy Hash: d7781cc2d1c518142aa47aa587295a03ccbd2406f8f3c67cde8f7fe249569386
                  • Instruction Fuzzy Hash: E421DE71A042598FCB14DFAED84469EBFF5EF88320F24846AD418A7350DB34A805CFA5
                  Memory Dump Source
                  • Source File: 00000013.00000002.1868597149.0000000004140000.00000040.00000800.00020000.00000000.sdmp, Offset: 04140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_4140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e4c6bab5f0b9b42025bf933f490fb61d613610c655c43f2ea9857749b0c46d61
                  • Instruction ID: 135ec95255300f0f9513eb5dc027acb2bb4698cec4a7901a48d1e84ef3fbfd88
                  • Opcode Fuzzy Hash: e4c6bab5f0b9b42025bf933f490fb61d613610c655c43f2ea9857749b0c46d61
                  • Instruction Fuzzy Hash: 45916A74A002458FCB15CF59C4D49AEFBB1FF88310B258599E819AB3A5C735FC91CBA4
                  Memory Dump Source
                  • Source File: 00000013.00000002.1868597149.0000000004140000.00000040.00000800.00020000.00000000.sdmp, Offset: 04140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_4140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c79de58875adc15a57e83c8cf76ec6f9ffc057b1df3255617524e00bc0659cd2
                  • Instruction ID: 7d48a50d4f6f7f9bec3525d9de1fb563b45dd1ccaad0162d554d2c73f17e6da3
                  • Opcode Fuzzy Hash: c79de58875adc15a57e83c8cf76ec6f9ffc057b1df3255617524e00bc0659cd2
                  • Instruction Fuzzy Hash: FC6107B1E04248DFCB14DFA9D584A9DFBF5EF88310F14816AE819AB365EB30A945CB50
                  Memory Dump Source
                  • Source File: 00000013.00000002.1868597149.0000000004140000.00000040.00000800.00020000.00000000.sdmp, Offset: 04140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_4140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 13e439449bc833c552c3311d4bee1caad6ef2a509d353f567bc3fe5d26fd1770
                  • Instruction ID: 779bcfdf9b7b0c7a79a9126b8f330b995b1bc0b66fa71d7645283f690c0ee7cc
                  • Opcode Fuzzy Hash: 13e439449bc833c552c3311d4bee1caad6ef2a509d353f567bc3fe5d26fd1770
                  • Instruction Fuzzy Hash: 6151D4343042019FD714CB79D884A6A77EAFFC8324B1589B9E519CB396EB35EC01CBA0
                  Memory Dump Source
                  • Source File: 00000013.00000002.1868597149.0000000004140000.00000040.00000800.00020000.00000000.sdmp, Offset: 04140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_4140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 18ee6f5303ce6a7a3ad98bdbbc403daf50cd3d477ce20cff0ac97fe5cf2de6eb
                  • Instruction ID: 7be0d8ceea12429c194906bda1e63df0327076e0f5cf8edc75617bd27260b167
                  • Opcode Fuzzy Hash: 18ee6f5303ce6a7a3ad98bdbbc403daf50cd3d477ce20cff0ac97fe5cf2de6eb
                  • Instruction Fuzzy Hash: AC61F8B1E00248DFCB14DFA9D58479DBBF5EF88310F158169E819AB364EB31AD85CB50
                  Memory Dump Source
                  • Source File: 00000013.00000002.1892175885.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_7030000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 09e382319aafe4ab13f89052f7c145c358cff5552893962146d2f17004c514a2
                  • Instruction ID: cbad86074f67022e4688631c18d59080d76bc6b173392fcd7eb698bb398db57d
                  • Opcode Fuzzy Hash: 09e382319aafe4ab13f89052f7c145c358cff5552893962146d2f17004c514a2
                  • Instruction Fuzzy Hash: CD4146F0A04206CFCB648F25D981AAAFBFAAF81254F1583A5D9109F392D735DC85C7A1
                  Memory Dump Source
                  • Source File: 00000013.00000002.1868597149.0000000004140000.00000040.00000800.00020000.00000000.sdmp, Offset: 04140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_4140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7c80b05f88e793dcfa490c614b6e47b6e6bdeaf637ff2fb626b168ace2c84985
                  • Instruction ID: e9c5e07cd50737bf7ede48910edc69c4724710eebe4afc68c68748c11e6a8188
                  • Opcode Fuzzy Hash: 7c80b05f88e793dcfa490c614b6e47b6e6bdeaf637ff2fb626b168ace2c84985
                  • Instruction Fuzzy Hash: 944138B4A006059FCB05CF58C5D89AAFBB1FF88314B158599E815AB364C736FC91CFA4
                  Memory Dump Source
                  • Source File: 00000013.00000002.1868597149.0000000004140000.00000040.00000800.00020000.00000000.sdmp, Offset: 04140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_4140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 532206f2ff9f8b2369caf5d84a99fbc479736f9f9a32cac80750a95bf43be532
                  • Instruction ID: c20d3ca0420502f8e10f19386f85e3f83e63704309e4d7500041b8204ef87230
                  • Opcode Fuzzy Hash: 532206f2ff9f8b2369caf5d84a99fbc479736f9f9a32cac80750a95bf43be532
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 58a5a2901005889e9f5092345a3c7885eee50771098f6b1f27a9da1493d6638a
                  • Instruction ID: 4b05ab018b41c25c61ba5dc894f0069f0c9cde56c2039fef69e21dd7ae0236a6
                  • Opcode Fuzzy Hash: 58a5a2901005889e9f5092345a3c7885eee50771098f6b1f27a9da1493d6638a
                  • Instruction Fuzzy Hash: CBE026B17003002B8219A26FAC8596FF7CBDEC4260394893DC51E87724DE31AC46D7A4
                  Memory Dump Source
                  • Source File: 00000013.00000002.1868597149.0000000004140000.00000040.00000800.00020000.00000000.sdmp, Offset: 04140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_4140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7945b00b490ca02abe45004f1f3bb95f00e3a4edbce03738d94deb9e967615cd
                  • Instruction ID: b6e90d99c384405bd0fe87bebc68efef166c006763ce17d9be1e3e4b6daeebfd
                  • Opcode Fuzzy Hash: 7945b00b490ca02abe45004f1f3bb95f00e3a4edbce03738d94deb9e967615cd
                  • Instruction Fuzzy Hash: BAF0EDB09013049BD7649F79D89D79BBBE5FB84324F004469D55ED7240DB396881CB91
                  Memory Dump Source
                  • Source File: 00000013.00000002.1868597149.0000000004140000.00000040.00000800.00020000.00000000.sdmp, Offset: 04140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_4140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: fc74662bc0b43d6fa65ea291766081c06437d3df9a7b2dafd3c932ed0c4c1f8f
                  • Instruction ID: a8995b02ea6164b70fbff228c149223cd9dc41f1b54e37835d82955ef412ac43
                  • Opcode Fuzzy Hash: fc74662bc0b43d6fa65ea291766081c06437d3df9a7b2dafd3c932ed0c4c1f8f
                  • Instruction Fuzzy Hash: 54E04F7570471497CB092775A81C3AF7B96ABC4729F04002AD60A83340CF6A5D4287EA
                  Memory Dump Source
                  • Source File: 00000013.00000002.1868597149.0000000004140000.00000040.00000800.00020000.00000000.sdmp, Offset: 04140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_4140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ea81ed34f2d5a5aa9d9c254e17c540f2648ab9b3a90df414582a427d12136e9d
                  • Instruction ID: c47caef9b6a6fc4bf1ebebe96ff64b099a5534bd033bbe410a2187823c4a92cf
                  • Opcode Fuzzy Hash: ea81ed34f2d5a5aa9d9c254e17c540f2648ab9b3a90df414582a427d12136e9d
                  • Instruction Fuzzy Hash: 04D05EF67111391B5A5471BA18806FB96CFCBC54A8B1900779A09EB241EE40EC0A43F1
                  Memory Dump Source
                  • Source File: 00000013.00000002.1868597149.0000000004140000.00000040.00000800.00020000.00000000.sdmp, Offset: 04140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_4140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5edf04a0cec90a53266b634531c813004036296c818eab61dc2fcfb243e1f68f
                  • Instruction ID: 1114be6cc82759337804478faf2b303acc693e00148db6289d927e6e74bfd0fd
                  • Opcode Fuzzy Hash: 5edf04a0cec90a53266b634531c813004036296c818eab61dc2fcfb243e1f68f
                  • Instruction Fuzzy Hash: 9DE0C2317407140B8A12662EB9148DFB7DBDFC5671300407EE02AD7340DF64EC458BE5
                  Memory Dump Source
                  • Source File: 00000013.00000002.1868597149.0000000004140000.00000040.00000800.00020000.00000000.sdmp, Offset: 04140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_4140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                  • Instruction ID: b975bbfa42d61b3814a7bae0eab3f5659fda2b625d23bcc304e241c137078d24
                  • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                  • Instruction Fuzzy Hash: E6E08631B00014978B089559E4514DDF7AADBCC620F04807AD90AA7340DB32691586E1
                  Memory Dump Source
                  • Source File: 00000013.00000002.1868597149.0000000004140000.00000040.00000800.00020000.00000000.sdmp, Offset: 04140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_4140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: dd14a9d6f1a3b7002e6a170690fb1c1b2125b567574e622ced0b933241e33c27
                  • Instruction ID: 36fcb1e52f130cfab922a1d31b79770245c9a270eb9d8af859c7f8d506f5d6fa
                  • Opcode Fuzzy Hash: dd14a9d6f1a3b7002e6a170690fb1c1b2125b567574e622ced0b933241e33c27
                  • Instruction Fuzzy Hash: 55E07D717042605BC304536CE8584587BE6EBC5B5135400BFE50CD3341EF169C01C794
                  Memory Dump Source
                  • Source File: 00000013.00000002.1868597149.0000000004140000.00000040.00000800.00020000.00000000.sdmp, Offset: 04140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_4140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d97586a90276d452ce3316ef7d6b627554c56f5236c761f60650907d327f39b2
                  • Instruction ID: 04afbe9a5f07e3c95f5242925f927b092f7078f7cc0b42a5d90ca6a1b2a1f278
                  • Opcode Fuzzy Hash: d97586a90276d452ce3316ef7d6b627554c56f5236c761f60650907d327f39b2
                  • Instruction Fuzzy Hash: EAE04F79C1424A8BCB09BB74E85B5EDBFB4FB50321F000659D546522D1EB351A96CBC2
                  Memory Dump Source
                  • Source File: 00000013.00000002.1868597149.0000000004140000.00000040.00000800.00020000.00000000.sdmp, Offset: 04140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_4140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 106b0b601c4e96449715c3584c0020f70b91be4aa727991df582ea260762bfa1
                  • Instruction ID: f41c7345a5eaacff011c5b00ae79a19be8433454f4958e1a0020b7c7027fa2a1
                  • Opcode Fuzzy Hash: 106b0b601c4e96449715c3584c0020f70b91be4aa727991df582ea260762bfa1
                  • Instruction Fuzzy Hash: 88E0923490430B8BC7099B78D847479BFB0AB49310F108255D95563281EB3129D1CB81
                  Memory Dump Source
                  • Source File: 00000013.00000002.1868597149.0000000004140000.00000040.00000800.00020000.00000000.sdmp, Offset: 04140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_4140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 05d5ecc370ec03ff3221f6d1d1a13c82df100b668804f00d7e4b42051da8ddd0
                  • Instruction ID: 791a0d4ffc47710f33b0f478c777706d8922bcc08835ef9f8bdba7085be4f7f1
                  • Opcode Fuzzy Hash: 05d5ecc370ec03ff3221f6d1d1a13c82df100b668804f00d7e4b42051da8ddd0
                  • Instruction Fuzzy Hash: 9FE01AB0D04209AF8780DFB8C84265ABFF4EB59210B5085AA9808EB201E7319652CBD1
                  Memory Dump Source
                  • Source File: 00000013.00000002.1868597149.0000000004140000.00000040.00000800.00020000.00000000.sdmp, Offset: 04140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_4140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6aa590825bc80410fa17e15ab52f9dff36ab9d5e289fd2e71017a9fed26524ce
                  • Instruction ID: 6eba7b563e10b0f1c4a29f2184dfecf48909bc0d3622016ee66b88f33a518071
                  • Opcode Fuzzy Hash: 6aa590825bc80410fa17e15ab52f9dff36ab9d5e289fd2e71017a9fed26524ce
                  • Instruction Fuzzy Hash: 80D0A7713002106B8204635DB40955977DAE7C9F62340017AE60DE3340DE229C0187D4
                  Memory Dump Source
                  • Source File: 00000013.00000002.1868597149.0000000004140000.00000040.00000800.00020000.00000000.sdmp, Offset: 04140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_4140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e17a172f054cf6923116df9978cb81da3a9d5643f554e2cdb181a90904587909
                  • Instruction ID: 387a24cf729bba077e0275d14f3c698fb895e6ceb77b9cc9d079f668be26e157
                  • Opcode Fuzzy Hash: e17a172f054cf6923116df9978cb81da3a9d5643f554e2cdb181a90904587909
                  • Instruction Fuzzy Hash: 72D0A73608C3854FC2062771BC144C03B25DB5219538508DAE809461E7861A65498752
                  Memory Dump Source
                  • Source File: 00000013.00000002.1868597149.0000000004140000.00000040.00000800.00020000.00000000.sdmp, Offset: 04140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_4140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                  • Instruction ID: c4ca5f96668ec07157fd6e862f37e3c5d8afcd8a9015a1d617dd77cb7b05ac70
                  • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                  • Instruction Fuzzy Hash: CCD06270D042099F8784EFADC94156DFBF4EB48210F5085AA8919E7301F7315612DBD1
                  Memory Dump Source
                  • Source File: 00000013.00000002.1868597149.0000000004140000.00000040.00000800.00020000.00000000.sdmp, Offset: 04140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_4140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f2c74658b2b59e6c2dcd92c8b2912d18b09dbdaacd92d72f3c8b2e5cf5c0edd9
                  • Instruction ID: c59bda3c867563e54141c2d857e5c6abe2f4ef08ac2dcd1b504a9b8462eef136
                  • Opcode Fuzzy Hash: f2c74658b2b59e6c2dcd92c8b2912d18b09dbdaacd92d72f3c8b2e5cf5c0edd9
                  • Instruction Fuzzy Hash: F6D067799042098BCB08BBA5E85B5BDBBB4FB54312F404169D90762190EB362A9ACAC5
                  Memory Dump Source
                  • Source File: 00000013.00000002.1868597149.0000000004140000.00000040.00000800.00020000.00000000.sdmp, Offset: 04140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_4140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a869c2238006e9cfda43afae82a1474e91df1797752bd5dc9ed9486705d327f8
                  • Instruction ID: 330f9d37bfbee2413ddd54e4fe6fd9765ecb75807d75aa31bc790537249ee9a4
                  • Opcode Fuzzy Hash: a869c2238006e9cfda43afae82a1474e91df1797752bd5dc9ed9486705d327f8
                  • Instruction Fuzzy Hash: FDC08C168DC3F10FFE07B2321D220D12F3245532A038E02C3D8018A037C81D8949C282
                  Memory Dump Source
                  • Source File: 00000013.00000002.1868597149.0000000004140000.00000040.00000800.00020000.00000000.sdmp, Offset: 04140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_4140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d9084d0da76332c57e3b7d2e809fdc0e14ff87ab02989710d6d22ae48b9f9ce1
                  • Instruction ID: 1c6a8883718ecab26660427f1d2decb34129f2bbf36a33b407a9ac33a76affec
                  • Opcode Fuzzy Hash: d9084d0da76332c57e3b7d2e809fdc0e14ff87ab02989710d6d22ae48b9f9ce1
                  • Instruction Fuzzy Hash: F1D01274A0420A8BC718EFA4D84696EBBF4A784300F004159D90593380EB356C41CBC1
                  Memory Dump Source
                  • Source File: 00000013.00000002.1868597149.0000000004140000.00000040.00000800.00020000.00000000.sdmp, Offset: 04140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_4140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b07bda5303d0f059dc905a540735da9553e2576856cd9cacf2e44ce49c3002e9
                  • Instruction ID: 6ee9c8167aac27a186559e38edc3c619755c181ac593661f998e1bc0c772a7ed
                  • Opcode Fuzzy Hash: b07bda5303d0f059dc905a540735da9553e2576856cd9cacf2e44ce49c3002e9
                  • Instruction Fuzzy Hash: 71B092350847098FC299AF75E8088147329BB4021978008A8EA0E1A2938E3AE889CE45
                  Strings
                  Memory Dump Source
                  • Source File: 00000013.00000002.1892175885.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_7030000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4'^q$4'^q$4'^q$4'^q$84'l$84'l$tP^q$tP^q$J*l$J*l$J*l$J*l$J*l$r)l$r)l
                  • API String ID: 0-572979778
                  • Opcode ID: e4df6ef5aa524b7a4ee8c6e1cc24a1b6e824438624ebc48ae072e866fac9ac7e
                  • Instruction ID: f7223ce88e19407e9c9e709a58ec16a359214b0066e70f37d2cc995e6fb666a6
                  • Opcode Fuzzy Hash: e4df6ef5aa524b7a4ee8c6e1cc24a1b6e824438624ebc48ae072e866fac9ac7e
                  • Instruction Fuzzy Hash: 10D14AB1B0470A8FC7648B69940466AFBFAAFCA310F18C6BBD515CF256DB31C845C7A1
                  Strings
                  Memory Dump Source
                  • Source File: 00000013.00000002.1892175885.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_7030000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: ,S)l$,S)l$4'^q$4'^q$tP^q$tP^q$R)l$R)l
                  • API String ID: 0-1217992738
                  • Opcode ID: 31def0465127ec27a4f8d2be30c44f649180b67387ebc84238ac1f0225c5e104
                  • Instruction ID: 5d9292563ec2c37243bd09043dcec12bc0c428a0aac42f47fa4b43c217763be5
                  • Opcode Fuzzy Hash: 31def0465127ec27a4f8d2be30c44f649180b67387ebc84238ac1f0225c5e104
                  • Instruction Fuzzy Hash: F6D18BB1B043499FDB608B698841B6AFFEAAFC6310F14C27BD915CB351DA35D881C7A1
                  Strings
                  Memory Dump Source
                  • Source File: 00000013.00000002.1892175885.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_7030000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q
                  • API String ID: 0-3865595929
                  • Opcode ID: a0ad37087f8473ef7374783f8124ddcee362f02025f79b438ea53272276dadb0
                  • Instruction ID: bf5f46c076ab81fbb24b58e8172e0db910802a39b9e067f5d0ff7bd0c41ae855
                  • Opcode Fuzzy Hash: a0ad37087f8473ef7374783f8124ddcee362f02025f79b438ea53272276dadb0
                  • Instruction Fuzzy Hash: A8A19AB17043498FCB148A69984176AFFEAAFC6710F1486AFE559CF3A2CA31CC45C761
                  Strings
                  Memory Dump Source
                  • Source File: 00000013.00000002.1868597149.0000000004140000.00000040.00000800.00020000.00000000.sdmp, Offset: 04140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_4140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: ,bq$$^q$$^q$$^q$$^q$$^q$$^q
                  • API String ID: 0-13851718
                  • Opcode ID: 7b5e6b6754a26670866c977db5ff3f751b37fdb76b4af2f079869345f9b8c396
                  • Instruction ID: 01f923f21cb594c48a6293fac06edd3bb92f2b46f304a1359e0ac38d3beeb25e
                  • Opcode Fuzzy Hash: 7b5e6b6754a26670866c977db5ff3f751b37fdb76b4af2f079869345f9b8c396
                  • Instruction Fuzzy Hash: DC413B303C46588FCB2D6B7999D452C2A937BC9B5031118EAD427CF3B5EF19EC828752
                  Strings
                  Memory Dump Source
                  • Source File: 00000013.00000002.1868597149.0000000004140000.00000040.00000800.00020000.00000000.sdmp, Offset: 04140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_4140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: tM)l$`_q$`_q$`_q$`_q
                  • API String ID: 0-636039193
                  • Opcode ID: 6bb077dea6dee0e2e8b0717d7846a600f439cde0f494f852fca1fce35117ac1f
                  • Instruction ID: e8f305e804be8724c7011559685f2a7af4450b962aca4bea72097c2e1cd5e9f4
                  • Opcode Fuzzy Hash: 6bb077dea6dee0e2e8b0717d7846a600f439cde0f494f852fca1fce35117ac1f
                  • Instruction Fuzzy Hash: 92B18374E0020A9FDB55DFA9D990A9DFBF2FF88300F108669D819AB355DB30A945CF90
                  Strings
                  Memory Dump Source
                  • Source File: 00000013.00000002.1868597149.0000000004140000.00000040.00000800.00020000.00000000.sdmp, Offset: 04140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_4140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: tM)l$`_q$`_q$`_q$`_q
                  • API String ID: 0-636039193
                  • Opcode ID: 9ec66b50d7c8f17a526f65267d07b294ca8f94486cf7106baee72b8c28f283be
                  • Instruction ID: 82e12451899b03d525cf4e5f3fc6b878e9589dedabf37da7962198c9d94fc756
                  • Opcode Fuzzy Hash: 9ec66b50d7c8f17a526f65267d07b294ca8f94486cf7106baee72b8c28f283be
                  • Instruction Fuzzy Hash: 11B18474E002099FDB55DFA9D990A9DFBF2FF88300F108669D819AB355EB30A945CF90
                  Strings
                  Memory Dump Source
                  • Source File: 00000013.00000002.1868597149.0000000004140000.00000040.00000800.00020000.00000000.sdmp, Offset: 04140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_4140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: tM)l$`_q$`_q$`_q$`_q
                  • API String ID: 0-636039193
                  • Opcode ID: 49eef163691dd92a972d4f4a1be22edbe3f20069faf92910c15cea41c56a983c
                  • Instruction ID: 695746348705439a1bd5b21cce4f21c3905256eb85b357ace423dfd6f55c0b8d
                  • Opcode Fuzzy Hash: 49eef163691dd92a972d4f4a1be22edbe3f20069faf92910c15cea41c56a983c
                  • Instruction Fuzzy Hash: 4CB17374E0020A9FDB55DFA9D990A9DFBF2FF88300F108629D819AB355DB70A945CF90
                  Strings
                  Memory Dump Source
                  • Source File: 00000013.00000002.1892175885.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_7030000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: fcq$4'^q$4'^q$r)l$r)l
                  • API String ID: 0-1752403509
                  • Opcode ID: 1d824827cf0a1122d8d94bf2a5700267d6b5e268534e92d949b9f04eca62492d
                  • Instruction ID: 5bc34954b0d1fd0e3c7ecf0595d669d40eea2f98291f1332134eccb079bf6491
                  • Opcode Fuzzy Hash: 1d824827cf0a1122d8d94bf2a5700267d6b5e268534e92d949b9f04eca62492d
                  • Instruction Fuzzy Hash: 4D713570B053458FCB199B69D810A6ABBE7AFC6310F1484BBD945CB251CB318C46CBD2
                  Strings
                  Memory Dump Source
                  • Source File: 00000013.00000002.1892175885.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_7030000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4'^q$4'^q$$^q$$^q$$^q
                  • API String ID: 0-3272787073
                  • Opcode ID: 98c3c851b972b39154efbac101be2c16fca21a045c7d8a1f887f2e52fb85d1a1
                  • Instruction ID: 00b330e7d829fb31bf37ff5b72bb19565c490bb4d690924b5ed4c6c50caec9dd
                  • Opcode Fuzzy Hash: 98c3c851b972b39154efbac101be2c16fca21a045c7d8a1f887f2e52fb85d1a1
                  • Instruction Fuzzy Hash: EA514BF570430A9FCB748B2A885076AFBE9AFC2612F24867BD415CB351DB31C885C7A1
                  Strings
                  Memory Dump Source
                  • Source File: 00000013.00000002.1868597149.0000000004140000.00000040.00000800.00020000.00000000.sdmp, Offset: 04140000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_4140000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: `Q^q$$^q$$^q$$^q
                  • API String ID: 0-2499013975
                  • Opcode ID: d8007e6bc8c849f39eb15a916c2522ea8542c7fc1a736b94e12d198389a20f0c
                  • Instruction ID: 39351595379e844b0a38f0a987f79a28a4134729f38fb711d74ad57ecdb466f9
                  • Opcode Fuzzy Hash: d8007e6bc8c849f39eb15a916c2522ea8542c7fc1a736b94e12d198389a20f0c
                  • Instruction Fuzzy Hash: DBE1F2307402148FDB189FB98594A2E77D7AFC9B10B2544AAD906DF3A4EF35EC428792
                  Strings
                  Memory Dump Source
                  • Source File: 00000013.00000002.1892175885.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_7030000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: $^q$$^q$$^q$$^q
                  • API String ID: 0-2125118731
                  • Opcode ID: 65a204b49091353be8696ddbdfea88e6bd6a914c3861d39be0d018a2def6c5e6
                  • Instruction ID: 4b4755595599cfe9f7735cc9bc7cb6301adb7af95adb368755e1d1ee0c7d3ed8
                  • Opcode Fuzzy Hash: 65a204b49091353be8696ddbdfea88e6bd6a914c3861d39be0d018a2def6c5e6
                  • Instruction Fuzzy Hash: E121ABB170030A9BDB745A3A9C00B2BBBDEAFC0711F24853AA909DF3A1DD75C8518360
                  Strings
                  Memory Dump Source
                  • Source File: 00000013.00000002.1892175885.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_7030000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4'^q$4'^q$$^q$$^q
                  • API String ID: 0-2049395529
                  • Opcode ID: 9654526e20b6f99f4405e32ec093f9a630c5909c56b9a7ad6be61e6415027deb
                  • Instruction ID: 0258d8eaf14700e59cc2af4f2855ff7addf0f18f578a601ffdc7e5785ebde195
                  • Opcode Fuzzy Hash: 9654526e20b6f99f4405e32ec093f9a630c5909c56b9a7ad6be61e6415027deb
                  • Instruction Fuzzy Hash: 3501A26170E38A5FC72B162818245656FFB5FC3A0072A45DBC491DF36BCD1A4C4E8367
                  Strings
                  Memory Dump Source
                  • Source File: 00000013.00000002.1892175885.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_19_2_7030000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: $^q$$^q$J*l$J*l
                  • API String ID: 0-2439580138
                  • Opcode ID: 4280ab9b15bf4e4292be811f8070d9c7fd9ec6e307b88bcaca09df932b735f97
                  • Instruction ID: 2b822e80fb4d0f89a50baace95d2faf0d72c94c8711e64d7a36e4ea6355ab8eb
                  • Opcode Fuzzy Hash: 4280ab9b15bf4e4292be811f8070d9c7fd9ec6e307b88bcaca09df932b735f97
                  • Instruction Fuzzy Hash: 0E01B1726093954FC327422C4D21547BFBA6EE361072A4697D5A0EF3ABC9398C49C3A2
                  Strings
                  Memory Dump Source
                  • Source File: 00000015.00000002.1926740068.00000000045F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_21_2_45f0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: {YLn^$YLn^
                  • API String ID: 0-2180512150
                  • Opcode ID: 174a766499b57e96a182efa33a7e53f51c2c686030a7070267acfb8787a21bbd
                  • Instruction ID: 442150da20a8ca677acd53604f5c8fabf2ad8e13158325c591097eb3b6e1b485
                  • Opcode Fuzzy Hash: 174a766499b57e96a182efa33a7e53f51c2c686030a7070267acfb8787a21bbd
                  • Instruction Fuzzy Hash: 73918871F006155BEB19EFB5C8145AEB7E3EFC4A04B00891DD50AAB344EF74AD068BD6
                  Strings
                  Memory Dump Source
                  • Source File: 00000015.00000002.1967036747.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_21_2_7460000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4'^q$4'^q$J5l$J5l$J5l$J5l$J5l$J5l$r4l$r4l
                  • API String ID: 0-277704837
                  • Opcode ID: 8f50df482ca6cf0d720c6cdf2bff05c75273e3d9a54b14682849e7b0af8e9fac
                  • Instruction ID: 97bf511a345ff9115300be73a7a56ff05cbe1bbe7c139801b2208d6b62206943
                  • Opcode Fuzzy Hash: 8f50df482ca6cf0d720c6cdf2bff05c75273e3d9a54b14682849e7b0af8e9fac
                  • Instruction Fuzzy Hash: 672214B5B00206AFCB148F7988486EBBBE1BF85311F04847BE505DB352DBB5D945CBA2
                  Strings
                  Memory Dump Source
                  • Source File: 00000015.00000002.1967036747.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_21_2_7460000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4'^q$4'^q$4'^q$4'^q
                  • API String ID: 0-1420252700
                  • Opcode ID: df5b4a4b4da6101ca0ccfcbd823afed7a31af2737df7098f8fc2f1222d1ddffc
                  • Instruction ID: 96f0529d2d09b00462b20dffd7c27f9cd49d35bd43abad986e2c95883c75d564
                  • Opcode Fuzzy Hash: df5b4a4b4da6101ca0ccfcbd823afed7a31af2737df7098f8fc2f1222d1ddffc
                  • Instruction Fuzzy Hash: 4C1246F5B042958FCB159E6C88096EBBBE29F82310F1484BBD501CF351DB31D946CBA2
                  Memory Dump Source
                  • Source File: 00000015.00000002.1926740068.00000000045F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_21_2_45f0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 571d20d38effd7affa0b1f76d92909cfc5e805a9a764af1456d98b512e761dad
                  • Instruction ID: 4cb565aaafff7bb668477228d29c75acf70426a3c2ee0c82c410b063a5b0f245
                  • Opcode Fuzzy Hash: 571d20d38effd7affa0b1f76d92909cfc5e805a9a764af1456d98b512e761dad
                  • Instruction Fuzzy Hash: 31E0ED353001118F87109B1DD854C66B7FAEFCE75571500AAE645DB335DA61EC01DB91
                  Memory Dump Source
                  • Source File: 00000015.00000002.1926740068.00000000045F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_21_2_45f0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: fbb35d4c8f88021ff9d4af0f6b2301e84057e6fa65d48334fdd1fb15a21af648
                  • Instruction ID: d212308fd81af08373cd9e70c528cdc23ce61fb0d54a53534381755d099285fe
                  • Opcode Fuzzy Hash: fbb35d4c8f88021ff9d4af0f6b2301e84057e6fa65d48334fdd1fb15a21af648
                  • Instruction Fuzzy Hash: 0EF06D39A12118DFCB00CF98E999D9DFBB2FB88311B15C595E909A7351CB31AD01CB40
                  Memory Dump Source
                  • Source File: 00000015.00000002.1926740068.00000000045F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_21_2_45f0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 98f9994efbbdfaadd99e022e4488088fdd41f5e4b69f731d441f602dbdebb6e6
                  • Instruction ID: 773bda80c22f77878ea36345cb19a3a69a0276bcc5ef21c9861fdd6cd74ddef5
                  • Opcode Fuzzy Hash: 98f9994efbbdfaadd99e022e4488088fdd41f5e4b69f731d441f602dbdebb6e6
                  • Instruction Fuzzy Hash: 0FE09A2630E3D21B8B17823D68104AAAF634AC323030D81FAE188CF257C8264C0A97A3
                  Memory Dump Source
                  • Source File: 00000015.00000002.1926740068.00000000045F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_21_2_45f0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 717d5597f65714adc2c67b7f4852978b87ffc366ae3bd4231ed6ee13bd61ca53
                  • Instruction ID: 0a5e0d2e975b1ec8ce7a353419c15740c6ee85d328030a8eb95c6f55c047d345
                  • Opcode Fuzzy Hash: 717d5597f65714adc2c67b7f4852978b87ffc366ae3bd4231ed6ee13bd61ca53
                  • Instruction Fuzzy Hash: 6DE09235B052515BDF092B74A80C2EE7B62FBD4729F04012EDA0B83242CF790806C795
                  Memory Dump Source
                  • Source File: 00000015.00000002.1926740068.00000000045F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_21_2_45f0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 59a60a26bf651de04b35ed07a3ec75f76d1fe90add1586d50673b2677f8a2128
                  • Instruction ID: 21241fcd07d47ac9bf97296fd0a89fcbaece4beb4c0412461994d871e28f2e59
                  • Opcode Fuzzy Hash: 59a60a26bf651de04b35ed07a3ec75f76d1fe90add1586d50673b2677f8a2128
                  • Instruction Fuzzy Hash: C7E0C222742417061B5470F92C407FF4ACB9FC00A9309013ADB45C7241EE54FC0663E3
                  Memory Dump Source
                  • Source File: 00000015.00000002.1926740068.00000000045F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_21_2_45f0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: af88c0f813dc63e785928aa192cb7d632cc4fa873842646407a4778ed703267a
                  • Instruction ID: 43c818435d06a2deb5a8345035bce1a6c28c88a1deba19316de400c232c2fcc7
                  • Opcode Fuzzy Hash: af88c0f813dc63e785928aa192cb7d632cc4fa873842646407a4778ed703267a
                  • Instruction Fuzzy Hash: 23F06D70A013044FD7649FB9D89C79ABBE5FB44310F00442ED64ED3341DB3968818B90
                  Memory Dump Source
                  • Source File: 00000015.00000002.1926740068.00000000045F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_21_2_45f0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9ab49a75a1a9d79e6e2da864cfa9186e36ac930a34d11ef5c9f2394919a3df11
                  • Instruction ID: e4a7dec8872acd705c596022b17578f99035e58985c5f056f8aced78fc1b0720
                  • Opcode Fuzzy Hash: 9ab49a75a1a9d79e6e2da864cfa9186e36ac930a34d11ef5c9f2394919a3df11
                  • Instruction Fuzzy Hash: 79E02631B052104BDF083B75A80C2AE7A56FBC4B29F04002EDA0B83382CF3C180283DA
                  Memory Dump Source
                  • Source File: 00000015.00000002.1926740068.00000000045F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_21_2_45f0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2e9119f09aa9262af1f819b89fb3305038e610b7a9b4c39780860787e4699bae
                  • Instruction ID: 424294029f97e895eb1e359631d577726bc5a6fd04d837e1de33c62d05b9d650
                  • Opcode Fuzzy Hash: 2e9119f09aa9262af1f819b89fb3305038e610b7a9b4c39780860787e4699bae
                  • Instruction Fuzzy Hash: F1D05E22702527171A5470FA6C407BFA5CF9FC54A970900369B09C7281EE44FC0163F3
                  Memory Dump Source
                  • Source File: 00000015.00000002.1926740068.00000000045F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_21_2_45f0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                  • Instruction ID: c823f78e24bbf529a18c501a9d5b8785936afd0c1c890445c38f05456f1c69a6
                  • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                  • Instruction Fuzzy Hash: D6E08631B10014A78B089959D8104EDFBBAEBCC220F04847ADA0AA7340DA32691996E1
                  Memory Dump Source
                  • Source File: 00000015.00000002.1926740068.00000000045F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_21_2_45f0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 382229567acc05efc38f14ab6cebad0ff682cf354b1bd163f0e6f2790fdc0da8
                  • Instruction ID: 06184f05bfb5d41b95e2dac18bdfc2f76ab7db7f3a1a7e0aa17f9630be5572ae
                  • Opcode Fuzzy Hash: 382229567acc05efc38f14ab6cebad0ff682cf354b1bd163f0e6f2790fdc0da8
                  • Instruction Fuzzy Hash: 5EE04830D0A185DBCB06AB79D8494ED7F70FF12311B0105EDD55396552D631498FCF81
                  Memory Dump Source
                  • Source File: 00000015.00000002.1926740068.00000000045F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_21_2_45f0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3084799b47cb427ccb9070e1f76538006fcb5c6fba157b29f43668cf1e5bf431
                  • Instruction ID: b73362889be9fff335d48c713e187e28aee049d1387503b3443a8734a87b1b1d
                  • Opcode Fuzzy Hash: 3084799b47cb427ccb9070e1f76538006fcb5c6fba157b29f43668cf1e5bf431
                  • Instruction Fuzzy Hash: 75E09230D0A28A8FCB05DB78D485469BFB0EB06210B0445A9DD869B612D6304815DF81
                  Memory Dump Source
                  • Source File: 00000015.00000002.1926740068.00000000045F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_21_2_45f0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 02128d290a31dd54204ab0f8eea9c46b55cd61c9ae87b52ed073f967be0f9b24
                  • Instruction ID: 951c50afcd31bba8890eb4177cb134ab1d0b1fe2b2d291ef89fb932a15c20b5e
                  • Opcode Fuzzy Hash: 02128d290a31dd54204ab0f8eea9c46b55cd61c9ae87b52ed073f967be0f9b24
                  • Instruction Fuzzy Hash: F3E01270E441469E8B80DF78C8809AAFFF0AF49240B1485AED549E7211E7318511DF91
                  Memory Dump Source
                  • Source File: 00000015.00000002.1926740068.00000000045F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_21_2_45f0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                  • Instruction ID: 9fdc31bd671ed49e7832f7ba2a6ad3f56d2865fd7d022b0d81737965c83ccd9f
                  • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                  • Instruction Fuzzy Hash: 4ED067B1D042099F8780EFADC94156EFBF4EB48200F6085AA8919E7301F7329A12DBD1
                  Memory Dump Source
                  • Source File: 00000015.00000002.1926740068.00000000045F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_21_2_45f0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d0d1dfd56144e718243722400aa2fff8c26dcd42ff438fc7425f0b3bf28f8b5c
                  • Instruction ID: 289fefef77503b5ee278337610d05e8f0832d788fc09a24f5610570e1979bcde
                  • Opcode Fuzzy Hash: d0d1dfd56144e718243722400aa2fff8c26dcd42ff438fc7425f0b3bf28f8b5c
                  • Instruction Fuzzy Hash: F3D01730D06109DBCB08BBA4EC1A4BDBB74FA00301F40016DDA1762291EB356A4BCAC1
                  Memory Dump Source
                  • Source File: 00000015.00000002.1926740068.00000000045F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_21_2_45f0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d02717e0353a01e68ab0e86850a1ae234e5a95db3dea60ecc17b71ff9452b163
                  • Instruction ID: fb9cebe2aac11db85c3e0ba79ea4f775b34256a42ae080496d8b4b77eb6288bd
                  • Opcode Fuzzy Hash: d02717e0353a01e68ab0e86850a1ae234e5a95db3dea60ecc17b71ff9452b163
                  • Instruction Fuzzy Hash: EBD01734E0920A9F8B08EFA4E94686EBFB4EB44200F00456ADE4AA3741EA306801DBC1
                  Memory Dump Source
                  • Source File: 00000015.00000002.1926740068.00000000045F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_21_2_45f0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3237eb3f7d6a11e7cfb7e7dad22ccca0ead111aca9f1bbd71e9a82275419a99b
                  • Instruction ID: b7e610ecd223c16aee500f00dbee7a74495b93215297743d6e312d145431962c
                  • Opcode Fuzzy Hash: 3237eb3f7d6a11e7cfb7e7dad22ccca0ead111aca9f1bbd71e9a82275419a99b
                  • Instruction Fuzzy Hash: ABD09239F41218CFDB04CB98E895A9CF371FB84325F1084A6E619A7251CB32A912CB40
                  Memory Dump Source
                  • Source File: 00000015.00000002.1926740068.00000000045F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_21_2_45f0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 971d5f389d7f0aa395132ed6e6ac4b17b412b470200fcd16f6787c28b7109b90
                  • Instruction ID: 8e3a28b0f6f992f1bc58e387b705ce8cf1761cf0ac85cb258914ab0da9394a72
                  • Opcode Fuzzy Hash: 971d5f389d7f0aa395132ed6e6ac4b17b412b470200fcd16f6787c28b7109b90
                  • Instruction Fuzzy Hash: 26C08C309183809FFF07473C5CA20087F709A4731230701E6E800CB532D9388C85CB61
                  Memory Dump Source
                  • Source File: 00000015.00000002.1926740068.00000000045F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_21_2_45f0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6e5b8fc83808eeff6ea68d1d4e7b06474c77dd79a97531faa4f17b8451358fdc
                  • Instruction ID: 57c2fa01e44395dbdae701663e9e99378e19022fd3fb7b74c8a9cdb206acd1ef
                  • Opcode Fuzzy Hash: 6e5b8fc83808eeff6ea68d1d4e7b06474c77dd79a97531faa4f17b8451358fdc
                  • Instruction Fuzzy Hash: C6C0123404538A8FCB155F34D0448583B20FFC121531109ECD90E0A663C6329485CF01
                  Memory Dump Source
                  • Source File: 00000015.00000002.1926740068.00000000045F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_21_2_45f0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ea4618469d5601dbcbed117a117a492d35cf878e278113337940a1ed6dc4cea1
                  • Instruction ID: acefce1864e3376eae4641c357f11094bdc75dc64c648e34408e6d198f0ff2d4
                  • Opcode Fuzzy Hash: ea4618469d5601dbcbed117a117a492d35cf878e278113337940a1ed6dc4cea1
                  • Instruction Fuzzy Hash: 68B0923104470D8FC3496F75E4088247329BF8121938008ECE90E0A2939F36E899CA45
                  Strings
                  Memory Dump Source
                  • Source File: 00000015.00000002.1967036747.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_21_2_7460000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: $c'k$4'^q$4'^q$4'^q$4'^q$842l$842l$tP^q$tP^q$J5l$J5l$J5l$J5l$J5l$r4l$r4l
                  • API String ID: 0-779766678
                  • Opcode ID: a483f90b555323ca707930ad4b8e01ed54ba44d665b88a581dba333e2b443602
                  • Instruction ID: 2b0b3d972c89ad31eccb63bb96e8c6b8970972dce029b2da9f667561a5c62d50
                  • Opcode Fuzzy Hash: a483f90b555323ca707930ad4b8e01ed54ba44d665b88a581dba333e2b443602
                  • Instruction Fuzzy Hash: 19D127B5B0420ADFC7249B6894086EBBBE6AFC5310F14C4BBD6158B355DB32D846CB93
                  Strings
                  Memory Dump Source
                  • Source File: 00000015.00000002.1967036747.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_21_2_7460000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: fcq$4'^q$4'^q$4'^q$4'^q$r4l$r4l
                  • API String ID: 0-771570787
                  • Opcode ID: 2a7f24665721177ad3084f1a82bd812dace99eec7a211b7b19bdd3b374cbe841
                  • Instruction ID: d3da5ce45e27766d3634ad99bbdf0cfb76f7055e39645512dfc8036472af24c5
                  • Opcode Fuzzy Hash: 2a7f24665721177ad3084f1a82bd812dace99eec7a211b7b19bdd3b374cbe841
                  • Instruction Fuzzy Hash: 77F135B17043558FC7258B789418AABBBE2AFC2310F14C4BBD545CB366DB31D846CBA2
                  Strings
                  Memory Dump Source
                  • Source File: 00000015.00000002.1967036747.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_21_2_7460000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4'^q$4'^q$$^q$$^q$$^q$*l$*l
                  • API String ID: 0-575290175
                  • Opcode ID: c867df4db214b0d1e569118b4deafc1cdce373792f9f955f1132f63197226243
                  • Instruction ID: a2c7a7e51badf504d15348c5da23e4e9d587c83a104dd6d5dfc2e82e7dfea3f6
                  • Opcode Fuzzy Hash: c867df4db214b0d1e569118b4deafc1cdce373792f9f955f1132f63197226243
                  • Instruction Fuzzy Hash: 075135B57043868FCB245E6988082E7BBE6AFC2711F14C47BD445CB352DA31C886CBA2
                  Strings
                  Memory Dump Source
                  • Source File: 00000015.00000002.1926740068.00000000045F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_21_2_45f0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: tM4l$`_q$`_q$`_q$`_q
                  • API String ID: 0-2693823794
                  • Opcode ID: ed8ba6aa5069358d7023bd9b3ebb0537b11c67891578e25649b27c220119de3b
                  • Instruction ID: 2919a874953d18b394d0fe874580a517490a1e87e467b48cd1ef30f44183ca11
                  • Opcode Fuzzy Hash: ed8ba6aa5069358d7023bd9b3ebb0537b11c67891578e25649b27c220119de3b
                  • Instruction Fuzzy Hash: CEB1C974E012099FDB54DFA9D990A9DFBF2FF88300F10862AD919AB355DB30A945CF90
                  Strings
                  Memory Dump Source
                  • Source File: 00000015.00000002.1926740068.00000000045F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_21_2_45f0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: tM4l$`_q$`_q$`_q$`_q
                  • API String ID: 0-2693823794
                  • Opcode ID: 5c1087edaf775cce1137b3b209f1693a8ad48e2c816f4c3d62f5d370376c1f5d
                  • Instruction ID: 24cfeaab2a763fde975a8fe4c0fdaedb734923c4f7f18e3f5f6c03f96a3f3343
                  • Opcode Fuzzy Hash: 5c1087edaf775cce1137b3b209f1693a8ad48e2c816f4c3d62f5d370376c1f5d
                  • Instruction Fuzzy Hash: DEB1C974E012099FDB54DFA9D990A9DFBF2FF88304F108629D819AB315EB30A945CF90
                  Strings
                  Memory Dump Source
                  • Source File: 00000015.00000002.1967036747.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_21_2_7460000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: $^q$$^q$$^q$$^q
                  • API String ID: 0-2125118731
                  • Opcode ID: 5e64833480804908bcb73211b67cb8e9c65d49a753d467f8f163f62cba61a134
                  • Instruction ID: 57cad7d0dfb4e00c161619b5caffcfddec4d4c9e4c68a64e0f383039aeb35ebd
                  • Opcode Fuzzy Hash: 5e64833480804908bcb73211b67cb8e9c65d49a753d467f8f163f62cba61a134
                  • Instruction Fuzzy Hash: 54214DB170430A9BDB34597A9848BBBF7D6ABC0B11F24883BE505CF785DD75C8618362
                  Strings
                  Memory Dump Source
                  • Source File: 00000015.00000002.1967036747.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_21_2_7460000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: $^q$$^q$J5l$J5l
                  • API String ID: 0-793414356
                  • Opcode ID: 049da04989b659bf1f987a01f1c8ebe86aec65e8d6893db3068936076a8de796
                  • Instruction ID: a434ff1a2cdc73af3f915747184fc79138d3fedbad3c2e54b8fd14ce99dbc18e
                  • Opcode Fuzzy Hash: 049da04989b659bf1f987a01f1c8ebe86aec65e8d6893db3068936076a8de796
                  • Instruction Fuzzy Hash: 861136F6A0C3815FC326462C5C144D7BFE2AFC271071989A7D180DF36AC5618C9AC763
                  Strings
                  Memory Dump Source
                  • Source File: 00000015.00000002.1967036747.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_21_2_7460000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4'^q$4'^q$$^q$$^q
                  • API String ID: 0-2049395529
                  • Opcode ID: 3bb81bd0236f6128c93f6f8ce5689a3b24d1836560596f7bd402ccae8a96ff69
                  • Instruction ID: 9f774b27d24efd75095060fa6c84431ef65e65ae7525a559d59e9684f328175c
                  • Opcode Fuzzy Hash: 3bb81bd0236f6128c93f6f8ce5689a3b24d1836560596f7bd402ccae8a96ff69
                  • Instruction Fuzzy Hash: C401D42170D3854FC32B172808245966FF25F83A1171944DBC481DF3A7CE158C8987A7
                  Memory Dump Source
                  • Source File: 00000019.00000002.2019852702.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_68e0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8f9374e8f663acca9238f836f85c22a797e0551a7a13a4950c4ba0e2ed3a411f
                  • Instruction ID: 658db59d8cef46f2512fae97d12e4534e815536f44a812dbdcf942b29410118a
                  • Opcode Fuzzy Hash: 8f9374e8f663acca9238f836f85c22a797e0551a7a13a4950c4ba0e2ed3a411f
                  • Instruction Fuzzy Hash: AD919371B006195BDB59EFB5C8146BEB7E2EF84604B00891DD11AAB740DF74AE0B8BC6
                  Memory Dump Source
                  • Source File: 00000019.00000002.2019852702.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_68e0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 21a51d90c1751c9b2c2d49c7a8c45f7bac2cb122735bd675c57f431b6d531ca8
                  • Instruction ID: ed79ea18103ad4fa7e7a14726fb09adbcbb58017b4ade316e9b8471275a87ee7
                  • Opcode Fuzzy Hash: 21a51d90c1751c9b2c2d49c7a8c45f7bac2cb122735bd675c57f431b6d531ca8
                  • Instruction Fuzzy Hash: 3C91A371B006195BDB59EFB5C8146BEB7E2EF84604B00891DD11BAB740DF74AE0A8BC6
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.2024688641.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_7290000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4'^q$4'^q$J5l$J5l$J5l$r4l$r4l
                  • API String ID: 0-3014605459
                  • Opcode ID: a2ef95d300b33d7ff6f88d8321961511eb1da496511806dd502e520e1fce4ecd
                  • Instruction ID: 0d40f6565777ffbdcbd5dc544faff67ac64d19d17cffe4a8f217cd502d668ac6
                  • Opcode Fuzzy Hash: a2ef95d300b33d7ff6f88d8321961511eb1da496511806dd502e520e1fce4ecd
                  • Instruction Fuzzy Hash: BAF148B5B20307EFDF158F6888406AABBE6BF86311F1880BAD505DB251DB31DD45CBA1
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.2024688641.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_7290000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4'^q$4'^q$4'^q$4'^q
                  • API String ID: 0-1420252700
                  • Opcode ID: 4404deb3ac58bd92e6473ae692c5de0cd7d56ae456cd00bbe7a21efd7f97699e
                  • Instruction ID: 41c8bb7b52770daaa6028d02e941f887cc11f41902762364ee6fc4bc2459d227
                  • Opcode Fuzzy Hash: 4404deb3ac58bd92e6473ae692c5de0cd7d56ae456cd00bbe7a21efd7f97699e
                  • Instruction Fuzzy Hash: A8F14AB5B243968FCF159A78941166BBFE2AF82210F1C84BAD541CF392DB31DC46CB91
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.2019852702.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_68e0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: J5l
                  • API String ID: 0-2959599269
                  • Opcode ID: 1b55fbaa43b92c4d7a25f77c2d76684a54f120d419c196058495477016cdb88d
                  • Instruction ID: dda1ab4cbd28334ae3e4e2519c5d3833abaebb11039013fc086fa5cae3b3a5f6
                  • Opcode Fuzzy Hash: 1b55fbaa43b92c4d7a25f77c2d76684a54f120d419c196058495477016cdb88d
                  • Instruction Fuzzy Hash: 7F419A71A002099FCB14DFA9D998AADBBF1FF49304F148169E416EB3A0DB34AD45CB91
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.2019852702.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_68e0000_powershell.jbxd
                  • Opcode Fuzzy Hash: 49336fc47ec1a39d951a78cd0f3e65c3394a200a81d41ff4f35437b7103c8689
                  • Instruction Fuzzy Hash: 5CF082357141404FC7018B2DD4A4866BBF9EFCF61431900DAE588DB732DA61DC12CB91
                  Memory Dump Source
                  • Source File: 00000019.00000002.2019852702.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_68e0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c2fa6cd238cd12054aea35ba3a3939180941382201ce6fad89d503cd30e3ca04
                  • Instruction ID: 4840cc7a8b2756407af2b98757e1dc8cf932f314de544efead01df5bda260b7c
                  • Opcode Fuzzy Hash: c2fa6cd238cd12054aea35ba3a3939180941382201ce6fad89d503cd30e3ca04
                  • Instruction Fuzzy Hash: 2FF0A0317006189FD750AB6AEC44A7FB7E9EB89265B00092DE50ED3350DF75AC4587A1
                  Memory Dump Source
                  • Source File: 00000019.00000002.1988869152.00000000043ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 043ED000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_43ed000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: dcc4f890e3867d880a030a0e898173c74233f3d5f840fc8ec75f52bcc6b59e13
                  • Instruction ID: d6d7ae3d7180390b65c00af53a6c457d769f63bcb0543e9550d80e6b5b403047
                  • Opcode Fuzzy Hash: dcc4f890e3867d880a030a0e898173c74233f3d5f840fc8ec75f52bcc6b59e13
                  • Instruction Fuzzy Hash: CDF0F975200A40AFD725CF06CD85D33BBB9EB89720B198499F84A5B752C671FC42CF60
                  Memory Dump Source
                  • Source File: 00000019.00000002.2019852702.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_68e0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7e98546b9d85bb2ce4b51d5daf70d0415e036907638f804ab2aab138be35c532
                  • Instruction ID: 41e763d146b3a041ea47d4ea6dbf86a6a60ea1a2f37913749d62856c54cd7340
                  • Opcode Fuzzy Hash: 7e98546b9d85bb2ce4b51d5daf70d0415e036907638f804ab2aab138be35c532
                  • Instruction Fuzzy Hash: 25F052363083409BCB066B74E81D6AC7BA1FF86224F050096E50087282CF399802C3A2
                  Memory Dump Source
                  • Source File: 00000019.00000002.2019852702.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_68e0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a72fafb50452913e4cc568d7730fa79b46d87e5356e33f2dd9f430c22eee58f0
                  • Instruction ID: bdaf386dc013d1266c18f2170b826d6932360a54eb73a8ddaffac15101681bdd
                  • Opcode Fuzzy Hash: a72fafb50452913e4cc568d7730fa79b46d87e5356e33f2dd9f430c22eee58f0
                  • Instruction Fuzzy Hash: 07F0A0397001148FDB009BADAA40AAE77A2EBC97597054199EA09CB364DF35DC02CB91
                  Memory Dump Source
                  • Source File: 00000019.00000002.2019852702.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_68e0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 806a2d9ba84fe0e62deaf999562d1a5da55c1600bc4623bf5b21dbe6e68a27ed
                  • Instruction ID: be8f789f599945b2feb14e1a8e3a4365c81977c09d842a92c518fba952189d20
                  • Opcode Fuzzy Hash: 806a2d9ba84fe0e62deaf999562d1a5da55c1600bc4623bf5b21dbe6e68a27ed
                  • Instruction Fuzzy Hash: 53F02E757001049BE310AB65D0143AF77D6DFC1319F10816ACD09473C4CD3D6806CBE1
                  Memory Dump Source
                  • Source File: 00000019.00000002.2019852702.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_68e0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5b1e4cd31aae70d2f6f93c9516f72bf91ad6b8615fc61e88a2070be05978b6f5
                  • Instruction ID: 3e27a1faa15fb4436eac4afacf0310a52cf433093fc2903c91da816ab05283c8
                  • Opcode Fuzzy Hash: 5b1e4cd31aae70d2f6f93c9516f72bf91ad6b8615fc61e88a2070be05978b6f5
                  • Instruction Fuzzy Hash: F4E0E5397101118F86109B5ED498C2AB7EAEFCE76571900AAE649DB725DE72EC01CB90
                  Memory Dump Source
                  • Source File: 00000019.00000002.2019852702.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_68e0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f5a8bca4cd6862006fd526c55c9ca6c55ab7f0d999e5cacb3752dc5c1a7e6985
                  • Instruction ID: 736342fd437d37ed4fbe29792ad03796c42f10beb276eb57524985d36c98cb60
                  • Opcode Fuzzy Hash: f5a8bca4cd6862006fd526c55c9ca6c55ab7f0d999e5cacb3752dc5c1a7e6985
                  • Instruction Fuzzy Hash: 91E0D8337183D21B875AC22DDC5046ABFB78ED392031C80BBE150CB243EE55D8128761
                  Memory Dump Source
                  • Source File: 00000019.00000002.2019852702.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_68e0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: fbf88c095e29fd1d7b25640cf6cfec04163d9987899c06ba541e16da56c59859
                  • Instruction ID: 1a348796a85ed246cd5d7df326415acff20bbcaa780e5ba8455f98d8bfcaa90b
                  • Opcode Fuzzy Hash: fbf88c095e29fd1d7b25640cf6cfec04163d9987899c06ba541e16da56c59859
                  • Instruction Fuzzy Hash: 37E01252B112551B49D461BE5E506BEAACE8EDB4927050576DA14C3242ED40CC1283E2
                  Memory Dump Source
                  • Source File: 00000019.00000002.2019852702.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_68e0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 644bb2035f989d45b2923ac258234e66a6120e6b0eb9cbf7683f9c1cf0062f02
                  • Instruction ID: db23c817466ecedc3d6061775c5065e4a327286ebcc22dab127b0be6d05e0244
                  • Opcode Fuzzy Hash: 644bb2035f989d45b2923ac258234e66a6120e6b0eb9cbf7683f9c1cf0062f02
                  • Instruction Fuzzy Hash: E6F06D70A003049BD7649FB9E89C79ABBE9FB44310F005469E64EC3280DB3AA881CB90
                  Memory Dump Source
                  • Source File: 00000019.00000002.2019852702.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_68e0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 335b345f20a8e21b957bde82fef996978d86a4433d2242a25a587cebaf33210c
                  • Instruction ID: 9538d73e19b5eb3520d9f474f3a29d405a91ae7296df9f96e0ff91d3a7ba8371
                  • Opcode Fuzzy Hash: 335b345f20a8e21b957bde82fef996978d86a4433d2242a25a587cebaf33210c
                  • Instruction Fuzzy Hash: 39E02035704314D7CB193775B80C6AD7696FBC4724F01102AE61583341CF7D580383D5
                  Memory Dump Source
                  • Source File: 00000019.00000002.2019852702.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_68e0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7561078b6c926059256c7f3c62856089bccfb9cdd0da68e711a1d29004356dec
                  • Instruction ID: f3a12266c9f9ae96e4329dae1c10ba39fa54e69882ad93a85230ea229e7ac15a
                  • Opcode Fuzzy Hash: 7561078b6c926059256c7f3c62856089bccfb9cdd0da68e711a1d29004356dec
                  • Instruction Fuzzy Hash: 9ED05E52B112250B49E460BE1E006BFA5CE8ECB4A2B050176DA18C3242EC80CC0283F2
                  Memory Dump Source
                  • Source File: 00000019.00000002.2019852702.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_68e0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                  • Instruction ID: a830dc5c91332f421534688f0db4706fd4e81ec32248be8f4d91b6019e8085bd
                  • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                  • Instruction Fuzzy Hash: 39E08C35B04018ABCB48D6A9D8114EDFBAADFCD224F04807AD90AE7340DA72691A86E1
                  Memory Dump Source
                  • Source File: 00000019.00000002.2019852702.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_68e0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ed28ea9e232eebf9734d6524d08001b10e1ed494ae7521a4dfb343ce6e18d047
                  • Instruction ID: 655544828c1c6c2e5ebe929a77f1b1bd9d3869593f5c179f0f1404446eb6ac24
                  • Opcode Fuzzy Hash: ed28ea9e232eebf9734d6524d08001b10e1ed494ae7521a4dfb343ce6e18d047
                  • Instruction Fuzzy Hash: AFE0C232741A245B8251A72EA81486FB7EAEFC5671310802EE62AC7340DEA4ED0A47D5
                  Memory Dump Source
                  • Source File: 00000019.00000002.2019852702.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_68e0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: af2b86a77562d3e80b29faa0a400d76e5113e197349acf9250a4c0b823ae6501
                  • Instruction ID: a89223ed3f7ad0a768b395f631a6da91b76c7337888be35ed1471900ab9f15ff
                  • Opcode Fuzzy Hash: af2b86a77562d3e80b29faa0a400d76e5113e197349acf9250a4c0b823ae6501
                  • Instruction Fuzzy Hash: 96E01A3291414ADBCB19EBA4E85B8ADBFB0FB15301B010299D94292181EB369657CF84
                  Memory Dump Source
                  • Source File: 00000019.00000002.2019852702.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_68e0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5a4e06a7ec7d75151f0597893456bdc13d38fe363f374af15606661ab9360333
                  • Instruction ID: 2049a9ef95737a900d0184b7074b6c524b8d612d6869b95b364bdb0534a29322
                  • Opcode Fuzzy Hash: 5a4e06a7ec7d75151f0597893456bdc13d38fe363f374af15606661ab9360333
                  • Instruction Fuzzy Hash: 4EE09A3AA0820ADFC724EF74E8879ADBFF0BB0A204B044059D95487740DB31A851CBC2
                  Memory Dump Source
                  • Source File: 00000019.00000002.2019852702.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_68e0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a10051730a162efbbbd108dd99f97598d2231fd07fd911bdeae5ce756eed8201
                  • Instruction ID: 6ff092cf3fb758f3b66fd1310c75f3a8c30dd864c7938ccbe9aefbc21219c11d
                  • Opcode Fuzzy Hash: a10051730a162efbbbd108dd99f97598d2231fd07fd911bdeae5ce756eed8201
                  • Instruction Fuzzy Hash: 4CE01AB0D001899F8B80DFB8C55196EBFF1AB49204F2480AE8A09DB721EA318A01CF80
                  Memory Dump Source
                  • Source File: 00000019.00000002.2019852702.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_68e0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                  • Instruction ID: c15efd7803801cb1b3c7c69592f8d8c9b4f34feb7583bea1657c7ed8bf580fdf
                  • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                  • Instruction Fuzzy Hash: 78D062B0D0420D9F8780DFADC94156EFBF4EB49204F5085AA891DD7311E7319A128BD1
                  Memory Dump Source
                  • Source File: 00000019.00000002.2019852702.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_68e0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 20e116989bc00d106ad819902b253e74ee4831b8240f8d8f240f7cc22f6e16e7
                  • Instruction ID: aaf5d9a61ed5d5d659a7aca220a2f2732fa5d4a7c3525b622906d3562910ece8
                  • Opcode Fuzzy Hash: 20e116989bc00d106ad819902b253e74ee4831b8240f8d8f240f7cc22f6e16e7
                  • Instruction Fuzzy Hash: 97D0173080410DDBCB18ABA4F81F4BDBBB4FB00302F411269D90792190EA375A4BCAC0
                  Memory Dump Source
                  • Source File: 00000019.00000002.2019852702.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_68e0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3ac2bdbe2cf9abc6391764749f0f84dfcaf5ca76bac76d7afc8f39c49747abd1
                  • Instruction ID: 22e2597ddc4802a504e4dfc8bd9b9738a4cba995f9631a2e2c06f3b0ce566e46
                  • Opcode Fuzzy Hash: 3ac2bdbe2cf9abc6391764749f0f84dfcaf5ca76bac76d7afc8f39c49747abd1
                  • Instruction Fuzzy Hash: 97D01734E0820ADFCB68EFA4E84B86EBBF4BB45204F004169D90993344EA319C02CBC1
                  Memory Dump Source
                  • Source File: 00000019.00000002.2019852702.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_68e0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5f62a2410cf5d5290b29523d1e421862e3e5224ed32e82d12334a3fdc25c1c93
                  • Instruction ID: 928e8c4d84df7a5fcb8f2ffdbc1b30cee22851db21a5d733784905ffd134ff94
                  • Opcode Fuzzy Hash: 5f62a2410cf5d5290b29523d1e421862e3e5224ed32e82d12334a3fdc25c1c93
                  • Instruction Fuzzy Hash: BCC02B504081C01DFF95C33044D83033EF15F8390AF0543C8C0C096811D859C805CF02
                  Memory Dump Source
                  • Source File: 00000019.00000002.2019852702.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_68e0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5936e53d18d44f943170b13705edb84f52bb1959c59adbb32bb54fc2b8ebfb81
                  • Instruction ID: 726c7f617c2bc50b2ab1da1e96df1e3870b7064c75601bb1462a61ebc02d1302
                  • Opcode Fuzzy Hash: 5936e53d18d44f943170b13705edb84f52bb1959c59adbb32bb54fc2b8ebfb81
                  • Instruction Fuzzy Hash: DAD012754483899BCB565F78E0C89053F51AB02256B0009EDD84A4A193C936C049CF01
                  Memory Dump Source
                  • Source File: 00000019.00000002.2019852702.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_68e0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4e7b2cdb07354ca0441ef6b85d52baae47328d4f25191f50ea111475a23b7479
                  • Instruction ID: 1ba4f20a58524c7935c4e27cdced53792482d72865e3a5948a63476b5dbb4872
                  • Opcode Fuzzy Hash: 4e7b2cdb07354ca0441ef6b85d52baae47328d4f25191f50ea111475a23b7479
                  • Instruction Fuzzy Hash: D8B0923104870D8FC2496F75E4488157329BB4121A38008E8E90E0A292DE36E889CA45
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.2024688641.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_7290000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: fcq$842l$842l$`Q^q$`Q^q$`Q^q$`Q^q$tP^q$tP^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                  • API String ID: 0-4269484475
                  • Opcode ID: 76e362f8ba248ffa2c4bd6d11b816fd537c65cefe48475355a723fff3f9cb221
                  • Instruction ID: 60d9c8a95fcec4ecec68f6e7385cea31b9ee00f3dd8041eb31ac811d810d4bb6
                  • Opcode Fuzzy Hash: 76e362f8ba248ffa2c4bd6d11b816fd537c65cefe48475355a723fff3f9cb221
                  • Instruction Fuzzy Hash: DBB1E5B4A2020FDFCF189F5AC8446AA7BF2FB85301F188475E8018B295CB75DC65CBA1
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.2024688641.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_7290000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4'^q$4'^q$$^q$$^q$$^q$*l$*l
                  • API String ID: 0-575290175
                  • Opcode ID: c6949e5619502a957da9b5c493d2331b0b77e860bd3e6b95af2ff2cfcaa9cebd
                  • Instruction ID: 2030a554341baafddf09daf2f2c9f80e0138ef430b0f5b824c7fb9940cec051c
                  • Opcode Fuzzy Hash: c6949e5619502a957da9b5c493d2331b0b77e860bd3e6b95af2ff2cfcaa9cebd
                  • Instruction Fuzzy Hash: CB5114B57243479FCF24DA6988006AAFBE6AFC6610F2C847BD445CB253DA35C885CB91
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.2019852702.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_68e0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: ,bq$$^q$$^q$$^q$$^q$$^q$$^q
                  • API String ID: 0-13851718
                  • Opcode ID: 361b4f086c4b7f8cbab3d5804869f23fa42fbf7655b644283e4f57bfb97639be
                  • Instruction ID: b314c0c3009a2f5c71b48081c720f5093cfc569c34ab38fa11fbe2e71aab5bf1
                  • Opcode Fuzzy Hash: 361b4f086c4b7f8cbab3d5804869f23fa42fbf7655b644283e4f57bfb97639be
                  • Instruction Fuzzy Hash: D84181707940198FD769AB79A95D53C3AD37B8E70431018EAE122CF3A5DF5ACC838792
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.2019852702.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_68e0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: tM4l$`_q$`_q$`_q$`_q
                  • API String ID: 0-2693823794
                  • Opcode ID: 1477b37927bec2af710adac6eb80dcd3e12efe5533fb7953b049d00bb940f88f
                  • Instruction ID: 1cfd0c2c129e695657d2386d487e0c268631e09e0c7f80531fb0982dd4737268
                  • Opcode Fuzzy Hash: 1477b37927bec2af710adac6eb80dcd3e12efe5533fb7953b049d00bb940f88f
                  • Instruction Fuzzy Hash: FCB1A374E012099FDB54DFA9D990A9DFBF2FF89300F108629D919AB354EB30A945CF90
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.2019852702.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_68e0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: tM4l$`_q$`_q$`_q$`_q
                  • API String ID: 0-2693823794
                  • Opcode ID: 8866b74b41582136cf85b901c452d66d236f6eb627ef14ee9e388e013e69aca9
                  • Instruction ID: 8adf84d4127c20c339fe61675effc52887846cd2b89fc12e439c8528577aaf95
                  • Opcode Fuzzy Hash: 8866b74b41582136cf85b901c452d66d236f6eb627ef14ee9e388e013e69aca9
                  • Instruction Fuzzy Hash: 24B19474E012099FDB54DFA9D990A9DFBF2FF89300F108629D919AB354DB30A945CF90
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.2019852702.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_68e0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: tM4l$`_q$`_q$`_q$`_q
                  • API String ID: 0-2693823794
                  • Opcode ID: 700c51bf5aff7d046d7ef4fc459dc89d839e2b63cb29d3b45d6ec0557561cabb
                  • Instruction ID: 3bc9d33844b81ebfae396f93f72178f7383de01c959973b74a2c8d6894da66a0
                  • Opcode Fuzzy Hash: 700c51bf5aff7d046d7ef4fc459dc89d839e2b63cb29d3b45d6ec0557561cabb
                  • Instruction Fuzzy Hash: B9A18174E012199FDB54DFA9D990A9DFBF2FF89300F10862AD819AB354D730A945CF90
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.2019852702.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_68e0000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: `Q^q$$^q$$^q$$^q
                  • API String ID: 0-2499013975
                  • Opcode ID: 665e4133ffe84beefb0417214f337f0002d469137539963759ee99beb4ad1904
                  • Instruction ID: cc644df9ec72e6d0c1d0a031349984a2eb3107cb7e966e2399ac5315620399ae
                  • Opcode Fuzzy Hash: 665e4133ffe84beefb0417214f337f0002d469137539963759ee99beb4ad1904
                  • Instruction Fuzzy Hash: E4E11230B501148FDBA49B79951463E76D7AFCAA18B2444BADB02CF3A4EE75CC4287D2
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.2024688641.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_7290000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4'^q$J5l$J5l$r4l
                  • API String ID: 0-278684878
                  • Opcode ID: 680685f984b570936a8933720c6b83e6148835d7db2c9f3303a56f87f9326813
                  • Instruction ID: 623c853e8203c41929f5d6ccc26fec6df7f0124693c2df9779b616d77e07d68f
                  • Opcode Fuzzy Hash: 680685f984b570936a8933720c6b83e6148835d7db2c9f3303a56f87f9326813
                  • Instruction Fuzzy Hash: 4B4122F5A20207FBDF28CF55C850A6AB7E4BF41311F0C81BAD8108B291D734D994CBA2
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.2024688641.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_7290000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: $^q$$^q$$^q$$^q
                  • API String ID: 0-2125118731
                  • Opcode ID: 41a03ec4fcc2dddc95af1888f49122316894dce7ac0b5b717f865a543e3110e9
                  • Instruction ID: 4fc3122f66df9e8f45d2f8a3bd3b111f1a3fb122c9460b7a87fe1870d683335b
                  • Opcode Fuzzy Hash: 41a03ec4fcc2dddc95af1888f49122316894dce7ac0b5b717f865a543e3110e9
                  • Instruction Fuzzy Hash: 202135B173031B9BDF25192B9804B6BFBDAABC1710F28843AA905CB3C5DD76C9918361
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.2024688641.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_7290000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: ,S4l$,S4l$p5$k$R4l
                  • API String ID: 0-3766996042
                  • Opcode ID: ee86316cc665268e607091d6f2424a5bedce3a734c6eb763df6bdc14fe25b0df
                  • Instruction ID: 4a476c4e1aad254f038cc7aa1df560c436a50794c8430b264433eebb8a0dd517
                  • Opcode Fuzzy Hash: ee86316cc665268e607091d6f2424a5bedce3a734c6eb763df6bdc14fe25b0df
                  • Instruction Fuzzy Hash: A1216BF67202178BCF26CA689C012A6F7D29FC6210F0D847AD546CB652DA31C841C751
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.2024688641.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_7290000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4'^q$4'^q$$^q$$^q
                  • API String ID: 0-2049395529
                  • Opcode ID: c4005004c7d42ba22008cfceee14bb4b14c294fe9d98b550e694ea5ecc0e9e9f
                  • Instruction ID: c09ee747616a04c36138c4d4097cdcc3d158cb36520ad498652d6b103119e593
                  • Opcode Fuzzy Hash: c4005004c7d42ba22008cfceee14bb4b14c294fe9d98b550e694ea5ecc0e9e9f
                  • Instruction Fuzzy Hash: 0501B16066938B4FCB3B127818241196FF25F8395572D45EBC081CF2ABCE688C49876B
                  Strings
                  Memory Dump Source
                  • Source File: 00000019.00000002.2024688641.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_25_2_7290000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: $^q$$^q$J5l$J5l
                  • API String ID: 0-793414356
                  • Opcode ID: b759dc899f883a8082b627cc113b5e76728670337262a3071a493bfebebc265d
                  • Instruction ID: 76a9b828498dc0b735f82b7940926a6df25a3ac4016e7ae96039187be1d02c8b
                  • Opcode Fuzzy Hash: b759dc899f883a8082b627cc113b5e76728670337262a3071a493bfebebc265d
                  • Instruction Fuzzy Hash: AC01B175A29386DFCB2702385C10452BFF66F8361071E91E7C184CF66BC9248C69C7A3

                  Execution Graph

                  Execution Coverage: 11.3%
                  Dynamic/Decrypted Code Coverage: 100%
                  Signature Coverage: 0%
                  Total number of Nodes: 163
                  Total number of Limit Nodes: 11
                  execution_graph 34277 50f77bd 34279 50f7734 34277->34279 34278 50f7825 34279->34278 34283 50f9938 34279->34283 34297 50f99a4 34279->34297 34312 50f9948 34279->34312 34284 50f9948 34283->34284 34295 50f996a 34284->34295 34326 50f9dfb 34284->34326 34331 50fa0dc 34284->34331 34336 50fa53c 34284->34336 34341 50fa43d 34284->34341 34346 50fa052 34284->34346 34354 50fa065 34284->34354 34359 50f9d45 34284->34359 34363 50fa1f6 34284->34363 34368 50fa0e7 34284->34368 34373 50f9e38 34284->34373 34378 50fa248 34284->34378 34295->34278 34298 50f99a7 34297->34298 34299 50f9953 34297->34299 34298->34278 34300 50f996a 34299->34300 34301 50fa43d 2 API calls 34299->34301 34302 50fa53c 2 API calls 34299->34302 34303 50fa0dc 2 API calls 34299->34303 34304 50f9dfb 2 API calls 34299->34304 34305 50fa248 2 API calls 34299->34305 34306 50f9e38 2 API calls 34299->34306 34307 50fa0e7 2 API calls 34299->34307 34308 50fa1f6 2 API calls 34299->34308 34309 50f9d45 2 API calls 34299->34309 34310 50fa065 2 API calls 34299->34310 34311 50fa052 4 API calls 34299->34311 34300->34278 34301->34300 34302->34300 34303->34300 34304->34300 34305->34300 34306->34300 34307->34300 34308->34300 34309->34300 34310->34300 34311->34300 34313 50f9953 34312->34313 34314 50f996a 34313->34314 34315 50fa43d 2 API calls 34313->34315 34316 50fa53c 2 API calls 34313->34316 34317 50fa0dc 2 API calls 34313->34317 34318 50f9dfb 2 API calls 34313->34318 34319 50fa248 2 API calls 34313->34319 34320 50f9e38 2 API calls 34313->34320 34321 50fa0e7 2 API calls 34313->34321 34322 50fa1f6 2 API calls 34313->34322 34323 50f9d45 2 API calls 34313->34323 34324 50fa065 2 API calls 34313->34324 34325 50fa052 4 API calls 34313->34325 34314->34278 34315->34314 34316->34314 34317->34314 34318->34314 34319->34314 34320->34314 34321->34314 34322->34314 34323->34314 34324->34314 34325->34314 34327 50f9e01 34326->34327 34382 50f6ef8 34327->34382 34386 50f6ef2 34327->34386 34328 50f9e95 34328->34295 34332 50fa588 34331->34332 34390 50f6fca 34332->34390 34394 50f6fd0 34332->34394 34333 50fa5a6 34337 50fa4f2 34336->34337 34337->34336 34338 50fa344 34337->34338 34398 50f6a09 34337->34398 34402 50f6a10 34337->34402 34338->34295 34342 50fa453 34341->34342 34343 50fa344 34342->34343 34344 50f6a09 ResumeThread 34342->34344 34345 50f6a10 ResumeThread 34342->34345 34343->34295 34344->34342 34345->34342 34347 50fa05f 34346->34347 34348 50fa138 34346->34348 34350 50f6ef8 Wow64SetThreadContext 34347->34350 34351 50f6ef2 Wow64SetThreadContext 34347->34351 34349 50fa344 34348->34349 34352 50f6a09 ResumeThread 34348->34352 34353 50f6a10 ResumeThread 34348->34353 34349->34295 34350->34348 34351->34348 34352->34348 34353->34348 34355 50fa5bb 34354->34355 34356 50fa318 34355->34356 34406 50f7178 34355->34406 34410 50f7180 34355->34410 34356->34295 34414 50f730c 34359->34414 34418 50f7318 34359->34418 34364 50fa1fa 34363->34364 34422 50f7088 34364->34422 34426 50f7090 34364->34426 34365 50fa229 34370 50f9db5 34368->34370 34369 50f9fab 34369->34295 34370->34369 34371 50f7088 WriteProcessMemory 34370->34371 34372 50f7090 WriteProcessMemory 34370->34372 34371->34370 34372->34370 34374 50f9e4d 34373->34374 34376 50f7088 WriteProcessMemory 34374->34376 34377 50f7090 WriteProcessMemory 34374->34377 34375 50fa229 34376->34375 34377->34375 34380 50f7088 WriteProcessMemory 34378->34380 34381 50f7090 WriteProcessMemory 34378->34381 34379 50fa26c 34380->34379 34381->34379 34383 50f6f3d Wow64SetThreadContext 34382->34383 34385 50f6f85 34383->34385 34385->34328 34387 50f6ef8 Wow64SetThreadContext 34386->34387 34389 50f6f85 34387->34389 34389->34328 34391 50f6fd0 VirtualAllocEx 34390->34391 34393 50f704d 34391->34393 34393->34333 34395 50f7010 VirtualAllocEx 34394->34395 34397 50f704d 34395->34397 34397->34333 34399 50f6a10 ResumeThread 34398->34399 34401 50f6a81 34399->34401 34401->34337 34403 50f6a50 ResumeThread 34402->34403 34405 50f6a81 34403->34405 34405->34337 34407 50f7180 ReadProcessMemory 34406->34407 34409 50f720f 34407->34409 34409->34355 34411 50f71cb ReadProcessMemory 34410->34411 34413 50f720f 34411->34413 34413->34355 34415 50f73a1 CreateProcessA 34414->34415 34417 50f7563 34415->34417 34419 50f73a1 CreateProcessA 34418->34419 34421 50f7563 34419->34421 34423 50f7090 WriteProcessMemory 34422->34423 34425 50f712f 34423->34425 34425->34365 34427 50f70d8 WriteProcessMemory 34426->34427 34429 50f712f 34427->34429 34429->34365 34237 2e7abf0 34238 2e7abff 34237->34238 34240 2e7ace8 34237->34240 34241 2e7acf9 34240->34241 34242 2e7ad1c 34240->34242 34241->34242 34248 2e7af80 34241->34248 34252 2e7af70 34241->34252 34242->34238 34243 2e7af20 GetModuleHandleW 34245 2e7af4d 34243->34245 34244 2e7ad14 34244->34242 34244->34243 34245->34238 34249 2e7af94 34248->34249 34251 2e7afb9 34249->34251 34256 2e7a070 34249->34256 34251->34244 34253 2e7af94 34252->34253 34254 2e7a070 LoadLibraryExW 34253->34254 34255 2e7afb9 34253->34255 34254->34255 34255->34244 34257 2e7b160 LoadLibraryExW 34256->34257 34259 2e7b1d9 34257->34259 34259->34251 34260 50faa98 34261 50fac23 34260->34261 34262 50faabe 34260->34262 34262->34261 34264 50f9038 34262->34264 34265 50fad18 PostMessageW 34264->34265 34266 50fad84 34265->34266 34266->34262 34267 2e7cf80 34268 2e7cfc6 GetCurrentProcess 34267->34268 34270 2e7d018 GetCurrentThread 34268->34270 34273 2e7d011 34268->34273 34271 2e7d055 GetCurrentProcess 34270->34271 34272 2e7d04e 34270->34272 34274 2e7d08b 34271->34274 34272->34271 34273->34270 34275 2e7d0b3 GetCurrentThreadId 34274->34275 34276 2e7d0e4 34275->34276 34430 2e7d5d0 DuplicateHandle 34431 2e7d666 34430->34431 34217 2e74668 34218 2e74672 34217->34218 34220 2e74759 34217->34220 34221 2e7477d 34220->34221 34225 2e74858 34221->34225 34229 2e74868 34221->34229 34227 2e7488f 34225->34227 34226 2e7496c 34227->34226 34233 2e744b0 34227->34233 34230 2e7488f 34229->34230 34231 2e7496c 34230->34231 34232 2e744b0 CreateActCtxA 34230->34232 34232->34231 34234 2e758f8 CreateActCtxA 34233->34234 34236 2e759bb 34234->34236
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 039c7154522de93c43a9163ec6da3fe5c2e1a86cd0702280cf9c4e2614827678
                  • Instruction ID: 7cd410ef17b24b3843996dd8f925d209d521ad85212feb695be856a12cfd8151
                  • Opcode Fuzzy Hash: 039c7154522de93c43a9163ec6da3fe5c2e1a86cd0702280cf9c4e2614827678
                  • Instruction Fuzzy Hash: FC42C534B11200CFDB699B74D45866E7BF2FF89705B50586DEA0BDB3A4DE31A881CB50
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a33baac123040c3bcc0ed800b76b341b58fb0163c74e883069f9451e7c7b0196
                  • Instruction ID: 784bc2ac0b141aea5e214fb46179ca5750d0f951d63575c4faad58ac25d96be6
                  • Opcode Fuzzy Hash: a33baac123040c3bcc0ed800b76b341b58fb0163c74e883069f9451e7c7b0196
                  • Instruction Fuzzy Hash: 9C22F530E10219CFCB54DF68D884A9DBBB2FF85314F1585A9E909AB365DB30AD85CF90

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 263 2e7cf71-2e7cf78 264 2e7cf32-2e7cf6f 263->264 265 2e7cf7a-2e7d00f GetCurrentProcess 263->265 272 2e7d011-2e7d017 265->272 273 2e7d018-2e7d04c GetCurrentThread 265->273 272->273 274 2e7d055-2e7d089 GetCurrentProcess 273->274 275 2e7d04e-2e7d054 273->275 277 2e7d092-2e7d0ad call 2e7d558 274->277 278 2e7d08b-2e7d091 274->278 275->274 282 2e7d0b3-2e7d0e2 GetCurrentThreadId 277->282 278->277 284 2e7d0e4-2e7d0ea 282->284 285 2e7d0eb-2e7d14d 282->285 284->285
                  APIs
                  • GetCurrentProcess.KERNEL32 ref: 02E7CFFE
                  • GetCurrentThread.KERNEL32 ref: 02E7D03B
                  • GetCurrentProcess.KERNEL32 ref: 02E7D078
                  • GetCurrentThreadId.KERNEL32 ref: 02E7D0D1
                  Strings
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2198355895.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_2e70000_XClient.jbxd
                  Similarity
                  • API ID: Current$ProcessThread
                  • String ID: 4'^q
                  • API String ID: 2063062207-1614139903
                  • Opcode ID: ec0cc70e6c9348fa6b2abfa838120af45571a0e819ceedf644a0e8f1d075fc31
                  • Instruction ID: b3ba18e81328d88d47e8e31f380c830a6aef6e5a3ca0f433036d408e81266e2f
                  • Opcode Fuzzy Hash: ec0cc70e6c9348fa6b2abfa838120af45571a0e819ceedf644a0e8f1d075fc31
                  • Instruction Fuzzy Hash: 016138B0A012499FDB14DFA9D948B9EBBF1EF48308F20C469E409A7260DB359945CF65

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 292 2e7cf80-2e7d00f GetCurrentProcess 296 2e7d011-2e7d017 292->296 297 2e7d018-2e7d04c GetCurrentThread 292->297 296->297 298 2e7d055-2e7d089 GetCurrentProcess 297->298 299 2e7d04e-2e7d054 297->299 301 2e7d092-2e7d0ad call 2e7d558 298->301 302 2e7d08b-2e7d091 298->302 299->298 305 2e7d0b3-2e7d0e2 GetCurrentThreadId 301->305 302->301 306 2e7d0e4-2e7d0ea 305->306 307 2e7d0eb-2e7d14d 305->307 306->307
                  APIs
                  • GetCurrentProcess.KERNEL32 ref: 02E7CFFE
                  • GetCurrentThread.KERNEL32 ref: 02E7D03B
                  • GetCurrentProcess.KERNEL32 ref: 02E7D078
                  • GetCurrentThreadId.KERNEL32 ref: 02E7D0D1
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2198355895.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_2e70000_XClient.jbxd
                  Similarity
                  • API ID: Current$ProcessThread
                  • String ID:
                  • API String ID: 2063062207-0
                  • Opcode ID: 3d873868c875d9d24db1d5d938e84949d4d85e010ecd66ce49b90028ef6fc14e
                  • Instruction ID: 038a1e52fcaa31b30a62e3881251757ab4c717a9067aba5bf24baca4a1f76cea
                  • Opcode Fuzzy Hash: 3d873868c875d9d24db1d5d938e84949d4d85e010ecd66ce49b90028ef6fc14e
                  • Instruction Fuzzy Hash: D85155B09013498FDB14DFAAD948B9EBBF1EF88318F20C459E419A7360D7349985CF65

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 377 56f2468-56f24ca call 56f141c 383 56f24cc-56f24ce 377->383 384 56f2530-56f255c 377->384 385 56f24d4-56f24e0 383->385 386 56f2563-56f256b 383->386 384->386 391 56f24e6-56f2521 call 56f1428 385->391 392 56f2572-56f26ad 385->392 386->392 402 56f2526-56f252f 391->402 409 56f26b3-56f26c1 392->409 410 56f26ca-56f2710 409->410 411 56f26c3-56f26c9 409->411 416 56f271d 410->416 417 56f2712-56f2715 410->417 411->410 418 56f271e 416->418 417->416 418->418
                  Strings
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID: Hbq$Hbq
                  • API String ID: 0-4258043069
                  • Opcode ID: b30c3f52edaf1bda59a564f92d7484bbde500a7d1c2cfe1672068ed210a21d5c
                  • Instruction ID: db99795174a4b9d40530356cf625393913e165228b16a290d00ea9b5ee47d24a
                  • Opcode Fuzzy Hash: b30c3f52edaf1bda59a564f92d7484bbde500a7d1c2cfe1672068ed210a21d5c
                  • Instruction Fuzzy Hash: DA814A74E003598FCB04DFA9C9946EEBBF6BF89300F24852AE409AB355DB349945CF91

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 470 56feb60-56feb98 472 56feb9a-56feba5 470->472 473 56febe4-56febe8 470->473 476 56febab-56febb1 472->476 477 56fecd9-56fed05 472->477 474 56febee-56febf0 473->474 475 56febea-56febec 473->475 478 56febf3-56febf7 474->478 475->478 479 56fed0c-56fed4b 476->479 480 56febb7-56febb9 476->480 477->479 482 56febf9-56febfb 478->482 483 56fec22-56fec24 478->483 480->479 484 56febbf-56febc2 480->484 485 56febfd-56febff 482->485 486 56fec01 482->486 489 56fecab-56fecaf 483->489 490 56fec2a-56fec5b 483->490 487 56febc8 484->487 488 56febc4-56febc6 484->488 493 56fec06-56fec21 485->493 486->493 496 56febcd-56febd3 487->496 488->496 494 56fecb8 489->494 495 56fecb1-56fecb6 489->495 503 56fec5d-56fec60 490->503 504 56fec62-56fec64 490->504 497 56fecbb-56fecd8 494->497 495->497 498 56febda 496->498 499 56febd5-56febd8 496->499 502 56febdf-56febe2 498->502 499->502 502->478 503->504 509 56fec6d 504->509 510 56fec66-56fec6b 504->510 511 56fec6f-56fec7c 509->511 510->511 519 56fec7e call 56fef20 511->519 520 56fec7e call 56feef0 511->520 514 56fec84-56fec86 516 56fec88-56feca1 514->516 517 56feca3-56fecaa 514->517 516->517 519->514 520->514
                  Strings
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID: Hbq$Hbq
                  • API String ID: 0-4258043069
                  • Opcode ID: ebc638e442ad379130930c4825d3e19776bcd38b2fb35eed821326e0441ebf72
                  • Instruction ID: 256f28a814578f735f9d95ce18cedba68d687b654193bcf4d8520c5103ad954b
                  • Opcode Fuzzy Hash: ebc638e442ad379130930c4825d3e19776bcd38b2fb35eed821326e0441ebf72
                  • Instruction Fuzzy Hash: 5C51BE31F00519CBCF509FA9C9446BEBFBAFB88314F204429E616A3754DB36AD16CB90

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 521 50f730c-50f73ad 523 50f73af-50f73b9 521->523 524 50f73e6-50f7406 521->524 523->524 525 50f73bb-50f73bd 523->525 529 50f743f-50f746e 524->529 530 50f7408-50f7412 524->530 527 50f73bf-50f73c9 525->527 528 50f73e0-50f73e3 525->528 531 50f73cd-50f73dc 527->531 532 50f73cb 527->532 528->524 540 50f74a7-50f7561 CreateProcessA 529->540 541 50f7470-50f747a 529->541 530->529 534 50f7414-50f7416 530->534 531->531 533 50f73de 531->533 532->531 533->528 535 50f7439-50f743c 534->535 536 50f7418-50f7422 534->536 535->529 538 50f7426-50f7435 536->538 539 50f7424 536->539 538->538 543 50f7437 538->543 539->538 552 50f756a-50f75f0 540->552 553 50f7563-50f7569 540->553 541->540 542 50f747c-50f747e 541->542 544 50f74a1-50f74a4 542->544 545 50f7480-50f748a 542->545 543->535 544->540 547 50f748e-50f749d 545->547 548 50f748c 545->548 547->547 549 50f749f 547->549 548->547 549->544 563 50f75f2-50f75f6 552->563 564 50f7600-50f7604 552->564 553->552 563->564 565 50f75f8 563->565 566 50f7606-50f760a 564->566 567 50f7614-50f7618 564->567 565->564 566->567 570 50f760c 566->570 568 50f761a-50f761e 567->568 569 50f7628-50f762c 567->569 568->569 571 50f7620 568->571 572 50f763e-50f7645 569->572 573 50f762e-50f7634 569->573 570->567 571->569 574 50f765c 572->574 575 50f7647-50f7656 572->575 573->572 577 50f765d 574->577 575->574 577->577
                  APIs
                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 050F754E
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2220126164.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_50f0000_XClient.jbxd
                  Similarity
                  • API ID: CreateProcess
                  • String ID:
                  • API String ID: 963392458-0
                  • Opcode ID: bcc188c55169779972058de9180f730fa08ad9d8d9a65c3102798cce4b9a363b
                  • Instruction ID: 5f06dee2e7c17b29493861e110c480d5e49b174d278f48d6e78f11c10329b82d
                  • Opcode Fuzzy Hash: bcc188c55169779972058de9180f730fa08ad9d8d9a65c3102798cce4b9a363b
                  • Instruction Fuzzy Hash: CD914771D002199FDF20CFA8D841BADBBF2FF48314F1485AAE949A7640DB749985CF92

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 578 50f7318-50f73ad 580 50f73af-50f73b9 578->580 581 50f73e6-50f7406 578->581 580->581 582 50f73bb-50f73bd 580->582 586 50f743f-50f746e 581->586 587 50f7408-50f7412 581->587 584 50f73bf-50f73c9 582->584 585 50f73e0-50f73e3 582->585 588 50f73cd-50f73dc 584->588 589 50f73cb 584->589 585->581 597 50f74a7-50f7561 CreateProcessA 586->597 598 50f7470-50f747a 586->598 587->586 591 50f7414-50f7416 587->591 588->588 590 50f73de 588->590 589->588 590->585 592 50f7439-50f743c 591->592 593 50f7418-50f7422 591->593 592->586 595 50f7426-50f7435 593->595 596 50f7424 593->596 595->595 600 50f7437 595->600 596->595 609 50f756a-50f75f0 597->609 610 50f7563-50f7569 597->610 598->597 599 50f747c-50f747e 598->599 601 50f74a1-50f74a4 599->601 602 50f7480-50f748a 599->602 600->592 601->597 604 50f748e-50f749d 602->604 605 50f748c 602->605 604->604 606 50f749f 604->606 605->604 606->601 620 50f75f2-50f75f6 609->620 621 50f7600-50f7604 609->621 610->609 620->621 622 50f75f8 620->622 623 50f7606-50f760a 621->623 624 50f7614-50f7618 621->624 622->621 623->624 627 50f760c 623->627 625 50f761a-50f761e 624->625 626 50f7628-50f762c 624->626 625->626 628 50f7620 625->628 629 50f763e-50f7645 626->629 630 50f762e-50f7634 626->630 627->624 628->626 631 50f765c 629->631 632 50f7647-50f7656 629->632 630->629 634 50f765d 631->634 632->631 634->634
                  APIs
                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 050F754E
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2220126164.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_50f0000_XClient.jbxd
                  Similarity
                  • API ID: CreateProcess
                  • String ID:
                  • API String ID: 963392458-0
                  • Opcode ID: 742fca29d44f60cd6c9742a28a4cf6ed97bdd9bc0f174a27762b20dd00ebcadd
                  • Instruction ID: 9bf39e8ca6a9962318e7cfde42ce315ed1e760a67dc9e741081f1914fa02391d
                  • Opcode Fuzzy Hash: 742fca29d44f60cd6c9742a28a4cf6ed97bdd9bc0f174a27762b20dd00ebcadd
                  • Instruction Fuzzy Hash: C7915971D002199FDF20CFA8D845BAEBBF2FF48314F1481A9E949A7640DB749985CF92

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 635 2e7ace8-2e7acf7 636 2e7ad23-2e7ad27 635->636 637 2e7acf9-2e7ad06 call 2e7a00c 635->637 639 2e7ad3b-2e7ad7c 636->639 640 2e7ad29-2e7ad33 636->640 642 2e7ad1c 637->642 643 2e7ad08 637->643 646 2e7ad7e-2e7ad86 639->646 647 2e7ad89-2e7ad97 639->647 640->639 642->636 692 2e7ad0e call 2e7af80 643->692 693 2e7ad0e call 2e7af70 643->693 646->647 648 2e7adbb-2e7adbd 647->648 649 2e7ad99-2e7ad9e 647->649 654 2e7adc0-2e7adc7 648->654 651 2e7ada0-2e7ada7 call 2e7a018 649->651 652 2e7ada9 649->652 650 2e7ad14-2e7ad16 650->642 653 2e7ae58-2e7aed4 650->653 656 2e7adab-2e7adb9 651->656 652->656 685 2e7aed6-2e7aefe 653->685 686 2e7af00-2e7af18 653->686 657 2e7add4-2e7addb 654->657 658 2e7adc9-2e7add1 654->658 656->654 660 2e7addd-2e7ade5 657->660 661 2e7ade8-2e7adf1 call 2e7a028 657->661 658->657 660->661 666 2e7adf3-2e7adfb 661->666 667 2e7adfe-2e7ae03 661->667 666->667 668 2e7ae05-2e7ae0c 667->668 669 2e7ae21-2e7ae28 call 2e7b280 667->669 668->669 671 2e7ae0e-2e7ae1e call 2e7a038 call 2e7a048 668->671 674 2e7ae2b-2e7ae2e 669->674 671->669 676 2e7ae51-2e7ae57 674->676 677 2e7ae30-2e7ae4e 674->677 677->676 685->686 687 2e7af20-2e7af4b GetModuleHandleW 686->687 688 2e7af1a-2e7af1d 686->688 689 2e7af54-2e7af68 687->689 690 2e7af4d-2e7af53 687->690 688->687 690->689 692->650 693->650
                  APIs
                  • GetModuleHandleW.KERNELBASE(00000000), ref: 02E7AF3E
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2198355895.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_2e70000_XClient.jbxd
                  Similarity
                  • API ID: HandleModule
                  • String ID:
                  • API String ID: 4139908857-0
                  • Opcode ID: 85f35019b219ddc1389b5bd5afdca6ef59583acb2ed8937456623098cb4d8026
                  • Instruction ID: 03b1336fd4995a157ccc4fe9085d25442ffc2616de82033d463465e529f6d8b3
                  • Opcode Fuzzy Hash: 85f35019b219ddc1389b5bd5afdca6ef59583acb2ed8937456623098cb4d8026
                  • Instruction Fuzzy Hash: DF8137B0A40B058FD724DF29D54479ABBF1FF49308F009A2ED18A97B50DB35E94ACB91

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 695 2e758ed-2e759b9 CreateActCtxA 697 2e759c2-2e75a1c 695->697 698 2e759bb-2e759c1 695->698 705 2e75a1e-2e75a21 697->705 706 2e75a2b-2e75a2f 697->706 698->697 705->706 707 2e75a31-2e75a3d 706->707 708 2e75a40-2e75a70 706->708 707->708 712 2e75a22-2e75a29 708->712 713 2e75a72-2e75af4 708->713 712->706
                  APIs
                  • CreateActCtxA.KERNEL32(?), ref: 02E759A9
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2198355895.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_2e70000_XClient.jbxd
                  Similarity
                  • API ID: Create
                  • String ID:
                  • API String ID: 2289755597-0
                  • Opcode ID: 4cfc4c59879a9835ede948be00743b574132e322d8247a54f27c0ec86dd4f1fc
                  • Instruction ID: c6a206fd2b6853a0a5089878a94db062ba002c10022dc5a2af1c0515a8a794d1
                  • Opcode Fuzzy Hash: 4cfc4c59879a9835ede948be00743b574132e322d8247a54f27c0ec86dd4f1fc
                  • Instruction Fuzzy Hash: 5941E6B0C00719CFDB14CFA9C8847CEBBB5BF44314F64816AD818AB255DB755946CF50

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 716 2e744b0-2e759b9 CreateActCtxA 719 2e759c2-2e75a1c 716->719 720 2e759bb-2e759c1 716->720 727 2e75a1e-2e75a21 719->727 728 2e75a2b-2e75a2f 719->728 720->719 727->728 729 2e75a31-2e75a3d 728->729 730 2e75a40-2e75a70 728->730 729->730 734 2e75a22-2e75a29 730->734 735 2e75a72-2e75af4 730->735 734->728
                  APIs
                  • CreateActCtxA.KERNEL32(?), ref: 02E759A9
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2198355895.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_2e70000_XClient.jbxd
                  Similarity
                  • API ID: Create
                  • String ID:
                  • API String ID: 2289755597-0
                  • Opcode ID: b9b4e3ee6e38c4eb74b428291cca29c906ce09500b92bd49119d045c6ab2e531
                  • Instruction ID: aceb732ae417c930297d0bbbb09d4160a3569c181da851942bb8178f3a1c63e9
                  • Opcode Fuzzy Hash: b9b4e3ee6e38c4eb74b428291cca29c906ce09500b92bd49119d045c6ab2e531
                  • Instruction Fuzzy Hash: 6641B0B0C0071DCBDB24DFA9C984ADEBBB5BF48304F64806AD818AB255DB756946CF90

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 738 50f7088-50f70de 741 50f70ee-50f712d WriteProcessMemory 738->741 742 50f70e0-50f70ec 738->742 744 50f712f-50f7135 741->744 745 50f7136-50f7166 741->745 742->741 744->745
                  APIs
                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 050F7120
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2220126164.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_50f0000_XClient.jbxd
                  Similarity
                  • API ID: MemoryProcessWrite
                  • String ID:
                  • API String ID: 3559483778-0
                  • Opcode ID: f93a53d767d8b4ccd3b25d6b7b26a3bd07f8d467643e5ac35c478f93851343e7
                  • Instruction ID: 9ed945c8fc914a46b32166c0aa9e646fbad344fb12da49c20e4b1aeecc5ed5a7
                  • Opcode Fuzzy Hash: f93a53d767d8b4ccd3b25d6b7b26a3bd07f8d467643e5ac35c478f93851343e7
                  • Instruction Fuzzy Hash: 372157B1900359DFCB10CFA9D885BDEBBF5FF48310F10842AE959A7241C7789944CBA5

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 749 50f7090-50f70de 751 50f70ee-50f712d WriteProcessMemory 749->751 752 50f70e0-50f70ec 749->752 754 50f712f-50f7135 751->754 755 50f7136-50f7166 751->755 752->751 754->755
                  APIs
                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 050F7120
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2220126164.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_50f0000_XClient.jbxd
                  Similarity
                  • API ID: MemoryProcessWrite
                  • String ID:
                  • API String ID: 3559483778-0
                  • Opcode ID: 0b0cad5bfdbc0d2d296ee310552953a1457654d7f235a24059d3b081c1aa3f1d
                  • Instruction ID: 1c8675e051b70008231dd97db289dce2967b98124f166b202dd6c19d5e066fac
                  • Opcode Fuzzy Hash: 0b0cad5bfdbc0d2d296ee310552953a1457654d7f235a24059d3b081c1aa3f1d
                  • Instruction Fuzzy Hash: 902155B19003199FCB10CFA9C884BDEBBF5FF48310F10842AE959A7240C7789944CBA5
                  APIs
                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 050F7200
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2220126164.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_50f0000_XClient.jbxd
                  Similarity
                  • API ID: MemoryProcessRead
                  • String ID:
                  • API String ID: 1726664587-0
                  • Opcode ID: 3a50b46dc4f3fae9a008829dd8dd079c215652d4d2ae85d61a1b28f3924ce8ad
                  • Instruction ID: 0911381215fe6f032b63563277cb3bac837f40ba8bd7bc75dd52064ce3964689
                  • Opcode Fuzzy Hash: 3a50b46dc4f3fae9a008829dd8dd079c215652d4d2ae85d61a1b28f3924ce8ad
                  • Instruction Fuzzy Hash: 9B2148B1C002599FCB10CFAAC885BDEFBF5FF48310F50842AE559A7251C7389551CBA5
                  APIs
                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 050F6F76
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2220126164.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_50f0000_XClient.jbxd
                  Similarity
                  • API ID: ContextThreadWow64
                  • String ID:
                  • API String ID: 983334009-0
                  • Opcode ID: b070c451f90ccfb98e2ab39c9a8a0cc22d99e432b886a351a40bc2a440e386a6
                  • Instruction ID: f7fde86f9fa71f917ee068980c04651d343de78767bd428ddbfc3094d6c66096
                  • Opcode Fuzzy Hash: b070c451f90ccfb98e2ab39c9a8a0cc22d99e432b886a351a40bc2a440e386a6
                  • Instruction Fuzzy Hash: 4F2157B19002089FDB10DFAAC4857EEBBF4EB48320F14842AD559A7240C7789944CFA4
                  APIs
                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 050F7200
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2220126164.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_50f0000_XClient.jbxd
                  Similarity
                  • API ID: MemoryProcessRead
                  • String ID:
                  • API String ID: 1726664587-0
                  • Opcode ID: e08d4817864836942d7a41433ef87b233055a0f95837d1a658ca14b6d134f375
                  • Instruction ID: e748171dfc57b1f6db8d47e7991a663190a09500618073e6085a3c7fecf8dc34
                  • Opcode Fuzzy Hash: e08d4817864836942d7a41433ef87b233055a0f95837d1a658ca14b6d134f375
                  • Instruction Fuzzy Hash: A52128B18002599FCB10DFAAC885ADEFBF5FF48310F50842AE559A7250C7749544CBA5
                  APIs
                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 050F6F76
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2220126164.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_50f0000_XClient.jbxd
                  Similarity
                  • API ID: ContextThreadWow64
                  • String ID:
                  • API String ID: 983334009-0
                  • Opcode ID: ceb5ecd75ff15f971122100c6ae917e1b26b351b35ff4fa170e7a741988bc831
                  • Instruction ID: 6df6487e9a2e91d4cbdd9b1ac22c9f4f5f56fbbddcf457b881c2180641aa9653
                  • Opcode Fuzzy Hash: ceb5ecd75ff15f971122100c6ae917e1b26b351b35ff4fa170e7a741988bc831
                  • Instruction Fuzzy Hash: E92138B19002099FDB10DFAAC4857EEBBF4EF48364F14842AD559A7241C7789945CFA4
                  APIs
                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02E7D657
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2198355895.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_2e70000_XClient.jbxd
                  Similarity
                  • API ID: DuplicateHandle
                  • String ID:
                  • API String ID: 3793708945-0
                  APIs
                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02E7AFB9,00000800,00000000,00000000), ref: 02E7B1CA
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2198355895.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_2e70000_XClient.jbxd
                  Similarity
                  • API ID: LibraryLoad
                  • String ID:
                  • API String ID: 1029625771-0
                  APIs
                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 050F703E
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2220126164.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_50f0000_XClient.jbxd
                  Similarity
                  • API ID: AllocVirtual
                  • String ID:
                  • API String ID: 4275171209-0
                  APIs
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2220126164.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_50f0000_XClient.jbxd
                  Similarity
                  • API ID: ResumeThread
                  • String ID:
                  • API String ID: 947044025-0
                  APIs
                  • GetModuleHandleW.KERNELBASE(00000000), ref: 02E7AF3E
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2198355895.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_2e70000_XClient.jbxd
                  Similarity
                  • API ID: HandleModule
                  • String ID:
                  • API String ID: 4139908857-0
                  APIs
                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 050FAD75
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2220126164.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_50f0000_XClient.jbxd
                  Similarity
                  • API ID: MessagePost
                  • String ID:
                  • API String ID: 410705778-0
                  Strings
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID: (bq
                  • API String ID: 0-149360118
                  Strings
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID: Hbq
                  • API String ID: 0-1245868
                  Strings
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID: 3<m^
                  • API String ID: 0-2376767559
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 95af9f687c7659e3de0fb3fbd6a44a24348f58c63959a1ba7dd0d98c865f8804
                  • Instruction ID: d2eb74b2c1fe3eaab278374b77a79308330a79d5fff8250ec65ed1dad7018970
                  • Opcode Fuzzy Hash: 95af9f687c7659e3de0fb3fbd6a44a24348f58c63959a1ba7dd0d98c865f8804
                  • Instruction Fuzzy Hash: 4541E0B5D01209CFDB24CFA9C9846CDFBB1BF48304F64842AD548BB255D7756A8ACF90
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c6a8d007847632c7c8429b39b999e3fe2a76990c6e6943120ac272591c2a2a2f
                  • Instruction ID: fc15c5132119172ec6c1aadfb41e10ac94f3f659e710245e9f57980971e9a33c
                  • Opcode Fuzzy Hash: c6a8d007847632c7c8429b39b999e3fe2a76990c6e6943120ac272591c2a2a2f
                  • Instruction Fuzzy Hash: CF41AFB4D00358DBDB14CF9AD998A9EFBB1BF48710F60812AE418BB254D7749845CF91
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 03b5feb56b547257e856f5d886ebabbd6518a0e8bc3d2748d2bb2fcf33e44cb1
                  • Instruction ID: c4a6a56650482fe1cf11841b93cbbd101d19d328a937ffab885280d9bef8e054
                  • Opcode Fuzzy Hash: 03b5feb56b547257e856f5d886ebabbd6518a0e8bc3d2748d2bb2fcf33e44cb1
                  • Instruction Fuzzy Hash: 2A411A75A0024ADFCB40DF68D88499EFBB1FF49310B14C69AE918AB311E730E985CF90
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 992269e9e6c83f373dd976905f8a05e159c07b3ad967965a55b22f88e3a0ecfa
                  • Instruction ID: ee57d700c8a12550647326922944938f6a3a4453a4618089ba37e041805d9f69
                  • Opcode Fuzzy Hash: 992269e9e6c83f373dd976905f8a05e159c07b3ad967965a55b22f88e3a0ecfa
                  • Instruction Fuzzy Hash: 4041CCB4D003589FCB14CFA9C984ACEFBB1BF48304F20822AE418AB250D7749846CF81
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 38575362159c0b402fd248ce1ab9e0e93b5a5c04911bd4ae4517b16a8e61a4a1
                  • Instruction ID: a5e523bb170322013b84f33df858771382f6156af50a3274c7ffddb778e28cd7
                  • Opcode Fuzzy Hash: 38575362159c0b402fd248ce1ab9e0e93b5a5c04911bd4ae4517b16a8e61a4a1
                  • Instruction Fuzzy Hash: 7F3148B0D012199FCB40DFA9D9856DEBBB6FB48310F10862AE815E73A1D735A905CB50
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f6cb193110947fd6515edffd6274d8c8a3c06a4510e7c8d2bcb39367123d75a8
                  • Instruction ID: 15c09ec1d59753e9d5fb0ea9707e83692e5cbf298eb8b26aa2b430868f0d8d0d
                  • Opcode Fuzzy Hash: f6cb193110947fd6515edffd6274d8c8a3c06a4510e7c8d2bcb39367123d75a8
                  • Instruction Fuzzy Hash: 8541EA75A0020ADFCB44DF69D88499EFBB5FF49310B14C65AE919AB311E730E985CF90
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5b24056819417c998832d0f2e7e563f27da26e0fbbfc849dadfba8b5a578f2e6
                  • Instruction ID: e2ef96be9d8d74512d38b24feab2424bb96b082aba032f603ee429c0360d5ba7
                  • Opcode Fuzzy Hash: 5b24056819417c998832d0f2e7e563f27da26e0fbbfc849dadfba8b5a578f2e6
                  • Instruction Fuzzy Hash: 8B317E31B00215DFCF08EBA4D8448DDF7B6FF88211B158669E506AB360EB31AD46CBC0
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f9bace38a85e8e9fe911a105c7267a7c32bc154bc36f0c12d29fd70253e84e67
                  • Instruction ID: 4e9674adf01a78ecc5f22ee8361d3bece26267e33a683010d558f0ad9d01e521
                  • Opcode Fuzzy Hash: f9bace38a85e8e9fe911a105c7267a7c32bc154bc36f0c12d29fd70253e84e67
                  • Instruction Fuzzy Hash: 6E218E327141018FD7049B2CC8C8A697BE5FF85720B1984B5E60ACB366EE35DC04CB90
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b4c3fdb8e8ec575a9aaba9938a29c2e959e2a6a6823343e8d3af0f0208f4b54d
                  • Instruction ID: 5887fc512dab3c9ca39dbb80e29c52e7b86ed160e2824b4a371d71a67188f9b4
                  • Opcode Fuzzy Hash: b4c3fdb8e8ec575a9aaba9938a29c2e959e2a6a6823343e8d3af0f0208f4b54d
                  • Instruction Fuzzy Hash: FD219175F00145ABCB50DFA9CD44ABFBBFAEFC5340F10812AE615E3250EA709A01CB91
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4aec525af817698b99b9d884de1b8b1140b8f9b40958506f48c2a25272f16727
                  • Instruction ID: 018acbc17c4ad4908c0a9900ca585db1fac8351c09779ddc5461847b5786a32d
                  • Opcode Fuzzy Hash: 4aec525af817698b99b9d884de1b8b1140b8f9b40958506f48c2a25272f16727
                  • Instruction Fuzzy Hash: FF21A475E002199BDF04DFA8C9906EEBBF6FF89204F54452AD505F7350EB349A05CBA2
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a66483bcba8ffb05b9bfc26e4bcc220236dfddf38266a0f49b3a4d52936351a6
                  • Instruction ID: 20c65d8380227c39efb65c403e593cde708b756fcb17bd3294f20c3b421fbd29
                  • Opcode Fuzzy Hash: a66483bcba8ffb05b9bfc26e4bcc220236dfddf38266a0f49b3a4d52936351a6
                  • Instruction Fuzzy Hash: 3C213031A047098FCF04EFB8C84599EBBB5FF85300F4196A9E5456B621EB70E689CB41
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2197664618.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_146d000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 188726264d1539a636d32131ca2a55398ca4ae7121dfd17b5b86599d336b67c7
                  • Instruction ID: 0d2415e5136f36810c9d260bfadd52768b06a3a318d81cfc6f2424f50772ea86
                  • Opcode Fuzzy Hash: 188726264d1539a636d32131ca2a55398ca4ae7121dfd17b5b86599d336b67c7
                  • Instruction Fuzzy Hash: 0E214871A00244DFDB05DF48C9C0B57BF69FB98318F20C17AD9494B36AC336E846CAA2
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2197825884.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_147d000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1198831b33cde2e857957c9bd2372b7f07740d68e811c5503a76149d4f223601
                  • Instruction ID: b6e99b2b51668e782b880f0c1da1a1a1c5423acf929c60b9e6b61a224e6f8e1f
                  • Opcode Fuzzy Hash: 1198831b33cde2e857957c9bd2372b7f07740d68e811c5503a76149d4f223601
                  • Instruction Fuzzy Hash: 00210771A14200DFDB05DF98D9C0B66BBA5FF84324F24C56ED9494B366C336D447CA61
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2197825884.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_147d000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: aacb61806b1f1a46ad4312b4198dec8e521bf6c7ce9860aca8f36eb4a3573d49
                  • Instruction ID: 305fad05e8d2f510605d004ce62b7cc197801c666c653d48cb3e873a3b3983c0
                  • Opcode Fuzzy Hash: aacb61806b1f1a46ad4312b4198dec8e521bf6c7ce9860aca8f36eb4a3573d49
                  • Instruction Fuzzy Hash: 852125B1904280DFCB16DF58D984B56BFA5EF84318F20C56ED90A4B366C336D447CA61
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 27dbdd43a5d642a1ad474dac7f5acf662c751e1bc3f628e27bcbfa379607f376
                  • Instruction ID: d7c527d221133a7ca04dc6d344d089fcd02a511593fbf8998c04791627a59d55
                  • Opcode Fuzzy Hash: 27dbdd43a5d642a1ad474dac7f5acf662c751e1bc3f628e27bcbfa379607f376
                  • Instruction Fuzzy Hash: 3F213331D10619DFCB10EF6CD94099AFBF5FF89310B50C26AE958A7204FB31A994CB91
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2f56b2fa2fe65433194dab290ae152f6b95b7792a60b3fbc90e7effcdf652f6a
                  • Instruction ID: 360402609e0d48dc98319512ddfa9464d39b095e05f0cea227bf1a2d93d3ed86
                  • Opcode Fuzzy Hash: 2f56b2fa2fe65433194dab290ae152f6b95b7792a60b3fbc90e7effcdf652f6a
                  • Instruction Fuzzy Hash: 2C219A75E02219EBCF149FA0E5985EEBB72FF44310F208858E59173794CB309864CF84
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ddb549f778df419ccc2ff175dc731782ede3566b810eb5969bc2e8cd71c3dfbe
                  • Instruction ID: efef46f482a7d3f08e0c15f5f822aa37dc71e1853d487532babc383851e13959
                  • Opcode Fuzzy Hash: ddb549f778df419ccc2ff175dc731782ede3566b810eb5969bc2e8cd71c3dfbe
                  • Instruction Fuzzy Hash: EB211031A00B098FCF04EFB8C89499EB7B5FF89300F5196A9E5456B225EB70E589CB41
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: fee4232247d6ab5ed987c704ed92c0af869daa5a0359048405ed0264d2599966
                  • Instruction ID: 512d824c060d84d3b06ecedb12a9ebfbad1e91701e8d039fafbdd7d1f9e862e5
                  • Opcode Fuzzy Hash: fee4232247d6ab5ed987c704ed92c0af869daa5a0359048405ed0264d2599966
                  • Instruction Fuzzy Hash: C9119E35B016508FCB19DF28D89966E7BE6FF89601B28496DD116CB765DF31DC06CB00
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 804e9755ef5f755427d67de2a4f0a7b413086b7b82b8625f0d20cb6f96c91546
                  • Instruction ID: bb392701aa1d1a270ee88f5df341f17b75cb0b1ef9ed0bf32aa8efcf5066c789
                  • Opcode Fuzzy Hash: 804e9755ef5f755427d67de2a4f0a7b413086b7b82b8625f0d20cb6f96c91546
                  • Instruction Fuzzy Hash: 8F215E31E05219EFCF14DF6AD8848EDB7B6FB48350B00856AEA15AB350D730E945CFA0
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 733371cd932f6ff13f40b445bde17c3bfd65c0f24fedcd5d98835ed7d337ff61
                  • Instruction ID: 436b41dae8cc0f9192685558d1f32b7db8d4cb4edf0e4597a610dc36f94820f0
                  • Opcode Fuzzy Hash: 733371cd932f6ff13f40b445bde17c3bfd65c0f24fedcd5d98835ed7d337ff61
                  • Instruction Fuzzy Hash: 53119331E01219EFCF14DE65D8849DEBBB6FB48350F04856AEA02A7350D730A845CFE0
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2197825884.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_147d000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b96c3d8d28fe2b6f5c3fafba7cec694e4447a0cab58f64c060e179e99aec9a10
                  • Instruction ID: 5bdf06acd6d7ee79e886642930ae8d0e3cd07070ecdd6f493181d98ef05e3b62
                  • Opcode Fuzzy Hash: b96c3d8d28fe2b6f5c3fafba7cec694e4447a0cab58f64c060e179e99aec9a10
                  • Instruction Fuzzy Hash: C3216D755093C08FDB03CF24D994756BF71EF46218F28C5DAD8498B6A7C33A980ACB62
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 037c832f4d213bd572ee217480c632bf4a0e6a00b8ba2a02d7dee42669d8c357
                  • Instruction ID: 37fdc17b4fae11d79efe2a6af047210bc55137eeb81c11b2153a43134dca6d71
                  • Opcode Fuzzy Hash: 037c832f4d213bd572ee217480c632bf4a0e6a00b8ba2a02d7dee42669d8c357
                  • Instruction Fuzzy Hash: 6B110272F001105BC7148B19804166DB7BAFB88B19B04806DED09E7340CF34FD06D794
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a744e785880b0186d5489e3010ea544b7022e16268de6968a1e7fb07929bc3e4
                  • Instruction ID: cd2b175b954921e5475d31f16018c19e9db3f6bb7e65d6874bb3c4ecc3cb2cfd
                  • Opcode Fuzzy Hash: a744e785880b0186d5489e3010ea544b7022e16268de6968a1e7fb07929bc3e4
                  • Instruction Fuzzy Hash: 5811ED32B542008FD7148A2CC9C5BA93BE6FF89710F1980B5E60ACB366EE35DC058790
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2197664618.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_146d000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                  • Instruction ID: 93b95ed2d570e15665a5c53231f17a3febac1ab786e8f824732bb88a53edc4f1
                  • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                  • Instruction Fuzzy Hash: B011D272904240CFDB02CF44D5C4B56BF71FB94314F24C2AAD9490B266C33AD456CB92
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 35a112bed3d0bf61293a198b5518ff88c67080c41bb97fd1f3e4d45522d00cbd
                  • Instruction ID: 3f10b1520da97a314aaa9705e73e121bff3a6a90bf67feb0a9d11f98c7cfd664
                  • Opcode Fuzzy Hash: 35a112bed3d0bf61293a198b5518ff88c67080c41bb97fd1f3e4d45522d00cbd
                  • Instruction Fuzzy Hash: 86014275F042148BDB08DAB988196BEBBE6DF80224F50886AEA09C3784ED30C942C354
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2197825884.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_147d000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                  • Instruction ID: 82e88b3860d4732665583b6dd201993b1bc983a0900b546a761bfe875c56c223
                  • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                  • Instruction Fuzzy Hash: 4011BB75904280DFDB12CF54C5C4B56BFA1FF84224F28C6AADC494B3A6C33AD40ACB61
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7542b0bee99c9776c0ce6c7fe75a68e773ead792d3ec1af23ce2c843d2c1d0ee
                  • Instruction ID: 19b33045548960cfc95b6e944e4706e3339dff0e04f253ea65934618c00002af
                  • Opcode Fuzzy Hash: 7542b0bee99c9776c0ce6c7fe75a68e773ead792d3ec1af23ce2c843d2c1d0ee
                  • Instruction Fuzzy Hash: 331104B5D046188FCB10DF9AD844B9EFBF4FB48320F10841AD559A7310D374A545CFA5
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2ab8aa66f8956cfa17f99621eb76438575a7f7fd31f886caac83bceb4ace4abd
                  • Instruction ID: b2eb16c87a7f562b38009ccc39cf8a3e7edfe522111efa85e9fb7d37b61de6d1
                  • Opcode Fuzzy Hash: 2ab8aa66f8956cfa17f99621eb76438575a7f7fd31f886caac83bceb4ace4abd
                  • Instruction Fuzzy Hash: 1D11F0B5C006489FCB10DFAAD948A9EFBF4EB48320F14841AD958A7310D778A945CFA5
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: dc99dc44001a213e4cb931a8945291d32c8020eeca5aacc8c35fbaa4cdfb5719
                  • Instruction ID: ba3ba294f61e019d1e1117e3d7846cc4aab901a83206ea8302df61b6564cc5e7
                  • Opcode Fuzzy Hash: dc99dc44001a213e4cb931a8945291d32c8020eeca5aacc8c35fbaa4cdfb5719
                  • Instruction Fuzzy Hash: 201104B5D046088FDB10DF9AD848B9EFBF5FB48320F10841AD959A7310D774A945CFA5
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c74a6fc36fa89a5ba4857f3543beaf75ce1b4c4b0f0318cef2d31a455d1e8252
                  • Instruction ID: 5b5dd610bce524d79897ee6a43e2a4201cd29c12765c5fe4c053084a11b21beb
                  • Opcode Fuzzy Hash: c74a6fc36fa89a5ba4857f3543beaf75ce1b4c4b0f0318cef2d31a455d1e8252
                  • Instruction Fuzzy Hash: 65010C36A00609DFCB00EF68C54599ABBF4EF88314F1585AAE94DD7720EB70EE44CB90
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e0311fd9fad5e12419fe6e6f65f868deeb75e6a25809daf42d715caedd9e8a39
                  • Instruction ID: 2248fe221f385d5e9b05b13397382b3ee391cf3096eb47729ca6c60f1d7f2f4f
                  • Opcode Fuzzy Hash: e0311fd9fad5e12419fe6e6f65f868deeb75e6a25809daf42d715caedd9e8a39
                  • Instruction Fuzzy Hash: 791122B59006488FCB20DF9AD585BDEFBF4FB48320F20842ADA59A3710C775A944CFA5
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 50d8e63f7e1d5bf6c72be23e5cda81f1431f4bec50dda83fc5ee1260b8ae73cf
                  • Instruction ID: 09e0854451f8b4fbed76f39ea1b77cc325b7b57c723c0a078deb4502a27a0945
                  • Opcode Fuzzy Hash: 50d8e63f7e1d5bf6c72be23e5cda81f1431f4bec50dda83fc5ee1260b8ae73cf
                  • Instruction Fuzzy Hash: 9A018C357012118FD7189F29D889A6E7BE6FF88214B184A6DE51ACB3A4CF31DC06CB10
                  Memory Dump Source
                  • Source File: 0000001C.00000002.2221968287.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_28_2_56f0000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b177a7dc42b47a5eb7d6ee1592c9a8344fcd1725d296dc4826f233933643a424
                  • Instruction ID: dd865aafbd77fa5a441fe7c71ad323e883244210df402794f25064c0c852d3ef
                  • Opcode Fuzzy Hash: b177a7dc42b47a5eb7d6ee1592c9a8344fcd1725d296dc4826f233933643a424

                  Execution Graph

                  Execution Coverage:11.6%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:0%
                  Total number of Nodes:188
                  Total number of Limit Nodes:11
                   execution_graph: node and edge dump of the rendered graph (188 nodes, 11 limit nodes); only the API-bearing functions it names are kept here.
                   • 10bxxxxx functions: 10b44b0 CreateActCtxA; 10baf20 GetModuleHandleW; 10ba070 and 10bb160 LoadLibraryExW; 10bcf80 chain of GetCurrentProcess (10bcfc6, 10bd055), GetCurrentThread (10bd018) and GetCurrentThreadId (10bd0b3); 10bd5d0 DuplicateHandle
                   • 4a7xxxx functions: dispatcher 4a79962 (reached from 4a777bd via 4a77734 and 4a79946/4a79948) calls 4a77318/4a7730c CreateProcessA, 4a76fd0/4a76fca VirtualAllocEx, 4a77180/4a7717a ReadProcessMemory, 4a77090/4a77088 WriteProcessMemory, 4a76ef8/4a76ef2 Wow64SetThreadContext and 4a76a10/4a76a09 ResumeThread; 4a7aa98 -> 4a79038 -> 4a7ad18 PostMessageW
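                   Added example (not part of the Joe Sandbox report): the API-bearing functions in the 4a7xxxx region above, CreateProcessA, VirtualAllocEx, ReadProcessMemory, WriteProcessMemory, Wow64SetThreadContext and ResumeThread, are the classic process-hollowing (RunPE) sequence. The script below parses "APIs" and "Memory Dump Source" lines in the format printed on this page, groups them by the process number encoded in the dump file name, and reports per process whether the full chain is present and whether the dumped code sits in a private RWX region that is not PE-backed. SAMPLE_REPORT is constructed: it copies this section's lines for process 0x20 (32), gives ResumeThread an invented ref because the report prints none, and adds an invented process 0x1F (31) entry with only GetModuleHandleW as a negative case. The meaning assigned to the dump-name fields (process, region base, protection, memory type) is an assumption that matches the hcaresult_32_2_4a70000 snapshot name and the Windows constants 0x40 = PAGE_EXECUTE_READWRITE and 0x20000 = MEM_PRIVATE.

```python
"""Process-hollowing triage over Joe Sandbox 'APIs' / 'Memory Dump Source' lines.
Added example, not report code. SAMPLE_REPORT is constructed from this section's
process 0x20 (32) entries; the ResumeThread ref and the process 0x1F (31)
GetModuleHandleW entry are invented so the rule has a negative case."""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_REPORT = """\
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04A7754E
• Source File: 00000020.00000002.2291550599.0000000004A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04A7703E
• Source File: 00000020.00000002.2291550599.0000000004A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04A77200
• Source File: 00000020.00000002.2291550599.0000000004A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04A77120
• Source File: 00000020.00000002.2291550599.0000000004A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04A76F76
• Source File: 00000020.00000002.2291550599.0000000004A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false
• ResumeThread.KERNELBASE(?), ref: 00000000
• Source File: 00000020.00000002.2291550599.0000000004A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false
• GetModuleHandleW.KERNEL32(?), ref: 00000000
• Source File: 0000001F.00000002.2215268245.0000000002850000.00000040.00000800.00020000.00000000.sdmp, Offset: 02850000, based on PE: false
"""

# "• Name.Module(args), ref: ADDR" as printed under each "APIs" heading.
API_RE = re.compile(r"^\s*•?\s*(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
# Dump name = 8 dot-separated fields; field 0 = process, field 3 = region base (both match
# the hcaresult_<proc>_<snap>_<base> snapshot name). Treating field 4 as page protection
# and field 6 as memory type is an ASSUMPTION that agrees with the Windows constants below.
SRC_RE = re.compile(r"Source File:\s*(?P<fields>(?:[0-9A-Fa-f]+\.){8})sdmp.*?based on PE:\s*(?P<pe>true|false)", re.I)
PAGE_EXECUTE_READWRITE, MEM_PRIVATE = 0x40, 0x20000

# Canonical hollowing steps and the Win32 / Nt names each may be listed under.
STEPS = {
    "CreateProcess": {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"},
    "VirtualAllocEx": {"VirtualAllocEx", "NtAllocateVirtualMemory"},
    "WriteProcessMemory": {"WriteProcessMemory", "NtWriteVirtualMemory"},
    "SetThreadContext": {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"},
    "ResumeThread": {"ResumeThread", "NtResumeThread"},
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int
    process: int = -1
    region_base: int = 0
    protect: int = 0
    mem_type: int = 0
    pe_backed: bool = True


def parse_report(text):
    """Attach each API line to the 'Source File' line that follows it in the report."""
    calls, pending = [], []
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",") if a.strip()]
            pending.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16)))
            continue
        m = SRC_RE.search(line)
        if m and pending:
            f = m["fields"].rstrip(".").split(".")
            for call in pending:
                call.process, call.region_base = int(f[0], 16), int(f[3], 16)
                call.protect, call.mem_type = int(f[4], 16), int(f[6], 16)
                call.pe_backed = m["pe"].lower() == "true"
            calls.extend(pending)
            pending = []
    return calls


def detect_hollowing(calls):
    """Per process: hollowing steps present/missing plus supporting indicators.
    The report lists functions statically, so call ORDER is not checked here."""
    by_proc = defaultdict(list)
    for c in calls:
        by_proc[c.process].append(c)
    findings = {}
    for pid, pcalls in by_proc.items():
        names = {c.name for c in pcalls}
        present = {step for step, aliases in STEPS.items() if names & aliases}
        findings[pid] = {
            "present": sorted(present),
            "missing": sorted(set(STEPS) - present),
            "complete": present == set(STEPS),
            "reads_target": "ReadProcessMemory" in names,  # e.g. reading the child's PEB / image base
            # Code dumped from a private RWX region with no PE backing: unpacked or injected.
            "rwx_private_region": any(c.protect == PAGE_EXECUTE_READWRITE and c.mem_type == MEM_PRIVATE
                                      and not c.pe_backed for c in pcalls),
        }
    return findings


if __name__ == "__main__":
    for pid, f in sorted(detect_hollowing(parse_report(SAMPLE_REPORT)).items()):
        print(pid, "hollowing chain complete" if f["complete"] else "missing " + ", ".join(f["missing"]), f)
```

                   The rule checks set coverage only, because this part of the report is a static function listing, not a call trace; confirm ordering against the dynamic API trace before treating a complete chain as conclusive. Wow64SetThreadContext rather than SetThreadContext means the thread being redirected belongs to a 32-bit (WOW64) process, and the PostMessageW call listed below with message 0x10 is WM_CLOSE.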

                  Control-flow Graph

                   Control-flow graph of the function at 4a7730c (basic blocks 4a7730c-4a7765d); CreateProcessA is called from block 4a774a7-4a77561. Edge dump of the rendered graph omitted.
                  APIs
                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04A7754E
                  Memory Dump Source
                  • Source File: 00000020.00000002.2291550599.0000000004A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_32_2_4a70000_XClient.jbxd
                  Similarity
                  • API ID: CreateProcess
                  • String ID:
                  • API String ID: 963392458-0
                  • Opcode ID: b9e9ac8c073af3429751c9f6bfa47d363749fe451ded78b48f185b415522a0b7
                  • Instruction ID: d94a35f6528d5cc2a5e2b387878c9a85eff44fc5f3f8901c2501989363d50259
                  • Opcode Fuzzy Hash: b9e9ac8c073af3429751c9f6bfa47d363749fe451ded78b48f185b415522a0b7
                  • Instruction Fuzzy Hash: DEA16E75D00219DFDB24DF68CC81BEDBBB2BF48314F148569D808A7250DB74A985CF91

                  Control-flow Graph

                   Control-flow graph of the function at 4a77318 (basic blocks 4a77318-4a7765d, same body as 4a7730c); CreateProcessA is called from block 4a774a7-4a77561. Edge dump of the rendered graph omitted.
                  APIs
                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04A7754E
                  Memory Dump Source
                  • Source File: 00000020.00000002.2291550599.0000000004A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_32_2_4a70000_XClient.jbxd
                  Similarity
                  • API ID: CreateProcess
                  • String ID:
                  • API String ID: 963392458-0
                  • Opcode ID: 3fa5b959cbbf67bb6331a9af765b7559493bd719c6196033a00ef239b14730bb
                  • Instruction ID: 739ed0c4d2b4193a965fd18074a01e45eb06e2d3d898f3a4f8ab3c2a39a80146
                  • Opcode Fuzzy Hash: 3fa5b959cbbf67bb6331a9af765b7559493bd719c6196033a00ef239b14730bb
                  • Instruction Fuzzy Hash: 84915D75D00219DFDB24DF68CC81BEDBBB2BF48314F1485A9E848A7250DB74A985CF92

                  Control-flow Graph

                   Control-flow graph of the function at 10b44b0 (basic blocks 10b44b0-10b5a41); CreateActCtxA is called from block 10b44b0-10b59b9. Edge dump of the rendered graph omitted.
                  APIs
                  • CreateActCtxA.KERNEL32(?), ref: 010B59A9
                  Memory Dump Source
                  • Source File: 00000020.00000002.2281132832.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_32_2_10b0000_XClient.jbxd
                  Similarity
                  • API ID: Create
                  • String ID:
                  • API String ID: 2289755597-0
                  • Opcode ID: 02e2821c95babc90de38fd600125c2752940acc581d3568a578bd34b37f44b69
                  • Instruction ID: abe0e4c7fbfd6c8517accaaaab91c684be94026338b309cde048ae8ad0b0503b
                  • Opcode Fuzzy Hash: 02e2821c95babc90de38fd600125c2752940acc581d3568a578bd34b37f44b69
                  • Instruction Fuzzy Hash: AC41CFB0C00719CBDB24DFAAC884ADEBBB5BF49304F2480AAD448BB255DB756945CF91

                  Control-flow Graph

                   Control-flow graph of the function at 4a77088 (basic blocks 4a77088-4a77166); WriteProcessMemory is called from block 4a770ee-4a7712d. Edge dump of the rendered graph omitted.
                  APIs
                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04A77120
                  Memory Dump Source
                  • Source File: 00000020.00000002.2291550599.0000000004A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_32_2_4a70000_XClient.jbxd
                  Similarity
                  • API ID: MemoryProcessWrite
                  • String ID:
                  • API String ID: 3559483778-0
                  • Opcode ID: cb7c81f7d04c8d4aeca6d1f9283be476057101f8a7e67d49ed997c03c110c952
                  • Instruction ID: 4737d26bc64ec7dfac71c6f11147c273b7e91cacd367cefba69b467e98a3e6ed
                  • Opcode Fuzzy Hash: cb7c81f7d04c8d4aeca6d1f9283be476057101f8a7e67d49ed997c03c110c952
                  • Instruction Fuzzy Hash: DC2146B6900349DFDB10CFA9C885BDEBBF1FF48314F10842AE959A7250C778A945CBA5

                  Control-flow Graph

                   Control-flow graph of the function at 4a77090 (basic blocks 4a77090-4a77166, same body as 4a77088); WriteProcessMemory is called from block 4a770ee-4a7712d. Edge dump of the rendered graph omitted.
                  APIs
                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04A77120
                  Memory Dump Source
                  • Source File: 00000020.00000002.2291550599.0000000004A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_32_2_4a70000_XClient.jbxd
                  Similarity
                  • API ID: MemoryProcessWrite
                  • String ID:
                  • API String ID: 3559483778-0
                  • Opcode ID: e06d0951c4bb38738242cf16edbe561313b6310f8a9ed1a4968dbcde9d35430a
                  • Instruction ID: 4879d7c2a15a841e36c37e9a59d3d1c4e909f460ca779f356d88784133b42e84
                  • Opcode Fuzzy Hash: e06d0951c4bb38738242cf16edbe561313b6310f8a9ed1a4968dbcde9d35430a
                  • Instruction Fuzzy Hash: 462169B59003099FDB10CFA9C880BDEBBF5FF48310F108429E958A7250C778A944CFA5
                  APIs
                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04A77200
                  Memory Dump Source
                  • Source File: 00000020.00000002.2291550599.0000000004A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_32_2_4a70000_XClient.jbxd
                  Similarity
                  • API ID: MemoryProcessRead
                  • String ID:
                  • API String ID: 1726664587-0
                  • Opcode ID: 4f4754430f9ff2040594239eff796e405828c005e0eb84721232141c515babb4
                  • Instruction ID: 9c425a2f5f232dc319a0d81feb409a3bef4a31a81078a07d048228b7bd15b7d6
                  • Opcode Fuzzy Hash: 4f4754430f9ff2040594239eff796e405828c005e0eb84721232141c515babb4
                  • Instruction Fuzzy Hash: 0D2114B58002599FCB10DFA9C981AEEBBF5FF48320F10882AE559A7251C738A545CBA5
                  APIs
                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04A76F76
                  Memory Dump Source
                  • Source File: 00000020.00000002.2291550599.0000000004A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_32_2_4a70000_XClient.jbxd
                  Similarity
                  • API ID: ContextThreadWow64
                  • String ID:
                  • API String ID: 983334009-0
                  • Opcode ID: 1f7f91e06c5be99901e63f2502e979da997dce1d23575390288d6adcde4e6fc2
                  • Instruction ID: eafcedc6c741c006ff0d740ab3f36ea6a441a9b64712ab15c890d42fb5226642
                  • Opcode Fuzzy Hash: 1f7f91e06c5be99901e63f2502e979da997dce1d23575390288d6adcde4e6fc2
                  • Instruction Fuzzy Hash: F12157B2D002098FDB10CFA9C9857EEBBF0EF48324F14842AD459A7241C778A985CFA5
                  APIs
                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04A77200
                  Memory Dump Source
                  • Source File: 00000020.00000002.2291550599.0000000004A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_32_2_4a70000_XClient.jbxd
                  Similarity
                  • API ID: MemoryProcessRead
                  • String ID:
                  • API String ID: 1726664587-0
                  • Opcode ID: 820b66d850e41fba2b13a6802335062339dcead1ca2d81118eb3242fe79b7773
                  • Instruction ID: 3674882d4702edc4fc5f16c492a91f4779f74053086fe0cc51f1adc7bfa4c97b
                  • Opcode Fuzzy Hash: 820b66d850e41fba2b13a6802335062339dcead1ca2d81118eb3242fe79b7773
                  • Instruction Fuzzy Hash: 762128B18002599FCB10DFAAC841AEEFBF5FF48320F10842AE559A7250C734A544CBA5
                  APIs
                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04A76F76
                  Memory Dump Source
                  • Source File: 00000020.00000002.2291550599.0000000004A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_32_2_4a70000_XClient.jbxd
                  Similarity
                  • API ID: ContextThreadWow64
                  • String ID:
                  • API String ID: 983334009-0
                  • Opcode ID: a44e9e3407a3b8c539fedd592ca9c031cc866c851874e77b2a1dc073275d3b5c
                  • Instruction ID: 56f12c776d9cc7b591a7d5050ff662c83d936312f161e6ab7de7b4d65bb1f085
                  • Opcode Fuzzy Hash: a44e9e3407a3b8c539fedd592ca9c031cc866c851874e77b2a1dc073275d3b5c
                  • Instruction Fuzzy Hash: B12118B19003098FDB10DFAAC4857EEBBF4EF88324F148429D459A7251D778A985CFA5
                  APIs
                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010BAFB9,00000800,00000000,00000000), ref: 010BB1CA
                  Memory Dump Source
                  • Source File: 00000020.00000002.2281132832.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_32_2_10b0000_XClient.jbxd
                  Similarity
                  • API ID: LibraryLoad
                  • String ID:
                  • API String ID: 1029625771-0
                  • Opcode ID: cd697208546c18f31ec82394832a07ebacd8fac4993e1d825a13a6bbea8cf24f
                  • Instruction ID: ccebc873ad45810a89f32a8f74eb23e62b31c6a24282c5772102e7fab311bed2
                  • Opcode Fuzzy Hash: cd697208546c18f31ec82394832a07ebacd8fac4993e1d825a13a6bbea8cf24f
                  • Instruction Fuzzy Hash: 0011F6B69003099FDB14CF9AD488ADEFBF4EB88314F10846AE559A7210C375A945CFA5
                  APIs
                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04A7703E
                  Memory Dump Source
                  • Source File: 00000020.00000002.2291550599.0000000004A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_32_2_4a70000_XClient.jbxd
                  Similarity
                  • API ID: AllocVirtual
                  • String ID:
                  • API String ID: 4275171209-0
                  • Opcode ID: 8b801363176762c27d11a71f4982d098e267fc973c4ef68e1d3af22a28eae057
                  • Instruction ID: e968aa443c72d870366cbbf1c784dd1f21fdad0d1f4ab79086afde035b6a0e3d
                  • Opcode Fuzzy Hash: 8b801363176762c27d11a71f4982d098e267fc973c4ef68e1d3af22a28eae057
                  • Instruction Fuzzy Hash: B41167B6800249CFDB20CFA9C845BDEBBF5EF88324F208429E519A7250C735A945CFA1
                  APIs
                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04A7703E
                  Memory Dump Source
                  • Source File: 00000020.00000002.2291550599.0000000004A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_32_2_4a70000_XClient.jbxd
                  Similarity
                  • API ID: AllocVirtual
                  • String ID:
                  • API String ID: 4275171209-0
                  • Opcode ID: cb66653440eff736f031842dad09dc0f1984fa573452afe584a9f2dbbf5408c4
                  • Instruction ID: 6fe39aaaff10e136dfbcdea563d383c1fc954810f01a4ebecce64357e6bac0db
                  • Opcode Fuzzy Hash: cb66653440eff736f031842dad09dc0f1984fa573452afe584a9f2dbbf5408c4
                  • Instruction Fuzzy Hash: 8C1156758002489FDB20DFAAC844BDFBBF5EB88320F208419E519A7250C735A944CFA5
                  APIs
                  Memory Dump Source
                  • Source File: 00000020.00000002.2291550599.0000000004A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_32_2_4a70000_XClient.jbxd
                  Similarity
                  • API ID: ResumeThread
                  • String ID:
                  • API String ID: 947044025-0
                  • Opcode ID: 4941228f5a1b0a89ca443a1f37af861341bdb3765338d6fe807f68298483e6c9
                  • Instruction ID: 02acadd87526e7137188505bc9f54f874a246db35abdbb56e3ca3cb25972823c
                  • Opcode Fuzzy Hash: 4941228f5a1b0a89ca443a1f37af861341bdb3765338d6fe807f68298483e6c9
                  • Instruction Fuzzy Hash: 96116AB1D002498FDB20DFA9C8457DEFBF5EF88324F248429C019A7250CB34A545CF95
                  APIs
                  Memory Dump Source
                  • Source File: 00000020.00000002.2291550599.0000000004A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_32_2_4a70000_XClient.jbxd
                  Similarity
                  • API ID: ResumeThread
                  • String ID:
                  • API String ID: 947044025-0
                  • Opcode ID: c971a66e81c068cd68f501fb79f9b489dca70aef335106066b6fc0dff0346234
                  • Instruction ID: 8e4d71f70b03677c757fc49f41c6edaf7860145c0e208e54619a9f65c62103c6
                  • Opcode Fuzzy Hash: c971a66e81c068cd68f501fb79f9b489dca70aef335106066b6fc0dff0346234
                  • Instruction Fuzzy Hash: 541136B1D002498FDB20DFAAC8457DFFBF5EB88324F248429D459A7250CB75A944CFA5
                  APIs
                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 04A7AD75
                  Memory Dump Source
                  • Source File: 00000020.00000002.2291550599.0000000004A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_32_2_4a70000_XClient.jbxd
                  Similarity
                  • API ID: MessagePost
                  • String ID:
                  • API String ID: 410705778-0
                  • Opcode ID: 644c195cfdd7ba692824852eccdb54eb47448590956b512df8cb2d7d2f141758
                  • Instruction ID: 47d35adf42f2f056f51ac5e4f286135793582eb7bb661e2115df4bcd91e047ae
                  • Opcode Fuzzy Hash: 644c195cfdd7ba692824852eccdb54eb47448590956b512df8cb2d7d2f141758
                  • Instruction Fuzzy Hash: 4D1106B5900349DFDB20DF9AC845BDEFBF8EB48324F108419E558A7211C375A944CFA5
                  APIs
                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 04A7AD75
                  Memory Dump Source
                  • Source File: 00000020.00000002.2291550599.0000000004A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A70000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_32_2_4a70000_XClient.jbxd
                  Similarity
                  • API ID: MessagePost
                  • String ID:
                  • API String ID: 410705778-0
                  • Opcode ID: 06d417b4b63b475633d827003c9d337692c53bace7b166b6b8420552b52cd38a
                  • Instruction ID: 5199d61e3adc07b9b4ef742ddd8c00dc2fb86ef05d7f012f5049f8760a6a1715
                  • Opcode Fuzzy Hash: 06d417b4b63b475633d827003c9d337692c53bace7b166b6b8420552b52cd38a
                  • Instruction Fuzzy Hash: E511E2B5800249DFDB20CF99D884BEEFBF4EB48324F10841AE558A7210C375A984CFA5
                  Memory Dump Source
                  • Source File: 00000020.00000002.2280494666.0000000000DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDD000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_32_2_ddd000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e3e546f9b2e085f9c60af0174e3e92b03f9c522f0a0c5015cc860fb9c9e45b34
                  • Instruction ID: 5596a224c687759f4ce9c43a5c51105d275d2c758b4cb0cde303ebd8d744e157
                  • Opcode Fuzzy Hash: e3e546f9b2e085f9c60af0174e3e92b03f9c522f0a0c5015cc860fb9c9e45b34
                  • Instruction Fuzzy Hash: 33212571500204DFDF15DF14D9C0B2ABF66FB98324F24C16AE9094B35AC336E856CAB2
                  Memory Dump Source
                  • Source File: 00000020.00000002.2280494666.0000000000DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDD000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_32_2_ddd000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                  • Instruction ID: 3fa821a40036b210ca3159123758cf77b1c1ba6be8f62fe6e48d76e35ec437e5
                  • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                  • Instruction Fuzzy Hash: E211AF76504240DFDF16CF14D5C4B16BF72FB94324F28C6AAD9090B656C33AE85ACBA1
                  Memory Dump Source
                  • Source File: 00000020.00000002.2280494666.0000000000DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDD000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_32_2_ddd000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4c7b531656aa86af1c22f4abd5fcdd1f1869e80e88a272d717ee578cf505f3cd
                  • Instruction ID: fcc1882d935500dc7aee7863d93aeb9c8fbae201267db3e3a370bea66c355f57
                  • Opcode Fuzzy Hash: 4c7b531656aa86af1c22f4abd5fcdd1f1869e80e88a272d717ee578cf505f3cd
                  • Instruction Fuzzy Hash: 2B01A771008340BAEB108A29CD84767BFD9EF51324F1CC5ABED4A4A396C379DC40CA71
                  Memory Dump Source
                  • Source File: 00000020.00000002.2280494666.0000000000DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDD000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_32_2_ddd000_XClient.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: bffb8d72bd43fe707de3dbda1ca627f6f5cfdcbbd3d1323ec3e244b436418561
                  • Instruction ID: 1b1a5cb59c4815ee65ee5b67abac1700e752c493885d32e9ef48fdbb4bfc71b2
                  • Opcode Fuzzy Hash: bffb8d72bd43fe707de3dbda1ca627f6f5cfdcbbd3d1323ec3e244b436418561
                  • Instruction Fuzzy Hash: F6F06271404344AEEB108A1ADC84B66FFA8EF51734F18C45BED094A396C379AC44CAB1